A better SSLCipherSuite
Authored by: MartySells on Dec 03, '04 11:21:16PM
The original hint had:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

I would suggest the following instead:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
This setting will disable SSL version 2 (which has security problems) as well as weak ciphers (LOW, EXP).

Having +eNULL is particularly discouraged since NULL ciphers are ciphers offering no encryption! The setting in the original hint doesn't seem to enable NULL ciphers on a server I tested it on, but it looks dangerous to me.

Great hint BTW.

-m

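The comment above notes that `+eNULL` did not actually enable NULL ciphers, and that `!LOW:!SSLv2:!EXP:!eNULL` is safer than `+LOW:+SSLv2:+EXP:+eNULL`. Both observations follow from how OpenSSL interprets the operators in a cipher string: a bare keyword adds matching ciphers, `-` removes them, `!` removes them permanently, and `+` only moves ciphers that are already in the list to the end. The following evaluator is an added example written for this page, not code from the hint or its commenters; its cipher table is a small hand-constructed subset with approximate keyword tags (not OpenSSL's real list), and `@STRENGTH` sorting is not modelled. It runs both strings from the comment and shows what each one really selects.

```python
"""Toy evaluator for the OpenSSL cipher-list syntax used by SSLCipherSuite.

Added example, not code from the hint or its comments. The cipher table
below is a small, hand-constructed subset with approximate keyword tags;
it is NOT OpenSSL's real list. The evaluation rules follow ciphers(1):
  word    add matching ciphers not already in the list
  -word   remove matching ciphers (they may be re-added later)
  !word   remove matching ciphers permanently
  +word   move matching ciphers already in the list to the end
  a+b     a cipher must match every keyword joined by '+'
"""

# Constructed table: (cipher name, keywords it matches). Order = preference order.
CIPHER_TABLE = [
    ("AES256-SHA",      {"RSA", "AES", "SHA1", "HIGH", "SSLv3"}),
    ("DES-CBC3-SHA",    {"RSA", "3DES", "SHA1", "HIGH", "SSLv3"}),
    ("RC4-SHA",         {"RSA", "RC4", "SHA1", "MEDIUM", "SSLv3"}),
    ("RC4-MD5",         {"RSA", "RC4", "MD5", "MEDIUM", "SSLv3"}),
    ("DES-CBC-SHA",     {"RSA", "DES", "SHA1", "LOW", "SSLv3"}),
    ("EXP-RC4-MD5",     {"RSA", "RC4", "MD5", "EXP", "EXPORT40", "SSLv3"}),
    ("EXP1024-RC4-SHA", {"RSA", "RC4", "SHA1", "EXP", "EXPORT56", "SSLv3"}),
    ("ADH-AES256-SHA",  {"ADH", "aNULL", "AES", "SHA1", "HIGH", "SSLv3"}),
    ("RC4-64-MD5",      {"RSA", "RC4", "MD5", "LOW", "SSLv2"}),
    ("NULL-SHA",        {"RSA", "eNULL", "SHA1", "SSLv3"}),
    ("NULL-MD5",        {"RSA", "eNULL", "MD5", "SSLv3"}),
]


def matches(tags, keyword):
    """Does a cipher with these tags satisfy one keyword?"""
    if keyword == "ALL":                 # everything except the NULL ciphers
        return "eNULL" not in tags
    if keyword == "COMPLEMENTOFALL":     # exactly the NULL ciphers
        return "eNULL" in tags
    return keyword in tags


def select(element):
    """Ciphers (in table order) matching every '+'-joined keyword of one element."""
    keywords = element.split("+")
    return [name for name, tags in CIPHER_TABLE
            if all(matches(tags, k) for k in keywords)]


def evaluate(cipher_string):
    """Return the ordered cipher list a server would end up with."""
    active = []       # current ordered list
    killed = set()    # removed with '!' and never re-added
    for element in cipher_string.replace(",", ":").split(":"):
        element = element.strip()
        if not element:
            continue
        if element.startswith("@"):
            raise ValueError("sorting directives such as @STRENGTH are not modelled")
        op = element[0] if element[0] in "!-+" else ""
        hits = select(element[len(op):])
        if op == "":
            active += [c for c in hits if c not in active and c not in killed]
        elif op == "-":
            active = [c for c in active if c not in hits]
        elif op == "!":
            killed.update(hits)
            active = [c for c in active if c not in hits]
        elif op == "+":
            moved = [c for c in active if c in hits]          # keep relative order
            active = [c for c in active if c not in hits] + moved
    return active


ORIGINAL = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
SUGGESTED = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL"


def weak_ciphers(cipher_string):
    """Names in the resulting list that are LOW, EXP, SSLv2 or eNULL."""
    weak = {"LOW", "EXP", "SSLv2", "eNULL"}
    tags = dict(CIPHER_TABLE)
    return [c for c in evaluate(cipher_string) if tags[c] & weak]


if __name__ == "__main__":
    for label, s in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(f"{label:9}: {evaluate(s)}")
        print(f"{'':9}  weak: {weak_ciphers(s)}")
    # '+eNULL' only reorders; a bare 'eNULL' would actually add the NULL ciphers
    print("ALL:eNULL  ->", evaluate("ALL:eNULL")[-2:])
```

With the constructed table, the original string ends with the LOW, SSLv2 and EXP ciphers still enabled (merely pushed to the back of the preference list), while the suggested string removes them. `+eNULL` adds nothing because `ALL` never included the NULL ciphers and `+` only reorders; a bare `eNULL` would have added them, which is why `!eNULL` is the safe spelling. Everything on this page is 2004-era: RC4, single DES, 3DES, MD5-based MACs and SSLv3 are all broken today, so on a current server this whole family of strings should be replaced by a modern list (for example `HIGH:!aNULL:!MD5`) together with an `SSLProtocol` line that allows only TLS 1.2 and later.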
A better SSLCipherSuite
Authored by: legacyb4 on Dec 05, '04 01:56:31AM

Thanks for the tweak on the CipherSuite; I was pulling from a .conf file on a Linux box that I have access to and didn't fine-comb through all the details.

Again, the initial goal of writing this hint was to help folks get their teeth into how to get SSL up and running on their own OS X boxes; fine tuning for performance, security, or other customized tweaks is left for the braver souls to learn and share!



Good post - some add. notes and links
Authored by: michaelmazzen on Dec 30, '04 03:29:54PM

Hi
Great info on SSL - I've also implemented the "better" cipher.

Also I think that the info in this link: http://developer.apple.com/internet/serverside/modssl.html could be of interest to all.

Quote from above article:

"You'll be asked for some information when you start this. Most of it is pretty self explanatory, but one item, in particular, is not. Here's what you'll be asked for:

Country Name (2 letter code) [AU]: (enter your country code here)
State or Province Name (full name) [Some-State]: (Enter your state here)
Locality Name (eg, city) []: (enter your city here)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (enter something here)
Organizational Unit Name (eg, section) []: (enter something here)
Common Name (eg, YOUR name) []: (this is the important one)
Email Address []: (your e-mail address)

The entry for "Common Name" is the one that seems like it should be one thing, but is, in fact, another. For this entry, you want to enter your "Server Name" as it appears in your httpd.conf (which you'll be modifying soon). As this is just a development environment, you can enter 127.0.0.1, which is the default IP for "localhost". Now, keep in mind that using 127.0.0.1 is not the same as using "localhost". The strings either match, or they don't — Unix is like that."
...
...
"First, you need to comment out the "Port" directive by placing a "#" in front of the line.

Port 80 should be changed to #Port 80. You will need to add the following just below where the Port directive was:

## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##


<IfModule mod_ssl.c>
Listen 443
Listen 80
</IfModule>

Adding these lines tells the server to be aware of traffic on port 80 (the standard HTTP port) and port 443 (the HTTPS port). This allows your SSL aware Apache installation to serve non-secure documents on port 80, while it is serving secure documents on 443."

- Might be trivial to some but crucial nonetheless :-)
- Michael



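The quoted article's warning about the Common Name ("the strings either match, or they don't") is exactly the check a TLS client performs before trusting the certificate. The function below is an added example written for this page, not code from the Apple article or from anyone in this thread. It models the name-matching rule clients apply (RFC 6125 style): the name the client connected to must equal a name in the certificate (case-insensitively for DNS names, as an address for IP literals), with at most one leading `*.` wildcard label. The certificates are plain Python dicts constructed for the example, not parsed X.509; the `subject_cn`/`san_dns`/`san_ip` keys are an assumed shape.

```python
"""Does a hostname match a certificate?  (the Common Name pitfall quoted above)

Added example, not code from the Apple article or this thread. It models the
name-matching rule TLS clients apply (RFC 6125 style): the name the client
connected to must match a name in the certificate exactly (case-insensitively
for DNS names, as an IP address for IP literals), so a certificate issued to
127.0.0.1 never satisfies a client that connected to "localhost".
Certificates are plain dicts constructed for the example, not parsed X.509.
"""
import ipaddress


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, hostname):
    """Match one DNS name; only a single leading '*.' wildcard label is honoured."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # the wildcard stands for exactly one label and must not be the whole domain
    return (len(plabels) >= 3 and len(plabels) == len(hlabels)
            and plabels[1:] == hlabels[1:])


def hostname_matches(cert, hostname):
    """cert is a constructed dict: {"subject_cn": str, "san_dns": [...], "san_ip": [...]}.

    subjectAltName entries are authoritative; the Common Name is consulted only
    when the certificate has no SAN at all (the legacy rule the article relies on).
    """
    dns_names = list(cert.get("san_dns", []))
    ip_names = list(cert.get("san_ip", []))
    if not dns_names and not ip_names and cert.get("subject_cn"):
        cn = cert["subject_cn"]
        (ip_names if _is_ip(cn) else dns_names).append(cn)
    if _is_ip(hostname):
        # an IP literal only matches an IP entry, compared as addresses
        target = ipaddress.ip_address(hostname)
        return any(ipaddress.ip_address(ip) == target for ip in ip_names)
    return any(_dns_match(p, hostname) for p in dns_names)


# Constructed certificates for the two situations the article describes
DEV_CERT = {"subject_cn": "127.0.0.1"}          # CN only, as in the walkthrough
PROD_CERT = {"subject_cn": "www.example.com",
             "san_dns": ["www.example.com", "*.example.com"]}


if __name__ == "__main__":
    for cert, host in ((DEV_CERT, "127.0.0.1"), (DEV_CERT, "localhost"),
                       (PROD_CERT, "api.example.com"), (PROD_CERT, "example.com")):
        print(f"{host:>16} vs CN={cert['subject_cn']!r}: {hostname_matches(cert, host)}")
```

Running it shows the article's point: the development certificate with CN `127.0.0.1` is accepted when the browser is pointed at `https://127.0.0.1/` and rejected for `https://localhost/`. One caveat for anyone following the 2004 walkthrough today: current browsers ignore the Common Name entirely and require a subjectAltName, so a CN-only certificate like `DEV_CERT` is rejected regardless of the name; put the hostname (or IP) in a SAN when generating the certificate.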