[Xymon] sslcert question

Phil Crooker Phil.Crooker at orix.com.au
Wed Apr 13 09:04:30 CEST 2011


Hi Tim,

Same thing with your config. I tried a few settings and it always
displays the same complete list. It kinda looks like apache is just
returning all the cipher suites on the system - similar output to
"openssl cipher -v", rather than the configured/available ones.

Odd.

cheers, Phil



>>> On 4/13/2011 at 3:25 PM, in message
<8D17C43B4F1AC3498DE039AEA9381290732C59018B at VA3DIAXVS051.RED001.local>,
Tim McCloskey <tm at freedom.com> wrote:
> Phil, 
> 
> That looks like an apache/openssl config concern.  What happens when you
> force a more generic SSLCipherSuite?
> 
> SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
> 
> Tim
> 
> 
> ________________________________________
> From: xymon-bounces at xymon.com [xymon-bounces at xymon.com] On Behalf Of Phil
> Crooker [Phil.Crooker at orix.com.au]
> Sent: Tuesday, April 12, 2011 10:36 PM
> To: xymon at xymon.com 
> Subject: [Xymon] sslcert question
> 
> Hi all,
> 
> I've been playing with the ssl networking tests and have an issue with
> a host. I've set up SSL3/TLS1 on this particular server and explicitly
> specified 256 and 168 bit ciphers.  On the sslcert page for that host it
> lists the following ciphers even though anything less than 168 bits is
> disabled. I confirmed separately using a browser that you can't connect
> with the smaller cipher sizes and can with larger ones. We have another
> site using IBM's version of apache (IHS) which does appear with the
> correct available ciphers in the sslcert page. Any idea why the
> smaller ciphers are showing as being enabled?
> 
> This is SuSE Linux with: Apache/2.2.10 (Linux/SUSE) mod_ssl/2.2.10
> OpenSSL/0.9.8h
> 
> apache config bits:
> 
>         SSLCipherSuite DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5
>         SSLProtocol -all +SSLv3 +TLSv1
> 
> 
> thanks, Phil
> --------------------------------------------
> 
> 
> SSL certificate for https://gwweb.orix.com.au/gw/webacc expires in 275 days
> 
> 
> Server certificate:
>         subject:/C=AU/postalCode=2113/ST=NSW/L=Macquarie Park/streetAddress=1 Eden Park Drive/2.5.4.18=Locked Bag 2068, North Ryde, NSW 1670/O=ORIX Australia Corporation Limited/OU=Comodo PremiumSSL Wildcard/CN=*.orix.com.au
>         start date: 2009-01-12 00:00:00 GMT
>         expire date:2012-01-12 23:59:59 GMT
> 
> Available ciphers:
> Cipher 0: DHE-RSA-AES256-SHA (256 bits)
> Cipher 1: DHE-DSS-AES256-SHA (256 bits)
> Cipher 2: AES256-SHA (256 bits)
> Cipher 3: DHE-RSA-CAMELLIA256-SHA (256 bits)
> Cipher 4: DHE-DSS-CAMELLIA256-SHA (256 bits)
> Cipher 5: CAMELLIA256-SHA (256 bits)
> Cipher 6: EDH-RSA-DES-CBC3-SHA (168 bits)
> Cipher 7: EDH-DSS-DES-CBC3-SHA (168 bits)
> Cipher 8: DES-CBC3-SHA (168 bits)
> Cipher 9: DES-CBC3-MD5 (168 bits)
> Cipher 10: DHE-RSA-AES128-SHA (128 bits)
> Cipher 11: DHE-DSS-AES128-SHA (128 bits)
> Cipher 12: AES128-SHA (128 bits)
> Cipher 13: DHE-RSA-CAMELLIA128-SHA (128 bits)
> Cipher 14: DHE-DSS-CAMELLIA128-SHA (128 bits)
> Cipher 15: CAMELLIA128-SHA (128 bits)
> Cipher 16: RC2-CBC-MD5 (128 bits)
> Cipher 17: RC4-SHA (128 bits)
> Cipher 18: RC4-MD5 (128 bits)
> Cipher 19: RC4-MD5 (128 bits)
> Cipher 20: EDH-RSA-DES-CBC-SHA (56 bits)
> Cipher 21: EDH-DSS-DES-CBC-SHA (56 bits)
> Cipher 22: DES-CBC-SHA (56 bits)
> Cipher 23: DES-CBC-MD5 (56 bits)
> Cipher 24: EXP-EDH-RSA-DES-CBC-SHA (40 bits)
> Cipher 25: EXP-EDH-DSS-DES-CBC-SHA (40 bits)
> Cipher 26: EXP-DES-CBC-SHA (40 bits)
> Cipher 27: EXP-RC2-CBC-MD5 (40 bits)
> Cipher 28: EXP-RC2-CBC-MD5 (40 bits)
> Cipher 29: EXP-RC4-MD5 (40 bits)
> Cipher 30: EXP-RC4-MD5 (40 bits)
> 
> 




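Added example (not part of the original thread, and not Xymon's code): a Python check that compares the sslcert "Available ciphers" listing quoted above with the explicit SSLCipherSuite list from the post, and reports every suite that is listed but not configured or is under 168 bits. The function names and the min_bits parameter are assumptions of this example; a flagged suite still needs a real handshake test to show whether the server accepts it.

```python
import re

# SSLCipherSuite value from the post (explicit suite names only).
CONFIGURED = (
    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:"
    "DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:"
    "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5"
)
# Excerpt of the "Available ciphers" listing quoted in the post.
REPORT = """\
> Cipher 0: DHE-RSA-AES256-SHA (256 bits)
> Cipher 8: DES-CBC3-SHA (168 bits)
> Cipher 12: AES128-SHA (128 bits)
> Cipher 18: RC4-MD5 (128 bits)
> Cipher 19: RC4-MD5 (128 bits)
> Cipher 29: EXP-RC4-MD5 (40 bits)
"""
# Accepts lines with or without a leading mail quote marker.
LINE = re.compile(r"^(?:>\s*)?Cipher\s+\d+:\s+(\S+)\s+\((\d+) bits\)$")


def parse_report(text):
    """Return {suite_name: bits}; repeated names collapse to one entry."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def explicit_suites(cipher_string):
    """Split a cipher string that consists only of suite names."""
    # Heuristic (assumption of this example): a token with an operator prefix
    # or without a hyphen is an OpenSSL keyword (HIGH, !aNULL) and is rejected.
    names = [t for t in cipher_string.split(":") if t]
    for t in names:
        if t[0] in "!+-" or "-" not in t:
            raise ValueError(f"keyword, not a suite name: {t}")
    return set(names)


def audit(cipher_string, report_text, min_bits=168):
    """List reported suites that are not configured or are below min_bits."""
    allowed = explicit_suites(cipher_string)
    reported = parse_report(report_text)
    return sorted((n, b) for n, b in reported.items()
                  if n not in allowed or b < min_bits)
```

Keyword strings such as the HIGH:... value suggested in the reply have to be expanded by OpenSSL itself, so explicit_suites raises ValueError for them rather than guessing.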