Solved

Cipher Configuration on Apache HTTPD

Posted on 2016-11-28
Last Modified: 2016-11-30
Hello Experts:

I need to configure Apache HTTPD to only take the following ciphers:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)

This is what I have in my ssl.conf configuration file:


SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite  AES128+EECDH:AES128+EDH:!3DES:!DES

I am confused about how to translate the above ciphers into the proper Apache syntax.

Apache/2.2.15
CentOS release 6.5 (Final)

OpenSSL 1.0.1e-fips 11 Feb 2013
java version "1.7.0_45"


Thanks.
Question by:willie0-360
4 Comments
 
LVL 14

Accepted Solution

by: Phil Phillips (earned 2000 total points)
ID: 41904922
Apache uses the format that OpenSSL uses.  This page has a translation from the specification name to the OpenSSL equivalent: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

So, in your case, the SSLCipherSuite line would look like:

SSLCipherSuite ECDHE-RSA-AES256-SHA:AES256-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA

 

Author Comment

by:willie0-360
ID: 41904971
That looks very promising Phil.  By any chance, can you help me understand what these other expressions mean:

(0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS

(0x35)

(0x2f)


Thanks very much.
 
LVL 14

Expert Comment

by:Phil Phillips
ID: 41904996
ECDH refers to the encryption protocol (Elliptic curve Diffie–Hellman)
secp256r1 refers to the elliptic curve used by the cipher
FS indicates that the cipher supports Forward Secrecy

I'm not sure what (0xc014)/(0x35)/(0x2f) are, but I'm guessing it's a constant associated with the cipher.
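The two answers above cover the name translation and the meaning of the scanner columns; the script below, added here as a worked example and not code from the thread, Apache or OpenSSL, ties them together. It converts IANA cipher suite names (the TLS_..._WITH_... form) into the OpenSSL names that SSLCipherSuite expects, assembles the directive in the order given (which matters because the questioner's ssl.conf sets SSLHonorCipherOrder On), and then asks the OpenSSL library Python is linked against which suites the resulting string really enables. The hex values in parentheses, 0xc014 and so on, are the two-byte cipher suite codes from the IANA TLS registry, the same numbers `openssl ciphers -V` prints; the script shows them next to each name. The name table and pattern are assumptions that cover only the common RSA, DHE and ECDHE families, and the local check reflects whatever OpenSSL your Python uses, not the OpenSSL 1.0.1e on the questioner's CentOS 6 box.

```python
"""
Translate IANA cipher-suite names (the TLS_..._WITH_... form that scanners
such as SSL Labs print) into the OpenSSL names Apache's SSLCipherSuite
directive expects, assemble the directive, and check the result against the
OpenSSL library Python links with.  Constructed example for this thread, not
code from the original answer; the tables and regex are assumptions that
cover the common RSA/DHE/ECDHE suites only.
"""
import re
import ssl

# IANA two-byte cipher suite codes for the four suites in the question.
# These are the hex values the scanner shows in parentheses, e.g. (0xc014).
IANA_CODES = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xC014,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
}

# OpenSSL names that do not follow the regular pattern are listed explicitly.
IRREGULAR = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
}

# TLS_<key exchange>_WITH_<bulk cipher>_<bits>_<mode>_<MAC or PRF hash>
_NAME = re.compile(
    r"^TLS_(?P<kx>RSA|DHE_RSA|DHE_DSS|ECDHE_RSA|ECDHE_ECDSA)"
    r"_WITH_(?P<alg>AES|CAMELLIA)_(?P<bits>128|256)_(?P<mode>CBC|GCM)"
    r"_(?P<hash>SHA|SHA256|SHA384)$"
)


def iana_to_openssl(name):
    """Return the OpenSSL cipher name for an IANA cipher suite name."""
    if name in IRREGULAR:
        return IRREGULAR[name]
    m = _NAME.match(name)
    if m is None:
        raise ValueError("unsupported or unknown cipher suite name: %s" % name)
    parts = []
    # Plain RSA key exchange is implicit in OpenSSL names (AES128-SHA);
    # (EC)DHE key exchange plus the authentication algorithm is spelled out.
    if m.group("kx") != "RSA":
        parts.append(m.group("kx").replace("_", "-"))
    parts.append(m.group("alg") + m.group("bits"))
    # CBC is the implied mode; AEAD modes such as GCM are named explicitly.
    if m.group("mode") != "CBC":
        parts.append(m.group("mode"))
    parts.append(m.group("hash"))
    return "-".join(parts)


def build_ssl_cipher_suite(iana_names):
    """Build the SSLCipherSuite directive.  Order is preserved: with
    SSLHonorCipherOrder On the server picks the first suite in this list that
    the client also offers, so forward-secret (FS) ECDHE suites go first."""
    return "SSLCipherSuite " + ":".join(iana_to_openssl(n) for n in iana_names)


def local_openssl_enables(cipher_string):
    """Ask the OpenSSL library Python links against which pre-TLS-1.3 suites
    the string actually enables.  The low 16 bits of each 'id' are the IANA
    code, the same number `openssl ciphers -V` prints.  Returns a dict of
    OpenSSL name -> IANA code, or {} if OpenSSL rejects the whole string
    (for example when every suite is below the library's security level)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return {}
    return {c["name"]: c["id"] & 0xFFFF
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


if __name__ == "__main__":
    wanted = list(IANA_CODES)  # the four suites from the question, in order
    directive = build_ssl_cipher_suite(wanted)
    print(directive)
    enabled = local_openssl_enables(directive.split(" ", 1)[1])
    for iana, code in IANA_CODES.items():
        ossl = iana_to_openssl(iana)
        status = "enabled" if enabled.get(ossl) == code else "NOT enabled by local OpenSSL"
        print("%-40s %-25s 0x%04X  %s" % (iana, ossl, code, status))
```

Run it as-is and the first line printed is the directive from the accepted answer; the table under it shows, for each suite, its OpenSSL name, its IANA code and whether the local OpenSSL still enables it. A newer OpenSSL with a raised security level can reject some or all of these CBC-SHA suites, which is exactly the kind of surprise worth seeing before the string goes into ssl.conf.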
 

Author Comment

by:willie0-360
ID: 41907964
Thanks a lot for your help.
It worked!
Excellent!
Grade: A