Book HomeApache: The Definitive GuideSearch this book

13.8. Cipher Suites

The SSL protocol does not restrict clients and servers to a single encryption brew for the secure exchange of information. There are a number of possible cryptographic ingredients, but as in any cookpot, some ingredients go better together than others. The seriously interested can refer to Bruce Schneier's Applied Crytography ( John Wiley & Sons), in conjunction with the SSL specification (from http://www.netscape.com/). The list of cipher suites is in the SSLeay software at ... /ssl/ssl.h. The macro names give a better idea of what is meant than the text strings.

SSLeay name

Config name

Keysize

EncryptedKeysize

SSL3_TXT_RSA_IDEA_128_SHA
IDEA-CBC-SHA

128

128

SSL3_TXT_RSA_NULL_MD5
NULL-MD5

0

0

SSL3_TXT_RSA_NULL_SHA
NULL-SHA

0

0

SSL3_TXT_RSA_RC4_40_MD5
EXP-RC4-MD5

128

40

SSL3_TXT_RSA_RC4_128_MD5
RC4-MD5

128

128

SSL3_TXT_RSA_RC4_128_SHA
RC4-SHA

128

128

SSL3_TXT_RSA_RC2_40_MD5
EXP-RC2-CBC-MD5

128

40

SSL3_TXT_RSA_IDEA_128_SHA
IDEA-CBC-MD5

128

128

SSL3_TXT_RSA_DES_40_CBC_SHA
EXP-DES-CBC-SHA

56

40

SSL3_TXT_RSA_DES_64_CBC_SHA
DES-CBC-SHA

56

56

SSL3_TXT_RSA_DES_192_CBC3_SHA
DES-CBC3-SHA

168

168

SSL3_TXT_DH_DSS_DES_40_CBC_SHA
EXP-DH-DSS-DES-CBC-SHA

56

40

SSL3_TXT_DH_DSS_DES_64_CBC_SHA
DH-DSS-DES-CBC-SHA

56

56

SSL3_TXT_DH_DSS_DES_192_CBC3_SHA
DH-DSS-DES-CBC3-SHA

168

168

SSL3_TXT_DH_RSA_DES_40_CBC_SHA
EXP-DH-RSA-DES-CBC-SHA

56

40

SSL3_TXT_DH_RSA_DES_64_CBC_SHA
DH-RSA-DES-CBC-SHA

56

56

SSL3_TXT_DH_RSA_DES_192_CBC3_SHA
DH-RSA-DES-CBC3-SHA

168

168

SSL3_TXT_EDH_DSS_DES_40_CBC_SHA
EXP-EDH-DSS-DES-CBC-SHA

56

40

SSL3_TXT_EDH_DSS_DES_64_CBC_SHA
EDH-DSS-DES-CBC-SHA

56

SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA
EDH-DSS-DES-CBC3-SHA

168

168

SSL3_TXT_EDH_RSA_DES_40_CBC_SHA
EXP-EDH-RSA-DES-CBC

56

40

SSL3_TXT_EDH_RSA_DES_64_CBC_SHA
EDH-RSA-DES-CBC-SHA

56

56

SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
EDH-RSA-DES-CBC3-SHA

168

168

SSL3_TXT_ADH_RC4_40_MD5
EXP-ADH-RC4-MD5

128

40

SSL3_TXT_ADH_RC4_128_MD5
ADH-RC4-MD5

128

128

SSL3_TXT_ADH_DES_40_CBC_SHA
EXP-ADH-DES-CBC-SHA

128

40

SSL3_TXT_ADH_DES_64_CBC_SHA
ADH-DES-CBC-SHA

56

56

SSL3_TXT_ADH_DES_192_CBC_SHA
ADH-DES-CBC3-SHA

168

168

SSL3_TXT_FZA_DMS_NULL_SHA
FZA-NULL-SHA

0

0

SSL3_TXT_FZA_DMS_RC4_SHA
FZA-RC4-SHA

128

128

MD5_1
DES-CFB-M1

56

56

SSL2_TXT_RC2_128_CBC_WITH_MD5
RC2-CBC-MD5

128

128

SSL2_TXT_DES_64_CBC_WITH_MD5
DES-CBC-MD5

56

56

SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
DES-CBC3-MD5

168

168

SSL2_TXT_RC4_64_WITH_MD5
RC4-64-MD5

64

64

SSL2_TXT_NULL
NULL

0

0

For most purposes, the webmaster does not have to bother with all this, but some of the following directives need entries from this list.

13.8.1. SSLRequiredCiphers


SSLRequiredCiphers cipher list
Server config, virtual host

This directive specifies a colon-separated list of cipher suites, used by SSLeay to limit what the client end can do. Possible suites are listed in the preceding section. This is a per-server option:

SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA

13.8.2. SSLRequireCipher

SSLRequireCipher cipher list
Server config, virtual host, .htaccess, directory

This directive specifies a space-separated list of cipher suites, used to verify the cipher after the connection is established. This is a per-directory option.

13.8.3. SSLBanCipher

SSLBanCipher <cipher list>
Config, virtual, .htaccess, directory

This directive specifies a space-separated list of cipher suites, as per SSLRequire-Cipher, except it bans them. The logic is as follows: if banned, reject; if required, accept; if no required ciphers are listed, accept. For example:

SSLBanCipher NULL-MD5 NULL-SHA

It is sensible to ban these suites because they are test suites that actually do no encryption.



Library Navigation Links

Copyright © 2001 O'Reilly & Associates. All rights reserved.