[BlueOnyx:21362] Re: Apache Webserver SSLCipherSuite - request

Michael Stauber mstauber at blueonyx.it
Thu Sep 14 14:47:00 -05 2017


Hi Dirk,

> can you add a @STRENGTH at the end of the apache vhost SSLCipherSuite list, which will ask OpenSSL to sort the ciphers by key length?
> Or are there some concerns about this setting?

I'm not sure yet, but I will certainly test it out and see what it does.
If it causes no issues and provides an improvement, then I will surely add
it ASAP.

> Maybe the ciphers could be a little bit re-arranged.
> What I did find is the following. Maybe it is an option?
> HIGH:!LOW:!SEED:!DSS:!SSLv2:!aNULL:!eNULL:!NULL:!EXPORT:!ADH:!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4:@STRENGTH

Everything starting with an exclamation mark is a prohibited
protocol or cipher, so their order of appearance doesn't matter at
all. If we ignore these for a moment, that line only has "HIGH" and
@STRENGTH in the list of things that aren't forbidden.

OTOH: Browser and Server are supposed to automatically negotiate the best
and most robust protocol and cipher they both support. So I wonder if
adding @STRENGTH does something at that point. But I'll test it and if
it indeed helps, I'll add it.

Many thanks for the suggestion!

-- 
With best regards

Michael Stauber
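
One way to run the test discussed in this message, as an added example that is not part of the original post or of BlueOnyx: it uses Python's `ssl` module to ask the local OpenSSL how it expands the quoted cipher string with and without `@STRENGTH`, and whether moving the `!` terms changes anything. The helper names are hypothetical, and the suites listed depend on the installed OpenSSL build.

```python
import ssl

# Cipher string quoted in the message above, split so @STRENGTH can be toggled.
BASE = ("HIGH:!LOW:!SEED:!DSS:!SSLv2:!aNULL:!eNULL:!NULL:!EXPORT:!ADH:"
        "!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4")


def expand(cipher_string):
    """Return [(name, strength_bits)] for the TLS <= 1.2 suites OpenSSL selects.

    TLS 1.3 suites are configured separately from this string, so they are
    filtered out to keep the comparison meaningful.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def reorder_exclusions(cipher_string):
    """Same rules, with the '!' terms reversed and moved to the front."""
    terms = cipher_string.split(":")
    bans = [t for t in terms if t.startswith("!")]
    rest = [t for t in terms if not t.startswith("!")]
    return ":".join(list(reversed(bans)) + rest)


def is_strength_sorted(suites):
    """True when strength_bits never increases from one suite to the next."""
    bits = [b for _, b in suites]
    return bits == sorted(bits, reverse=True)


if __name__ == "__main__":
    plain = expand(BASE)
    ordered = expand(BASE + ":@STRENGTH")
    print("same suites either way    :", sorted(plain) == sorted(ordered))
    print("exclusion order irrelevant:", expand(reorder_exclusions(BASE)) == plain)
    print("sorted without @STRENGTH  :", is_strength_sorted(plain))
    print("sorted with @STRENGTH     :", is_strength_sorted(ordered))
    for name, bits in ordered:
        print(f"{bits:4d}  {name}")
```
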


