
Pound Cipher List
Andreas Roedl <andreas.roedl(at)native-instruments.de>
2003-09-04 14:26:20
Hello!

It's a well-known fact that MSIE browsers version 5.x (all platforms) are
having problems with particular SSL ciphers. Especially the 56-bit export
versions have a broken SSLv3 implementation. 20.7 percent of our visitors are
using MSIE 5.x. Though more and more users are switching to MSIE 6.x (62.1
%), it is still important to support the buggy browsers.

The default cipher list of OpenSSL [1] looks like this (see
<openssl/ssl.h>):

  ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH

The modssl FAQ [2] describes the problem in detail and recommends the 
following cipher list:

  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

This turns off only the 56-bit TLS ciphers. If you're running a pounded website
offering SSL encryption, you should add this cipher list at the end of the
"ListenHTTPS" configuration line(s).


[1] http://www.openssl.org/docs/apps/ciphers.html
[2] http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie


Andi[...]
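To see what the two cipher strings above actually select and in which order, here is a simplified model of how OpenSSL evaluates a cipher-list string, added as an illustration; it is not code from the original post, from Pound or from OpenSSL. The cipher table is constructed (the names follow OpenSSL naming, but the set and its order are not OpenSSL's), and the HIGH/MEDIUM/LOW thresholds and the `!`, `-`, `+` and `@STRENGTH` semantics follow the ciphers(1) manual page of the OpenSSL 0.9.x era. Running it shows that the mod_ssl FAQ list drops exactly the 56-bit export suites and moves the remaining export suites to the end of the preference order.

```python
"""Simplified model of OpenSSL cipher-list string evaluation (added example).

Assumptions: the cipher table is constructed for illustration, and the
HIGH/MEDIUM/LOW thresholds follow ciphers(1) of the OpenSSL 0.9.x era.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    bits: int            # encryption key bits, used by @STRENGTH and HIGH/MEDIUM/LOW
    kx: str              # key exchange: RSA or DH
    auth: str            # authentication: RSA or NONE (anonymous)
    enc: str             # bulk cipher: AES, 3DES, RC4, RC2, DES
    proto: str           # SSLv2 or SSLv3
    export: bool = False # export-grade (40/56-bit) suite


# Constructed sample table; a real OpenSSL build enumerates many more suites.
CIPHERS = [
    Cipher("AES256-SHA", 256, "RSA", "RSA", "AES", "SSLv3"),
    Cipher("DES-CBC3-SHA", 168, "RSA", "RSA", "3DES", "SSLv3"),
    Cipher("RC4-SHA", 128, "RSA", "RSA", "RC4", "SSLv3"),
    Cipher("RC4-MD5", 128, "RSA", "RSA", "RC4", "SSLv3"),
    Cipher("DES-CBC-SHA", 56, "RSA", "RSA", "DES", "SSLv3"),
    Cipher("EXP1024-DES-CBC-SHA", 56, "RSA", "RSA", "DES", "SSLv3", export=True),
    Cipher("EXP1024-RC4-SHA", 56, "RSA", "RSA", "RC4", "SSLv3", export=True),
    Cipher("EXP-RC4-MD5", 40, "RSA", "RSA", "RC4", "SSLv3", export=True),
    Cipher("EXP-DES-CBC-SHA", 40, "RSA", "RSA", "DES", "SSLv3", export=True),
    Cipher("ADH-AES256-SHA", 256, "DH", "NONE", "AES", "SSLv3"),
    Cipher("ADH-RC4-MD5", 128, "DH", "NONE", "RC4", "SSLv3"),
    Cipher("RC2-CBC-MD5", 128, "RSA", "RSA", "RC2", "SSLv2"),
    Cipher("EXP-RC2-CBC-MD5", 40, "RSA", "RSA", "RC2", "SSLv2", export=True),
]
KNOWN_NAMES = {c.name for c in CIPHERS}

# Alias keywords from ciphers(1), each as a predicate over a Cipher.
ALIASES = {
    "ALL": lambda c: True,                        # everything except eNULL (none here)
    "ADH": lambda c: c.kx == "DH" and c.auth == "NONE",
    "RSA": lambda c: c.kx == "RSA",
    "RC4": lambda c: c.enc == "RC4",
    "HIGH": lambda c: c.bits > 128,
    "MEDIUM": lambda c: c.bits == 128,
    "LOW": lambda c: c.bits < 128 and not c.export,
    "EXPORT56": lambda c: c.export and c.bits == 56,
    "EXPORT40": lambda c: c.export and c.bits == 40,
    "EXP": lambda c: c.export,
    "EXPORT": lambda c: c.export,
    "SSLv2": lambda c: c.proto == "SSLv2",
    "SSLv3": lambda c: c.proto == "SSLv3",
}


def matches(word, cipher):
    """A '+' inside a word (e.g. RC4+RSA) is a logical AND of its parts."""
    for part in word.split("+"):
        if part in ALIASES:
            if not ALIASES[part](cipher):
                return False
        elif part in KNOWN_NAMES:
            if part != cipher.name:
                return False
        else:
            raise ValueError(f"unknown cipher or alias: {part}")
    return True


def evaluate(spec):
    """Apply a cipher-list string left to right; return the final preference order."""
    active = []     # selected suites, in preference order
    killed = set()  # removed with '!': can never be re-added later in the string
    for token in spec.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            active.sort(key=lambda c: c.bits, reverse=True)  # stable: ties keep order
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [c for c in CIPHERS if matches(word, c)]
        if op == "!":                      # delete permanently
            killed.update(c.name for c in hits)
            active = [c for c in active if c.name not in killed]
        elif op == "-":                    # delete, but a later word may re-add
            active = [c for c in active if c not in hits]
        elif op == "+":                    # move already-selected matches to the end
            active = [c for c in active if c not in hits] + [c for c in active if c in hits]
        else:                              # append matches not yet selected
            active += [c for c in hits if c.name not in killed and c not in active]
    return [c.name for c in active]


DEFAULT_LIST = "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
MSIE_LIST = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"


def removed_by_msie_list():
    """Suites the default string offers that the mod_ssl FAQ string drops."""
    return sorted(set(evaluate(DEFAULT_LIST)) - set(evaluate(MSIE_LIST)))


if __name__ == "__main__":
    for label, spec in (("default", DEFAULT_LIST), ("mod_ssl FAQ", MSIE_LIST)):
        print(f"{label}: {spec}")
        print("  " + ":".join(evaluate(spec)))
    print("dropped by the mod_ssl FAQ list:", removed_by_msie_list())
```

The `!` versus `-` distinction is the one worth remembering when editing a ListenHTTPS cipher string: `!EXPORT56` guarantees the 56-bit export suites stay out no matter what follows, whereas `-EXPORT56` would let a later `+EXP` or `ALL` bring them back. On a real system, `openssl ciphers -v '<string>'` prints the same kind of expanded list for the installed OpenSSL build.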
