Cipher Suites (Apache: The Definitive Guide, 3rd Edition)

11.9.1. Cipher Directives for Apache v1.3


SSLRequiredCiphers cipher-list
Server config, virtual hostl
Not available in Apache v2

This directive specifies a colon-separated list of cipher suites, used by OpenSSL to limit what the client end can do. Possible suites are listed Table 11-3. This is a per-server option. For example:

SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA

Table 11-3. Cipher suites for Apache v1.3

OpenSSL name	Config name	Keysize	Encrypted-Keysize
SSL3_TXT_RSA_IDEA_128_SHA	IDEA-CBC-SHA	128	128
SSL3_TXT_RSA_NULL_MD5	NULL-MD5	0	0
SSL3_TXT_RSA_NULL_SHA	NULL-SHA	0	0
SSL3_TXT_RSA_RC4_40_MD5	EXP-RC4-MD5	128	40
SSL3_TXT_RSA_RC4_128_MD5	RC4-MD5	128	128
SSL3_TXT_RSA_RC4_128_SHA	RC4-SHA	128	128
SSL3_TXT_RSA_RC2_40_MD5	EXP-RC2-CBC-MD5	128	40
SSL3_TXT_RSA_IDEA_128_SHA	IDEA-CBC-MD5	128	128
SSL3_TXT_RSA_DES_40_CBC_SHA	EXP-DES-CBC-SHA	56	40
SSL3_TXT_RSA_DES_64_CBC_SHA	DES-CBC-SHA	56	56
SSL3_TXT_RSA_DES_192_CBC3_SHA	DES-CBC3-SHA	168	168
SSL3_TXT_DH_DSS_DES_40_CBC_SHA	EXP-DH-DSS-DES-CBC-SHA	56	40
SSL3_TXT_DH_DSS_DES_64_CBC_SHA	DH-DSS-DES-CBC-SHA	56	56
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA	DH-DSS-DES-CBC3-SHA	168	168
SSL3_TXT_DH_RSA_DES_40_CBC_SHA	EXP-DH-RSA-DES-CBC-SHA	56	40
SSL3_TXT_DH_RSA_DES_64_CBC_SHA	DH-RSA-DES-CBC-SHA	56	56
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA	DH-RSA-DES-CBC3-SHA	168	168
SSL3_TXT_EDH_DSS_DES_40_CBC_SHA	EXP-EDH-DSS-DES-CBC-SHA	56	40
SSL3_TXT_EDH_DSS_DES_64_CBC_SHA	EDH-DSS-DES-CBC-SHA		56
SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA	EDH-DSS-DES-CBC3-SHA	168	168
SSL3_TXT_EDH_RSA_DES_40_CBC_SHA	EXP-EDH-RSA-DES-CBC	56	40
SSL3_TXT_EDH_RSA_DES_64_CBC_SHA	EDH-RSA-DES-CBC-SHA	56	56
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA	EDH-RSA-DES-CBC3-SHA	168	168
SSL3_TXT_ADH_RC4_40_MD5	EXP-ADH-RC4-MD5	128	40
SSL3_TXT_ADH_RC4_128_MD5	ADH-RC4-MD5	128	128
SSL3_TXT_ADH_DES_40_CBC_SHA	EXP-ADH-DES-CBC-SHA	128	40
SSL3_TXT_ADH_DES_64_CBC_SHA	ADH-DES-CBC-SHA	56	56
SSL3_TXT_ADH_DES_192_CBC_SHA	ADH-DES-CBC3-SHA	168	168
SSL3_TXT_FZA_DMS_NULL_SHA	FZA-NULL-SHA	0	0
SSL3_TXT_FZA_DMS_RC4_SHA	FZA-RC4-SHA	128	128
SSL2_TXT_DES_64_CFB64_WITH_MD5_1	DES-CFB-M1	56	56
SSL2_TXT_RC2_128_CBC_WITH_MD5	RC2-CBC-MD5	128	128
SSL2_TXT_DES_64_CBC_WITH_MD5	DES-CBC-MD5	56	56
SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5	DES-CBC3-MD5	168	168
SSL2_TXT_RC4_64_WITH_MD5	RC4-64-MD5	64	64
SSL2_TXT_NULL	NULL	0	0

SSLRequireCipher

SSLRequireCipher cipher-list
Server config, virtual host, .htaccess, directory
Not available in Apache v2

This directive specifies a space-separated list of cipher suites, used to verify the cipher after the connection is established. This is a per-directory option.

SSLCheckClientDN

SSLCheckClientDN fileBanCipher cipher-list
Config, virtual
Not available in Apache v2

The client DN is checked against the file. If it appears in the file, access is permitted; if it does not, it isn't. This allows client certificates to be checked and basic auth to be used as well, which cannot happen with the alternative, SSLFakeBasicAuth. The file is simply a list of client DNs, one per line.

SSLBanCipher

SSLBanCipher cipher-list
Config, virtual, .htaccess, directory
Not available in Apache v2

This directive specifies a space-separated list of cipher suites, as per SSLRequire-Cipher, except it bans them. The logic is as follows: if banned, reject; if required, accept; if no required ciphers are listed, accept. For example:

SSLBanCipher NULL-MD5 NULL-SHA

It is sensible to ban these suites because they are test suites that actually do no encryption.

11.9.2. Cipher Directives for Apache v2

SSLCipherSuite

SSLCipherSuite cipher-spec
Default: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
Server config, virtual host, directory, .htaccess
Override: AuthConfig
Apache v2 0nly

Unless the webmaster has reason to be paranoid about security, this directive can be ignored.

This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces an SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.

An SSL cipher specification in cipher-spec is composed of four major components plus a few extra minor ones. The tags for the key-exchange algorithm component, which includes RSA and Diffie-Hellman variants, are shown in Table 11-4.

Table 11-4. Key-exchange algorithms

Tag	Description
`kRSA`	RSA key exchange
`KDHr`	Diffie-Hellman key exchange with RSA key
`kDHd`	Diffie-Hellman key exchange with DSA key
`kEDH`	Ephemeral (temporary key) Diffie-Hellman key exchange (no certificate)

The tags for the authentication algorithm component, which includes RSA, Diffie-Hellman, and DSS, are shown in Table 11-5.

Table 11-5. Authentication algorithms

Tag	Description
`aNull`	No authentication
`aRSA`	RSA authentication
`aDSS`	DSS authentication
`aDH`	Diffie-Hellman authentication

The tags for the cipher encryption algorithm component, which includes DES, Triple-DES, RC4, RC2, and IDEA, are shown in Table 11-6.

Table 11-6. Cipher encoding algorithms

Tag	Description
`eNULL`	No encoding
`DES`	DES encoding
`3DES`	Triple-DES encoding
`RC4`	RC4 encoding
`RC2`	RC2 encoding
`IDEA`	IDEA encoding

The tags for the MAC digest algorithm component, which includes MD5, SHA, and SHA1, are shown in Table 11-7.

Table 11-7. MAC digest algorithms

Tag	Description
`MD5`	MD5 hash function
`SHA1`	SHA1 hash function
`SHA`	SHA hash function

An SSL cipher can also be an export cipher and is either an SSLv2 or SSLv3/TLSv1 cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use, one can either specify all the ciphers, one at a time, or use the aliases shown in Table 11-8 to specify the preference and order for the ciphers.

Table 11-8. Cipher aliases

Tag	Description
`SSLv2`	All SSL Version 2.0 ciphers
`SSLv3`	All SSL Version 3.0 ciphers
`TLSv1`	All TLS Version 1.0 ciphers
`EXP`	All export ciphers
`EXPORT40`	All 40-bit export ciphers only
`EXPORT56`	All 56-bit export ciphers only
`LOW`	All low-strength ciphers (no export, single DES)
`MEDIUM`	All ciphers with 128-bit encryption
`HIGH`	All ciphers using Triple-DES
`RSA`	All ciphers using RSA key exchange
`DH`	All ciphers using Diffie-Hellman key exchange
`EDH`	All ciphers using Ephemeral Diffie-Hellman key exchange
`ADH`	All ciphers using Anonymous Diffie-Hellman key exchange
`DSS`	All ciphers using DSS authentication
`NULL`	All ciphers using no encryption

These tags can be joined together with prefixes to form the cipher-spec. Available prefixes are the following:

none: Add cipher to list
+: Add ciphers to list and pull them to current location in list
-: Remove cipher from list (can be added later again)
!: Kill cipher from list completely (cannot be added later again)

A simpler way to look at all of this is to use the openssl ciphers -v command, which provides a way to create the correct cipher-spec string:

$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
...                     ...               ...     ...           ...
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

The default cipher-spec string is "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", which means the following: first, remove from consideration any ciphers that do not authenticate, i.e., for SSL only the Anonymous Diffie-Hellman ciphers are removed. Next, use ciphers using RC4 and RSA. Next, include the high-, medium-, and then the low-security ciphers. Finally, pull all SSLv2 and export ciphers to the end of the list.

Example

SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW

The complete lists of particular RSA and Diffie-Hellman ciphers for SSL are given in Tables Table 11-9 and Table 11-10.

Table 11-9. Particular RSA SSL ciphers

Cipher Tag	Protocol	Key Ex.	Auth.	Enc.	MAC	Type
`DES-CBC3-SHA`	SSLv3	RSA	RSA	3DES(168)	SHA1
`DES-CBC3-MD5`	SSLv2	RSA	RSA	3DES(168)	MD5
`IDEA-CBC-SHA`	SSLv3	RSA	RSA	IDEA(128)	SHA1
`RC4-SHA`	SSLv3	RSA	RSA	RC4(128)	SHA1
`RC4-MD5`	SSLv3	RSA	RSA	RC4(128)	MD5
`IDEA-CBC-MD5`	SSLv2	RSA	RSA	IDEA(128)	MD5
`RC2-CBC-MD5`	SSLv2	RSA	RSA	RC2(128)	MD5
`RC4-MD5`	SSLv2	RSA	RSA	RC4(128)	MD5
`DES-CBC-SHA`	SSLv3	RSA	RSA	DES(56)	SHA1
`RC4-64-MD5`	SSLv2	RSA	RSA	RC4(64)	MD5
`DES-CBC-MD5`	SSLv2	RSA	RSA	DES(56)	MD5
`EXP-DES-CBC-SHA`	SSLv3	RSA(512)	RSA	DES(40)	SHA1	export
`EXP-RC2-CBC-MD5`	SSLv3	RSA(512)	RSA	RC2(40)	MD5	export
`EXP-RC4-MD5`	SSLv3	RSA(512)	RSA	RC4(40)	MD5	export
`EXP-RC2-CBC-MD5`	SSLv2	RSA(512)	RSA	RC2(40)	MD5	export
`EXP-RC4-MD5`	SSLv2	RSA(512)	RSA	RC4(40)	MD5	export
`NULL-SHA`	SSLv3	RSA	RSA	None	SHA1
`NULL-MD5`	SSLv3	RSA	RSA	None	MD5

Table 11-10. Particular Diffie-Hellman ciphers

Cipher Tag	Protocol	Key Ex.	Auth.	Enc.	MAC	Type
`ADH-DES-CBC3-SHA`	SSLv3	DH	None	3DES(168)	SHA1
`ADH-DES-CBC-SHA`	SSLv3	DH	None	DES(56)	SHA1
`ADH-RC4-MD5`	SSLv3	DH	None	RC4(128)	MD5
`EDH-RSA-DES-CBC3-SHA`	SSLv3	DH	RSA	3DES(168)	SHA1
`EDH-DSS-DES-CBC3-SHA`	SSLv3	DH	DSS	3DES(168)	SHA1
`EDH-RSA-DES-CBC-SHA`	SSLv3	DH	RSA	DES(56)	SHA1
`EDH-DSS-DES-CBC-SHA`	SSLv3	DH	DSS	DES(56)	SHA1
`EXP-EDH-RSA-DES-CBC-SHA`	SSLv3	DH(512)	RSA	DES(40)	SHA1	export
`EXP-EDH-DSS-DES-CBC-SHA`	SSLv3	DH(512)	DSS	DES(40)	SHA1	export
`EXP-ADH-DES-CBC-SHA`	SSLv3	DH(512)	None	DES(40)	SHA1	export
`EXP-ADH-RC4-MD5`	SSLv3	DH(512)	None	RC4(40)	MD5	export

11.9. Cipher Suites