Apache / OpenSSL configuration keywords `SSLProtocol` vs. `SSLCipherSuite`
According to the Apache docs I can configure the cipher suite with (a.o.) two different keywords, and examples on the Internet often use both (but not necessarily identical to the example below).

What is the difference between `SSLProtocol` and `SSLCipherSuite`; should I use either or both?

    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!SSLv2:!SSLv3

Or is it better to list individual ciphers for `SSLCipherSuite`?

    SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA ...

Are both keywords fundamentally different in what they configure? I have this feeling I am overlooking something essential here.

The above configurations are not necessarily good practice; they're just an example to explain my doubt.

Tags: apache-httpd, configuration, openssl, https
Comment: This was helpful: Why doesn't the TLS protocol work without the SSLv3 ciphersuites? – jippie, Mar 24 '15 at 13:13
asked Mar 23 '15 at 17:39 by jippie; edited Aug 13 '16 at 13:06 by Jeff Schaller
1 Answer
`SSLProtocol` configures which protocols (SSL or TLS) and which specific versions of those protocols will be allowed. For example this:

    SSLProtocol all -SSLv2 -SSLv3

means enable all supported protocols except SSLv2 and SSLv3.

`SSLCipherSuite` configures which cipher suites can be used. Each of the protocols supports a different, overlapping set of ciphers; with this you can apply a fine-grained setting of exactly which ciphers you want to allow. In addition to specifying lists of individual ciphers, you can also use aliases such as `SSLv3` (which means all ciphers allowed by the SSLv3 protocol) or `TLSv1` (all ciphers allowed by the TLSv1 protocol).

If you want to control which protocols are supported, then you should use `SSLProtocol`, because it explicitly states that the given protocols will not be allowed, rather than relying on blocking the use of all the ciphers that the protocols allow.
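The distinction the answer draws, as an added example that is not part of the question or the answer above: it uses Python's `ssl` module, which wraps the same OpenSSL library that mod_ssl calls, to expand a cipher-list string the way `SSLCipherSuite` hands it to OpenSSL and to set a protocol floor the way `SSLProtocol` does. The helper names are mine, and it assumes Python 3.7 or later on OpenSSL 1.1.1 or later. In those OpenSSL versions each suite is tagged with the lowest protocol version that defines it, so the `SSLv3` alias in a cipher string also covers TLS 1.0/1.1-era suites such as `AES128-SHA` from the question, and `!SSLv3` removes them without touching which protocol versions the server will negotiate.

```python
"""Added example: what SSLProtocol and SSLCipherSuite correspond to in OpenSSL
terms, demonstrated through Python's ssl module (helper names are hypothetical,
written for this illustration; assumes Python 3.7+ on OpenSSL 1.1.1+)."""
import ssl


def suites_by_min_version(cipher_string):
    """Expand an OpenSSL cipher-list string (the value SSLCipherSuite takes)
    and group the resulting suites by the lowest protocol version that
    defines them, as OpenSSL reports it: SSLv3, TLSv1.0, TLSv1.2, TLSv1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # same call mod_ssl makes for SSLCipherSuite
    groups = {}
    for suite in ctx.get_ciphers():
        groups.setdefault(suite["protocol"], []).append(suite["name"])
    return groups


def cipher_string_moves_protocol_floor(cipher_string):
    """True only if applying the cipher string changed the minimum protocol
    version the context will negotiate. It never does: a cipher list filters
    suites, it does not disable protocol versions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    before = ctx.minimum_version
    ctx.set_ciphers(cipher_string)
    return ctx.minimum_version != before


def restrict_protocols(min_version=ssl.TLSVersion.TLSv1_2):
    """The SSLProtocol analogue: set the lowest protocol version the server
    will negotiate, independent of which suites are on the cipher list.
    Returns the enum name of the resulting floor (e.g. 'TLSv1_2')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    return ctx.minimum_version.name


if __name__ == "__main__":
    # The two cipher strings from the question, expanded the way OpenSSL sees them.
    for cs in ("ALL", "ALL:!SSLv2:!SSLv3"):
        print(cs)
        for proto, names in sorted(suites_by_min_version(cs).items()):
            print(f"  {proto:8s} {len(names):3d} suites, e.g. {names[0]}")
    print("'!SSLv3' moved the protocol floor:",
          cipher_string_moves_protocol_floor("ALL:!SSLv2:!SSLv3"))
    print("protocol floor after the SSLProtocol-style setting:",
          restrict_protocols())
```

Running it prints, for `ALL:!SSLv2:!SSLv3`, no `SSLv3` group at all while the `TLSv1.0` group (ECDHE suites introduced alongside TLS 1.0) survives, which is why a cipher list alone is a poor way to retire a protocol: it drops more than the protocol's own suites, and it does not stop the server from negotiating SSLv3 if `SSLProtocol` still allows it.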
answered May 22 '15 at 0:47 by harmic