Apache / OpenSSL configuration keywords `SSLProtocol` vs. `SSLCipherSuite`

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












1















According to the Apache docs I can configure the cipher suite with (a.o.) two different keywords and examples on Internet often use both (but not necessarily identical to below example).



What is the difference between SSLProtocol and SSLCipherSuite, should I use them either or both?



SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!SSLv2:!SSLv3


Or is it better to list individual ciphers for SSLCipherSuite?



SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA ...


Are both keywords fundamentally different in what they configure? I have this feeling I am overlooking something essential here.



Above configurations are not necessarily good practice, they're just an example to explain my doubt.










share|improve this question
























  • This was helpful: Why doesn't the TLS protocol work without the SSLv3 ciphersuites?

    – jippie
    Mar 24 '15 at 13:13
















1















According to the Apache docs I can configure the cipher suite with (a.o.) two different keywords and examples on Internet often use both (but not necessarily identical to below example).



What is the difference between SSLProtocol and SSLCipherSuite, should I use them either or both?



SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!SSLv2:!SSLv3


Or is it better to list individual ciphers for SSLCipherSuite?



SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA ...


Are both keywords fundamentally different in what they configure? I have this feeling I am overlooking something essential here.



Above configurations are not necessarily good practice, they're just an example to explain my doubt.










share|improve this question
























  • This was helpful: Why doesn't the TLS protocol work without the SSLv3 ciphersuites?

    – jippie
    Mar 24 '15 at 13:13














1












1








1








According to the Apache docs I can configure the cipher suite with (a.o.) two different keywords and examples on Internet often use both (but not necessarily identical to below example).



What is the difference between SSLProtocol and SSLCipherSuite, should I use them either or both?



SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!SSLv2:!SSLv3


Or is it better to list individual ciphers for SSLCipherSuite?



SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA ...


Are both keywords fundamentally different in what they configure? I have this feeling I am overlooking something essential here.



Above configurations are not necessarily good practice, they're just an example to explain my doubt.










share|improve this question
















According to the Apache docs I can configure the cipher suite with (a.o.) two different keywords and examples on Internet often use both (but not necessarily identical to below example).



What is the difference between SSLProtocol and SSLCipherSuite, should I use them either or both?



SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!SSLv2:!SSLv3


Or is it better to list individual ciphers for SSLCipherSuite?



SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA ...


Are both keywords fundamentally different in what they configure? I have this feeling I am overlooking something essential here.



Above configurations are not necessarily good practice, they're just an example to explain my doubt.







apache-httpd configuration openssl https






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 13 '16 at 13:06









Jeff Schaller

42.1k1156133




42.1k1156133










asked Mar 23 '15 at 17:39









jippiejippie

9,02172956




9,02172956












  • This was helpful: Why doesn't the TLS protocol work without the SSLv3 ciphersuites?

    – jippie
    Mar 24 '15 at 13:13


















  • This was helpful: Why doesn't the TLS protocol work without the SSLv3 ciphersuites?

    – jippie
    Mar 24 '15 at 13:13

















This was helpful: Why doesn't the TLS protocol work without the SSLv3 ciphersuites?

– jippie
Mar 24 '15 at 13:13






This was helpful: Why doesn't the TLS protocol work without the SSLv3 ciphersuites?

– jippie
Mar 24 '15 at 13:13











1 Answer
1






active

oldest

votes


















0














SSLProtocol configures which protocols (SSL or TLS) and which specific versions of those protocols will be allowed.



For example this:



SSLProtocol all -SSLv2 -SSLv3


means enable all supported protocols except SSLv2 and SSLv3.



SSLCipherSuite configures which cipher suites can be used. Each of the protocols support different overlapping sets of ciphers; with this you can apply a fine grained setting of exactly which ciphers you want to allow.



In addition to specifying lists of individual ciphers, you can also use aliases such as SSLv3 (which means all ciphers allowed by the SSLv3 protocol) or TLSv1 (all ciphers allowed by the TLSv1 protocol).



If you want to control which protocols are supported, then you should use SSLProtocols, because it explicitly states that the given protocols will not be allowed, rather than relying on blocking the use of all the ciphers that the protocols allow.






share|improve this answer






















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f192036%2fapache-openssl-configuration-keywords-sslprotocol-vs-sslciphersuite%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    SSLProtocol configures which protocols (SSL or TLS) and which specific versions of those protocols will be allowed.



    For example this:



    SSLProtocol all -SSLv2 -SSLv3


    means enable all supported protocols except SSLv2 and SSLv3.



    SSLCipherSuite configures which cipher suites can be used. Each of the protocols support different overlapping sets of ciphers; with this you can apply a fine grained setting of exactly which ciphers you want to allow.



    In addition to specifying lists of individual ciphers, you can also use aliases such as SSLv3 (which means all ciphers allowed by the SSLv3 protocol) or TLSv1 (all ciphers allowed by the TLSv1 protocol).



    If you want to control which protocols are supported, then you should use SSLProtocols, because it explicitly states that the given protocols will not be allowed, rather than relying on blocking the use of all the ciphers that the protocols allow.






    share|improve this answer



























      0














      SSLProtocol configures which protocols (SSL or TLS) and which specific versions of those protocols will be allowed.



      For example this:



      SSLProtocol all -SSLv2 -SSLv3


      means enable all supported protocols except SSLv2 and SSLv3.



      SSLCipherSuite configures which cipher suites can be used. Each of the protocols support different overlapping sets of ciphers; with this you can apply a fine grained setting of exactly which ciphers you want to allow.



      In addition to specifying lists of individual ciphers, you can also use aliases such as SSLv3 (which means all ciphers allowed by the SSLv3 protocol) or TLSv1 (all ciphers allowed by the TLSv1 protocol).



      If you want to control which protocols are supported, then you should use SSLProtocols, because it explicitly states that the given protocols will not be allowed, rather than relying on blocking the use of all the ciphers that the protocols allow.






      share|improve this answer

























        0












        0








        0







        SSLProtocol configures which protocols (SSL or TLS) and which specific versions of those protocols will be allowed.



        For example this:



        SSLProtocol all -SSLv2 -SSLv3


        means enable all supported protocols except SSLv2 and SSLv3.



        SSLCipherSuite configures which cipher suites can be used. Each of the protocols support different overlapping sets of ciphers; with this you can apply a fine grained setting of exactly which ciphers you want to allow.



        In addition to specifying lists of individual ciphers, you can also use aliases such as SSLv3 (which means all ciphers allowed by the SSLv3 protocol) or TLSv1 (all ciphers allowed by the TLSv1 protocol).



        If you want to control which protocols are supported, then you should use SSLProtocols, because it explicitly states that the given protocols will not be allowed, rather than relying on blocking the use of all the ciphers that the protocols allow.






        share|improve this answer













        SSLProtocol configures which protocols (SSL or TLS) and which specific versions of those protocols will be allowed.



        For example this:



        SSLProtocol all -SSLv2 -SSLv3


        means enable all supported protocols except SSLv2 and SSLv3.



        SSLCipherSuite configures which cipher suites can be used. Each of the protocols support different overlapping sets of ciphers; with this you can apply a fine grained setting of exactly which ciphers you want to allow.



        In addition to specifying lists of individual ciphers, you can also use aliases such as SSLv3 (which means all ciphers allowed by the SSLv3 protocol) or TLSv1 (all ciphers allowed by the TLSv1 protocol).



        If you want to control which protocols are supported, then you should use SSLProtocols, because it explicitly states that the given protocols will not be allowed, rather than relying on blocking the use of all the ciphers that the protocols allow.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered May 22 '15 at 0:47









        harmicharmic

        1013




        1013



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f192036%2fapache-openssl-configuration-keywords-sslprotocol-vs-sslciphersuite%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?