On Tue, Sep 1, 2015 at 6:14 AM, Andreas Thulin <[email protected]> wrote:
> Hi misc readers!
>
> <snip>
> My current httpd.conf contains a line saying
>
> tls ciphers "STRONG:ECDHE:!aNULL:!SSLv3:@STRENGTH"
>
> which renders out "Configuration OK" with '# /usr/sbin/httpd -n'.
>

A really stupid question: Did you restart httpd? e.g. "/etc/rc.d/httpd restart"?

Using your list, works here (though with an Aug 10 snapshot).

<snip>

> However, when running a
> server test
> (https://www.ssllabs.com/ssltest/analyze.html?d=andreasthulin.se),
> there's a much longer list of ciphers, including both non-FS and medium
> strength ciphers.
>
> I'm thinking that either
>
> 1. my assumption that my httpd.conf is all dandy is wrong (highly
> probable),
> 2. SSL Labs is lying to me (improbable), or
> 3. there's some sort of bug in httpd (improbable).
>
> Does anyone have any pointers?
>

I find the following tool invaluable in checking my setup locally.

https://github.com/jvehent/cipherscan

You can also use nmap, which is in ports:

$ nmap -sT -p443 -script ssl-enum-ciphers <your host>

Hope this helps.

Kent.

