Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread Christopher Schultz
J.Lance,

On 4/18/14, 2:55 PM, J.Lance Wilkinson wrote:
> Christopher Schultz wrote:
> ...snip...
>>
>> I don't get it. Both setups (2.2.26 and 2.4.9) have 1.0.1.e and have an
>> update available to 1.0.1g (I haven't read the changelogs but I'll bet
>> the difference is mostly the version-bump sinc

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread J.Lance Wilkinson
Christopher Schultz wrote:
...snip...
I don't get it. Both setups (2.2.26 and 2.4.9) have 1.0.1.e and have an update available to 1.0.1g (I haven't read the changelogs but I'll bet the difference is mostly the version-bump since everyone is paranoid about 1.0.1e, now).

I'll see if that changes a

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread Christopher Schultz
John,

On 4/18/14, 1:16 PM, John Iliffe wrote:
> Further to my previous post, the log reports:
>
> [Sun Apr 13 03:20:08.591247 2014] [mpm_event:notice] [pid 11737:tid
> 140478837470976] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured --
> resuming normal operations
> [Sun Apr 13 03:20:08.

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread John Iliffe
Further to my previous post, the log reports:

[Sun Apr 13 03:20:08.591247 2014] [mpm_event:notice] [pid 11737:tid 140478837470976] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- resuming normal operations
[Sun Apr 13 03:20:08.591283 2014] [core:notice] [pid 11737:tid 140478837470976]

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread John Iliffe
Re the version of OpenSSL, I reported this last week to this list. Seems that OpenSSL-1.0.1g is linked to libssl-1.0.0, not the usual libssl-1.x.x format. Probably a make file error, but it really seems to be 1.0.1g.

John
=
On Friday 18 April 2014 12:14:32 Christ

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread Christopher Schultz
Igor,

On 4/17/14, 8:56 PM, Igor Cicimov wrote:
>
> On 18/04/2014 2:30 AM, "Hanno Böck" wrote:
>>
>> On Thu, 17 Apr 2014 12:27:37 -0400
>> Christopher Schultz wrote:
>>
>> > I'm trying to enable (and prefer!) ECDHE ciphers for clie

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-17 Thread Brett @Google
*16-November-2013 Changes with Apache 2.2.26 (legacy)*

ASF changes:

*) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against OpenSSL 1.0.0b3. [Vipul Gupta, Sander Temme, Stefan Fritsch]

So you need something at least 2.2.26 (the ECDH changes were backported from 2.4)

We

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-17 Thread Igor Cicimov
On Fri, Apr 18, 2014 at 2:27 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> I'm running httpd 2.2.23 on Amazon Linux. I read in the comments for
> mod_ssl that httpd 2.2.24 is required for "TLSv1.2" to be specified
> directly. Is that accurate? I can see in my Qualys test that

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-17 Thread Igor Cicimov
On 18/04/2014 2:30 AM, "Hanno Böck" wrote:
>
> On Thu, 17 Apr 2014 12:27:37 -0400
> Christopher Schultz wrote:
>
> > I'm trying to enable (and prefer!) ECDHE ciphers for clients that can
> > support them. I've done the obvious:
> [...]
> > I'm running httpd 2.2.23
>
> That's your problem. Get rid

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-17 Thread Christopher Schultz
Hanno,

On 4/17/14, 12:29 PM, Hanno Böck wrote:
> On Thu, 17 Apr 2014 12:27:37 -0400
> Christopher Schultz wrote:
>
>> I'm trying to enable (and prefer!) ECDHE ciphers for clients that can
>> support them. I've done the obvious:
> [...]
>> I'm running httpd 2.2.23
>
> That's your problem. Get ri

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-17 Thread Hanno Böck
On Thu, 17 Apr 2014 12:27:37 -0400
Christopher Schultz wrote:
> I'm trying to enable (and prefer!) ECDHE ciphers for clients that can
> support them. I've done the obvious:
[...]
> I'm running httpd 2.2.23

That's your problem. Get rid of that old cruft. You'll need apache 2.4 (for that and for m

[users@httpd] Enabling ECDHE ciphers

2014-04-17 Thread Christopher Schultz
All,

I'm trying to enable (and prefer!) ECDHE ciphers for clients that can support them. I've done the obvious:

SSLHonorCipherOrder Yes
SSLProtocol ALL -SSLv2
SSLCipherSuite ECDHE:ECDH:..[other stuff]

I have confirmed that, when running "openssl ciphers [stuff above]" that I get ECDHE ciphers li