
List:       apache-modssl
Subject:    Re: Which SSL Directives to use?
From:       Crypto Sal <crypto.sal () gmail ! com>
Date:       2010-02-17 13:39:07
Message-ID: 4B7BF17B.3070300 () gmail ! com

On 02/17/2010 02:08 AM, NT984 wrote:
> I am converting from a Verisign SSL Certificate to a Network Solutions EV SSL
> Cert on my site. My existing configuration uses the following directives:
>
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
> SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.cert
> SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
> SSLCACertificateFile /etc/apache2/ssl.crt/my.blah.com.intermediate.crt
>
> In the Network Solutions instructions, it recommends using the following:
> SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
> SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
> SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt
>
> In the http://httpd.apache.org/docs/2.0/mod/mod_ssl.html apache mod_ssl
> documentation, it states the following:
>
> SSLCertificateChainFile
> This should be used alternatively and/or additionally to
> SSLCACertificatePath for explicitly constructing the server certificate
> chain which is sent to the browser in addition to the server certificate. It
> is especially useful to avoid conflicts with CA certificates when using
> client authentication. Because although placing a CA certificate of the
> server certificate chain into SSLCACertificatePath has the same effect for
> the certificate chain construction, it has the side-effect that client
> certificates issued by this same CA certificate are also accepted on client
> authentication.
>
> Example:
> SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
>
> SSLCACertificateFile
> This directive sets the all-in-one file where you can assemble the
> Certificates of Certification Authorities (CA) whose clients you deal with.
> These are used for Client Authentication. Such a file is simply the
> concatenation of the various PEM-encoded Certificate files, in order of
> preference. This can be used alternatively and/or additionally to
> SSLCACertificatePath.
>
> Example
> SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
>
>
> My question is... should I include both directives in my configuration? Is
> there an advantage to doing so?  Now that I am upgrading, do I need to
> consider modification of my SSLCipherSuite setting?
>
> Any help would be appreciated.
>
> Thx. nt
>    


NT,

You should use SSLCertificateChainFile if you're on Apache 2.2. If you're 
on Apache 1.x, then typically you'll want to use SSLCACertificateFile. 
In Apache 2, SSLCACertificateFile is for Client Authentication, whereas 
in earlier versions it was for the Certificate Authority. Earlier versions of 
Apache 2.0 were able to use both interchangeably. Do not use both at the 
same time, unless you're doing Client Authentication.

As far as your cipher suite goes, you'll also want to disable MD5-based 
ciphers. (Opera 9.x will warn of weak ciphers in use, as there are 
a few MD5-based ones in SSLv3/TLSv1.x.)

Hope this helps,

--Sal
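An added example, not part of Sal's reply or anything NT984 posted: the script below applies the two points of the reply to the directives from the question (intermediate in SSLCertificateChainFile, no SSLCACertificateFile since no client authentication is done, and !MD5 appended to the cipher string), then audits a cipher string for MD5-based suites using the `openssl ciphers -v` column layout. The paths are the ones from the question; that Apache_Plesk_Install.txt holds the Network Solutions intermediate certificate(s) in PEM form is an assumption, as is the abridged sample of `openssl ciphers -v` output, which is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes Apache 2.2 and that
# /etc/apache2/ssl.crt/Apache_Plesk_Install.txt is the PEM intermediate chain.

# Cipher string from the question with !MD5 appended, as the reply suggests.
# '!' exclusions are permanent regardless of position in the string.
SSL_CIPHER_SUITE='ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!MD5'

# Write the vhost fragment to the path given as $1. The intermediate goes in
# SSLCertificateChainFile; SSLCACertificateFile is deliberately absent because
# on Apache 2 it would also make client certs from that CA acceptable.
write_vhost_fragment() {
    cat > "$1" <<EOF
SSLEngine on
SSLCipherSuite $SSL_CIPHER_SUITE
SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt
EOF
}

# Read 'openssl ciphers -v' output on stdin and print the names of suites
# whose MAC is MD5. Column layout: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
list_md5_suites() {
    awk '$6 == "Mac=MD5" { print $1 }'
}

# Audit a cipher string with the local OpenSSL. Returns 1 if any MD5-based
# suite is still enabled, 2 if OpenSSL rejects the string (newer releases
# do not know every alias a 2010-era string used), 0 when clean.
audit_cipher_string() {
    list=$(openssl ciphers -v "$1" 2>/dev/null) || {
        echo "OpenSSL rejected cipher string: $1" >&2
        return 2
    }
    md5=$(printf '%s\n' "$list" | list_md5_suites)
    if [ -n "$md5" ]; then
        printf 'MD5-based suites still enabled:\n%s\n' "$md5"
        return 1
    fi
    return 0
}

# Constructed sample (abridged) of what 'openssl ciphers -v' printed for the
# ORIGINAL string on a 2010-era OpenSSL; only RC4-MD5 here uses MD5.
SAMPLE_CIPHERS_V='DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5'

main() {
    f="${TMPDIR:-/tmp}/modssl-ev.conf"
    write_vhost_fragment "$f"
    echo "Wrote vhost fragment to $f"
    echo "MD5-based suites the old string enabled (constructed sample):"
    printf '%s\n' "$SAMPLE_CIPHERS_V" | list_md5_suites
    if command -v openssl >/dev/null 2>&1; then
        if audit_cipher_string "$SSL_CIPHER_SUITE"; then
            echo "New string: no MD5-based suites enabled by local OpenSSL"
        fi
    fi
}

main
```

After deploying the fragment, the check a practitioner would run is `openssl s_client -connect my.blah.com:443 -showcerts`, which prints the chain the server actually sends; with the intermediate correctly in SSLCertificateChainFile it appears as depth 1 and the verify return code is 0 against a trust store that holds the Network Solutions root. If the output shows only the leaf at depth 0, the chain file is not being read.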



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majordomo@modssl.org