[openssl-users] explicitly including other ciphers.

Wall, Stephen swall at redcom.com
Thu Dec 3 21:32:47 UTC 2015


> What about openssl?  (little confused here)..  I would expect openssl
> being the one that needs to be rebuilt, not apache.

As Viktor previously stated, openssl has the NULL ciphers built in by default.  Your reply to Rich seemed to confirm that your version of openssl does include them:

>>>> but if I do a: openssl ciphers -v "ALL:eNULL" | grep eNULL
>>>> I don't see anything.
>>> Look for NULL, not eNULL.  Or "Enc=None"
>> thanks!  that seemed to work,

You further asked:

>> does that mean, since there are NULL ciphers I can just use them in apache/mod_ssl by just changing a setting like:
>>
>> SSLCipherSuite eNULL
>>
>> in httpd.conf?

To which I responded "No".  If mod_ssl were passing the SSLCipherSuite value straight through to openssl, the answer would have been yes.  Unfortunately for you, mod_ssl manipulates the value of SSLCipherSuite to prevent NULL and export ciphers from being used.  You need to rebuild Apache without that manipulation to use any NULL ciphers.


-spw
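
The check discussed in the thread, as an added example that is not part of the original message: `eNULL` is a selector keyword in the cipher string and never appears in the listing, so an audit has to match the `Enc=None` field of `openssl ciphers -v` output. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the column layout printed by `openssl ciphers -v`.
sample_ciphers() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
EOF
}

# Print the name of every suite on stdin whose Enc= field is None.
# The field is matched exactly, so the position of the column and the
# spelling of the suite name do not matter.
null_suites() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "Enc=None") { print $1; break } }'
}

# Return 0 if the listing on stdin contains no unencrypted suite and 1
# otherwise, so the function can gate a configuration check.
audit_cipher_list() {
    found=$(null_suites)
    if [ -n "$found" ]; then
        printf 'unencrypted suites offered:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample: prints the two NULL suites.
sample_ciphers | null_suites

# Against a local OpenSSL (assumed to be installed), the same audit is:
#   openssl ciphers -v 'ALL:eNULL' | audit_cipher_list
```
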

