Name

SSLCipherSuite

Synopsis

SSLCipherSuite cipher_spec

[server config, within <VirtualHost> or <Directory>, or .htaccess]

This directive combines a number of cipher specifications to configure the Cipher Suite. The Cipher Suite is the set of methods or algorithms used by the server and client to establish secure communications. The cipher suite is negotiated during the handshake phase, just after a client sends an SSL request. The cipher_spec provided by this directive lists a set of methods that the server will support for a request. The client and server negotiate the most common and preferred methods in this list to use for transactions.

The cipher_spec is a rather complex string that requires at least one declaration for each of the following: a key exchange algorithm, an authentication algorithm, a cipher or encryption algorithm, and a MAC digest algorithm. You can additionally declare an export cipher. There are many different tags for specific ciphers that can be combined for the cipher spec. Certain alias tags have been defined to group ciphers into specific sets that comprise certain protocols and levels of security. Table 19-2 lists the alias tags.

Table 19-2. Cipher tag aliases

Tag         Description
SSLv2       All SSL 2.0 ciphers
SSLv3       All SSL 3.0 ciphers
TLSv1       All TLS 1.0 ciphers
EXP         All export ciphers
EXPORT40    40-bit export ciphers only
EXPORT56    56-bit export ciphers only
LOW         All low strength ciphers (no export, single DES)
MEDIUM      All ciphers with ...
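
An added example, not taken from the book or from the Apache project: a virtual host showing a permissive cipher_spec beside one that excludes the weak alias groups from Table 19-2, plus a per-directory override. The ALL, HIGH and aNULL tags and the ":" and "!" operators are OpenSSL cipher-list syntax that the excerpt above does not show; the host name and file paths are placeholders.

```apache
# Added example. www.example.com and the /path/to/... files are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Weak: ALL selects all of the SSL library's encrypting cipher suites,
    # so the SSLv2, EXP (EXPORT40 and EXPORT56) and LOW groups from
    # Table 19-2 stay negotiable and a client may settle on one of them.
    #SSLCipherSuite ALL

    # Corrected: specs are joined with ":" and a leading "!" removes a group
    # for good, so nothing later in the string can add it back.
    # aNULL (suites with no authentication) is excluded as well, since the
    # cipher_spec is meant to include an authentication algorithm.
    SSLCipherSuite ALL:!SSLv2:!EXP:!LOW:!aNULL

    # Per-directory use, as the context line allows: a stricter list for one
    # path. mod_ssl renegotiates the connection to apply it.
    <Directory "/path/to/docroot/admin">
        SSLCipherSuite HIGH:!aNULL
    </Directory>
</VirtualHost>

# To see which ciphers a spec expands to before deploying it:
#   openssl ciphers -v 'ALL:!SSLv2:!EXP:!LOW:!aNULL'
```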

Get Webmaster in a Nutshell, Third Edition now with the O’Reilly learning platform.