13.8. Cipher Suites
The SSL protocol does not restrict clients and servers to a single encryption brew for the secure exchange of information. There are a number of possible cryptographic ingredients, but as in any cookpot, some ingredients go better together than others. The seriously interested can refer to Bruce Schneier's Applied Crytography ( John Wiley & Sons), in conjunction with the SSL specification (from http://www.netscape.com/). The list of cipher suites is in the SSLeay software at ... /ssl/ssl.h. The macro names give a better idea of what is meant than the text strings.
| SSLeay name | Config name | Keysize | EncryptedKeysize |
|---|---|---|---|
SSL3_TXT_RSA_IDEA_128_SHA |
IDEA-CBC-SHA | 128 | 128 |
SSL3_TXT_RSA_NULL_MD5 |
NULL-MD5 | 0 | 0 |
SSL3_TXT_RSA_NULL_SHA |
NULL-SHA | 0 | 0 |
SSL3_TXT_RSA_RC4_40_MD5 |
EXP-RC4-MD5 | 128 | 40 |
SSL3_TXT_RSA_RC4_128_MD5 |
RC4-MD5 | 128 | 128 |
SSL3_TXT_RSA_RC4_128_SHA |
RC4-SHA | 128 | 128 |
SSL3_TXT_RSA_RC2_40_MD5 |
EXP-RC2-CBC-MD5 | 128 | 40 |
SSL3_TXT_RSA_IDEA_128_SHA |
IDEA-CBC-MD5 | 128 | 128 |
SSL3_TXT_RSA_DES_40_CBC_SHA |
EXP-DES-CBC-SHA | 56 | 40 |
SSL3_TXT_RSA_DES_64_CBC_SHA |
DES-CBC-SHA | 56 | 56 |
SSL3_TXT_RSA_DES_192_CBC3_SHA |
DES-CBC3-SHA | 168 | 168 |
SSL3_TXT_DH_DSS_DES_40_CBC_SHA |
EXP-DH-DSS-DES-CBC-SHA | 56 | 40 |
SSL3_TXT_DH_DSS_DES_64_CBC_SHA |
DH-DSS-DES-CBC-SHA | 56 | 56 |
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA |
DH-DSS-DES-CBC3-SHA | 168 | 168 |
SSL3_TXT_DH_RSA_DES_40_CBC_SHA |
EXP-DH-RSA-DES-CBC-SHA | 56 | 40 |
SSL3_TXT_DH_RSA_DES_64_CBC_SHA |
DH-RSA-DES-CBC-SHA | 56 | 56 |
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA |
DH-RSA-DES-CBC3-SHA | 168 | 168 |
SSL3_TXT_EDH_DSS_DES_40_CBC_SHA |
EXP-EDH-DSS-DES-CBC-SHA | 56 | 40 |
SSL3_TXT_EDH_DSS_DES_64_CBC_SHA |
EDH-DSS-DES-CBC-SHA | 56 | |
SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA |
EDH-DSS-DES-CBC3-SHA | 168 | 168 |
SSL3_TXT_EDH_RSA_DES_40_CBC_SHA |
EXP-EDH-RSA-DES-CBC | 56 | 40 |
SSL3_TXT_EDH_RSA_DES_64_CBC_SHA |
EDH-RSA-DES-CBC-SHA | 56 | 56 |
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA |
EDH-RSA-DES-CBC3-SHA | 168 | 168 |
SSL3_TXT_ADH_RC4_40_MD5 |
EXP-ADH-RC4-MD5 | 128 | 40 |
SSL3_TXT_ADH_RC4_128_MD5 |
ADH-RC4-MD5 | 128 | 128 |
SSL3_TXT_ADH_DES_40_CBC_SHA |
EXP-ADH-DES-CBC-SHA | 128 | 40 |
SSL3_TXT_ADH_DES_64_CBC_SHA |
ADH-DES-CBC-SHA | 56 | 56 |
SSL3_TXT_ADH_DES_192_CBC_SHA |
ADH-DES-CBC3-SHA | 168 | 168 |
SSL3_TXT_FZA_DMS_NULL_SHA |
FZA-NULL-SHA | 0 | 0 |
SSL3_TXT_FZA_DMS_RC4_SHA |
FZA-RC4-SHA | 128 | 128 |
MD5_1 |
DES-CFB-M1 | 56 | 56 |
SSL2_TXT_RC2_128_CBC_WITH_MD5 |
RC2-CBC-MD5 | 128 | 128 |
SSL2_TXT_DES_64_CBC_WITH_MD5 |
DES-CBC-MD5 | 56 | 56 |
SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 |
DES-CBC3-MD5 | 168 | 168 |
SSL2_TXT_RC4_64_WITH_MD5 |
RC4-64-MD5 | 64 | 64 |
SSL2_TXT_NULL |
NULL | 0 | 0 |
For most purposes, the webmaster does not have to bother with all this, but some of the following directives need entries from this list.
13.8.1. SSLRequiredCiphers
SSLRequiredCiphers cipher list Server config, virtual host
This directive specifies a colon-separated list of cipher suites, used by SSLeay to limit what the client end can do. Possible suites are listed in the preceding section. This is a per-server option:
SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA
13.8.2. SSLRequireCipher
SSLRequireCipher cipher list Server config, virtual host, .htaccess, directory
This directive specifies a space-separated list of cipher suites, used to verify the cipher after the connection is established. This is a per-directory option.
13.8.3. SSLBanCipher
SSLBanCipher <cipher list> Config, virtual, .htaccess, directory
This directive specifies a space-separated list of cipher suites, as per SSLRequire-Cipher, except it bans them. The logic is as follows: if banned, reject; if required, accept; if no required ciphers are listed, accept. For example:
SSLBanCipher NULL-MD5 NULL-SHA
It is sensible to ban these suites because they are test suites that actually do no encryption.