Old 07-12-2013, 09:25 AM   #1
dmj9876
LQ Newbie
 
Registered: Jul 2013
Posts: 3

Rep: Reputation: Disabled
Stupid question about SSL


I recently installed a cert into my web server for SSL; however, when I went to the site to confirm, I noticed it was encrypted using 128-bit encryption. How do I get that changed to use 256-bit encryption?

The site is now trusted and verified which is great but I need it to use 256-bit encryption.

Amateur Hour
 
Old 07-12-2013, 09:57 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967
The level of encryption is defined by the cipher suites the SSL layer uses. The server tells the client a list of ciphers it will use, and the client chooses one, as long as it can use one. If you remove any 128 bit cipher then the client will have to use a stronger one (although generally speaking the client *should* use the strongest possible).

https://httpd.apache.org/docs/2.0/ss...tml#onlystrong

and note that while that link should be all you need, the cipher list they have does include 128 bit ciphers on most systems:

Code:
# openssl ciphers 'HIGH:!aNULL:!MD5'
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA
but they go on to block them too.... you can tailor that list to match your exact requirements easily enough.

Last edited by acid_kewpie; 07-12-2013 at 10:00 AM.
 
Old 07-12-2013, 12:06 PM   #3
dmj9876
LQ Newbie
 
Registered: Jul 2013
Posts: 3

Original Poster
Rep: Reputation: Disabled
Gotcha, thanks for your reply. Since I'm having issues with a web service integration I thought I would throw this out there in case you have any ideas. Client is assuming there is something wrong with our SSL cert. The cert is verified and trusted through Symantec verisigned.

faultDetail:
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
faultString: java.io.IOException: Unable to decrypt message
faultActor: null

[7/10/13 21:17:29:441 IST] 00000026 JAXRPCHandler E com.ibm.ws.webservices.engine.handlers.jaxrpc.JAXRPCHandler$3 onFault WSWS3418E: Error: Exception generated during handler fault processing.
[7/10/13 21:17:29:300 IST] 00000026 SystemErr R javax.net.ssl.SSLException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[7/10/13 21:17:29:316 IST] 00000026 SystemErr R at
 
Old 07-15-2013, 12:42 AM   #4
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,425

Rep: Reputation: 1159
Most likely, ummm, there is something wrong with your SSL-certificate configuration. During the initial "handshake" exchange in which the two sides establish the per-session cipher key, your certificate is being rejected ... and not because of signing or trust. It's going to turn out to be a configuration error.

Very carefully and very patiently repeat all of the setup instructions, carrying them out exactly as shown.
 
Old 07-16-2013, 06:21 PM   #5
DomSYMC
LQ Newbie
 
Registered: Jul 2013
Posts: 1

Rep: Reputation: Disabled
SSL Handshake.

SSL handshake is a two way street. You might want to use 256 cyphers, but can your client handle them? Typically if you're forcing certain cyphers and the client can handle them they will get connection issues with your SSL session. Certain systems on their end might be dated and not have 256 support. If you have your certificate along with your private key and are able to establish a connection using ping or some ssl checker and can see the certificate with that connection, yet they cannot... means they have an issue with the configuration.
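The cipher-list filtering from post #2 and the client-support caveat from post #5, combined in an added example that is not from any poster in this thread: it reads key sizes out of `openssl ciphers -v` style lines, builds a 256-bit-only list, and checks whether a client still shares a suite with it. The `-v` lines are constructed for the nine suites shown above, `CLIENT_OFFER` is a hypothetical dated client, and server-preference order is assumed.

```shell
#!/bin/sh
# Constructed sample: `openssl ciphers -v` style lines for the nine suites
# listed in the thread's 'HIGH:!aNULL:!MD5' output.
SERVER_V='DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

# Hypothetical dated client that offers only 128-bit AES and 3DES suites.
CLIENT_OFFER='AES128-SHA:DES-CBC3-SHA'

# Print "name bits" for each suite on stdin whose Enc=...(bits) is >= $1.
at_least_bits() {
    awk -v min="$1" '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/)) {
                bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
                if (bits >= min) print $1, bits
            }
    }'
}

# Colon-separated server cipher list limited to suites of at least $1 bits.
server_list() {
    printf '%s\n' "$SERVER_V" | at_least_bits "$1" | awk '{print $1}' | paste -sd: -
}

# First suite in server list $1 that also appears in client offer $2.
# Prints nothing when the two lists do not overlap.
negotiate() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r s; do
        [ -n "$s" ] || continue
        case ":$2:" in *":$s:"*) echo "$s"; break ;; esac
    done
}

strong=$(server_list 256)
pick=$(negotiate "$strong" "$CLIENT_OFFER")
echo "256-bit only list: $strong"
echo "legacy client gets: ${pick:-no shared suite, handshake_failure}"
```

To audit a real build instead of the sample, pipe `openssl ciphers -v 'HIGH:!aNULL:!MD5'` into `at_least_bits 256`.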
 
  

