
About a server-to-server (S2S) communication:

The 1st server has in its Apache .conf:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on

so, TLS1.2 only, taken from the Mozilla SSL generator (modern)

the 2nd server uses TLS1.0, TLS1.1, TLS1.2 and CBC ciphers in preferred order

e.g. for TLS1.2:

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)  128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)

The questions are:

1) Is the 1st server's SSLHonorCipherOrder on an issue? If both set it on, how is the order chosen?

2) Does the handshake first retrieve the protocol(s) supported by both servers in order to choose the correct one?

3) Why are there no errors in the server log even though it should not work (I guess...)?

thanks

kenwarr

1 Answer


For questions 1 and 2, it should not be a problem if that directive is set to on. It is an instruction to Apache that says: use the preferred ciphers in this order; the first available match will be used. In theory you should not get past TLS_RSA_WITH_AES_256_CBC_SHA256.

But if for some reason the handshake were to fail, the next cipher could be used. I don't think you should get any log errors for this.

jdopenvpn

Thanks, but please read the SSLCipherSuite of the 1st more carefully. The 2nd doesn't use those ciphers... and I'd like to understand why I had no errors in the Apache log – kenwarr May 11 '17 at 08:13
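The negotiation the question and the answer argue about, as an added example that is not part of the original post: a small model of how a TLS 1.2 server picks the protocol version and the cipher suite (RFC 5246 section 7.4.1.3), run against the two configurations quoted above. The OpenSSL-to-IANA name mapping, the peer names, the simplified expansion of Apache's `all` keyword and the SERVER2_FIXED peer are constructed for the illustration; server 1's two directives are copied from the question.

```python
"""TLS 1.2 negotiation model for the two servers in the question. Added
example, not code from the post: it applies the server-side selection rule
of RFC 5246 section 7.4.1.3, with SSLHonorCipherOrder deciding whose
preference list is walked first. Peer names and SERVER2_FIXED are constructed."""
from dataclasses import dataclass

# Apache SSLCipherSuite uses OpenSSL names; the second server reports IANA
# names. Hand-written mapping covering only the suites quoted on the page.
OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-ECDSA-AES128-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

class HandshakeFailure(Exception):
    """The alert the server sends instead of a ServerHello."""

@dataclass
class Peer:
    name: str
    versions: set      # protocol versions this peer accepts
    ciphers: list      # IANA suite names in preference order
    honor_order: bool = False  # SSLHonorCipherOrder; matters only as server

def parse_ssl_protocol(directive):
    """Evaluate an SSLProtocol expression such as 'all -SSLv3 -TLSv1 -TLSv1.1'.
    Simplification: 'all' means every entry of VERSION_ORDER."""
    enabled = set()
    for tok in directive.split():
        if tok == "all":
            enabled.update(VERSION_ORDER)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def parse_ssl_cipher_suite(directive):
    """Expand a colon-separated SSLCipherSuite value to IANA names, in order."""
    return [OPENSSL_TO_IANA[name] for name in directive.split(":")]

def negotiate(client, server):
    """Return (version, suite) the server would put in its ServerHello."""
    # The client advertises its highest version; the server answers with the
    # highest it supports that is not above that; the client then refuses
    # anything below its own floor.
    client_max = max(client.versions, key=VERSION_ORDER.index)
    usable = [v for v in server.versions
              if VERSION_ORDER.index(v) <= VERSION_ORDER.index(client_max)]
    version = max(usable, key=VERSION_ORDER.index) if usable else None
    if version not in client.versions:
        raise HandshakeFailure("protocol_version")
    # With SSLHonorCipherOrder on the server walks its own list and takes the
    # first suite the client offered; off, the client's order wins.
    walk = server.ciphers if server.honor_order else client.ciphers
    pool = set(client.ciphers) if server.honor_order else set(server.ciphers)
    chosen = next((c for c in walk if c in pool), None)
    if chosen is None:
        # OpenSSL logs this as "no shared cipher"; on the wire the client
        # side of the connection receives a handshake_failure alert.
        raise HandshakeFailure("handshake_failure")
    return version, chosen

def try_connect(client, server):
    """(ok, detail): 'version suite' on success, the alert name otherwise."""
    try:
        version, suite = negotiate(client, server)
        return True, f"{version} {suite}"
    except HandshakeFailure as alert:
        return False, str(alert)

# The two peers from the question; server 1's directives are copied verbatim.
SERVER1 = Peer("server1 (Apache, Mozilla modern)",
    parse_ssl_protocol("all -SSLv3 -TLSv1 -TLSv1.1"),
    parse_ssl_cipher_suite(
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
        "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"),
    honor_order=True)
SERVER2 = Peer("server2 (RSA key exchange, CBC)", {"TLSv1", "TLSv1.1", "TLSv1.2"},
    ["TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
     "TLS_RSA_WITH_AES_128_CBC_SHA"], honor_order=True)
# Constructed: server 2 with one suite from server 1's list appended.
SERVER2_FIXED = Peer("server2 + ECDHE", SERVER2.versions,
    SERVER2.ciphers + ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], honor_order=True)

if __name__ == "__main__":
    for c, s in [(SERVER2, SERVER1), (SERVER1, SERVER2), (SERVER2_FIXED, SERVER1)]:
        print(f"{c.name} -> {s.name}:", *try_connect(c, s))
```

Run as is, the model shows that the two configurations as quoted share no suite in either direction, so the version step succeeds (both sides accept TLS1.2) but the suite step ends in a handshake_failure alert rather than a silent fallback; SSLHonorCipherOrder only decides which of the overlapping suites wins, it cannot create an overlap. Because the alert goes to whichever side is acting as the TLS client for that connection, the place to look for the failure is the log of the side that initiates the S2S request, not necessarily the listening server's log.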