[Ach] Disabling anonymous ciphers

Adi Kriegisch adi at kriegisch.at
Tue Jan 7 09:35:45 CET 2014


Hi!
 
> Win XP is not supported due to missing "safe" ciphers.
> That is a little bit hidden in the documentation:
>   https://bettercrypto.org/static/applied-crypto-hardening.pdf#page.16
> 
> A nice redirect to an "explanation site" instead of a browser error
> message would be nice ... does someone have an idea how to achieve
> that, e.g. in apache?

This is quite easily possible and has been discussed on the list before:
WinXP (as well as Java6) does not support SNI[1]; using that fact it should be
possible to provide a default virtual host with all/most ciphers enabled
explaining the issue to the user and the main site in another virtual host
(that is not the default one, of course).

Btw. it is WinXP's crypto stack that does not implement any other ciphers;
so the issue does not only affect IE but also Outlook and anything that
uses XP's crypto stack.

-- Adi

[1] http://en.wikipedia.org/wiki/Server_Name_Indication
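
The two-virtual-host layout described in the message above, sketched as an Apache configuration. This is an added example, not part of the original post: the host names, file paths and both cipher strings are placeholder assumptions, and the directory access rules are assumed to come from the existing server configuration.

```apache
# Added example. www.example.org, legacy-notice.invalid, all paths and both
# cipher strings are placeholders, not values from the post.

# 1) Default virtual host: the first <VirtualHost> for an address/port
#    answers every client that sends no SNI (WinXP's crypto stack, Java 6)
#    and every request for a name no other virtual host claims.
#    It serves nothing but the static explanation page.
<VirtualHost *:443>
    ServerName   legacy-notice.invalid
    DocumentRoot /var/www/legacy-notice

    SSLEngine on
    # Clients without SNI are always shown this certificate, so it has to be
    # valid for the name they typed; otherwise they see a certificate
    # warning instead of the explanation.
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    # Broad on purpose so old stacks can complete the handshake;
    # anonymous and NULL suites stay disabled.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL

    # Answer any path that is not an existing file with the explanation.
    FallbackResource /index.html
</VirtualHost>

# 2) Main site: reached only when the client names it via SNI, so it can
#    keep the restrictive cipher list.
<VirtualHost *:443>
    ServerName   www.example.org
    DocumentRoot /var/www/site

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    SSLHonorCipherOrder on
    # Stand-in for the hardened cipher string the site actually uses.
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL
</VirtualHost>
```

To check the split, connect once with and once without SNI (for example `openssl s_client` with `-servername www.example.org`, then with `-noservername` on OpenSSL 1.1.1 or later) and compare the negotiated cipher and the page returned.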