translates into a preferred list of ciphers that begins with all ciphers using RC4 as the encryption algorithm, followed by all cipher suites except the eNULL ciphers (ALL). The final !DH string means that all cipher suites that use DH (Diffie-Hellman) key exchange are removed from the list. (Few of the major web browsers support these cipher suites.)
Modifying a Cipher List
Starting from the RC4:ALL:!DH cipher list, an example of a slightly modified cipher list is:
RC4:ALL:!EXPORT:!DH
This example removes all EXPORT ciphers in addition to the DH-related cipher suites. Removing the EXPORT ciphers means that all cipher suites using 40-bit or 56-bit symmetric ciphers are removed from the list. As a result, browsers running export-controlled crypto software cannot access the server.
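The effect of the two cipher lists above can be traced with a small model of cipher-list evaluation. This is an added example, not code from this guide or from OpenSSL: the suite table is a constructed sample, its order is an assumption standing in for the library's default order, and the function names are hypothetical.

```python
# Added example: simplified model of how a cipher list is evaluated.
# SUITES is a constructed sample (name -> key exchange, encryption, key bits);
# its order stands in for the library's default order, which is an assumption.
SUITES = {
    "DHE-RSA-AES256-SHA":      ("DH",  "AES",   256),
    "AES256-SHA":              ("RSA", "AES",   256),
    "AES128-SHA":              ("RSA", "AES",   128),
    "DES-CBC3-SHA":            ("RSA", "3DES",  168),
    "RC4-SHA":                 ("RSA", "RC4",   128),
    "RC4-MD5":                 ("RSA", "RC4",   128),
    "EXP1024-DES-CBC-SHA":     ("RSA", "DES",   56),
    "EXP-RC4-MD5":             ("RSA", "RC4",   40),
    "EXP-DES-CBC-SHA":         ("RSA", "DES",   40),
    "EXP-EDH-RSA-DES-CBC-SHA": ("DH",  "DES",   40),
    "NULL-SHA":                ("RSA", "eNULL", 0),
}

def matches(alias, name):
    """True if the suite `name` belongs to the cipher string `alias`."""
    kx, enc, _bits = SUITES[name]
    if alias == "ALL":                 # everything except the eNULL suites
        return enc != "eNULL"
    if alias == "EXPORT":              # export-grade suites carry an EXP prefix
        return name.startswith("EXP")
    return alias in (kx, enc)          # e.g. "DH" (key exchange), "RC4" (cipher)

def expand(cipher_list):
    """Return the ordered suite names selected by a colon-separated list."""
    selected, killed = [], set()
    for term in cipher_list.split(":"):
        if term.startswith("!"):       # "!" removes suites permanently
            hit = {n for n in SUITES if matches(term[1:], n)}
            killed |= hit
            selected = [n for n in selected if n not in hit]
        else:                          # plain term appends suites not yet listed
            selected += [n for n in SUITES if matches(term, n)
                         and n not in selected and n not in killed]
    return selected

def weakest_bits(cipher_list):
    """Smallest symmetric key size a client could negotiate from the list."""
    return min(SUITES[n][2] for n in expand(cipher_list))

if __name__ == "__main__":
    for cl in ("RC4:ALL:!DH", "RC4:ALL:!EXPORT:!DH"):
        print(cl, "->", weakest_bits(cl), "bit minimum")
        print("  " + "\n  ".join(expand(cl)))
```

In this model RC4:ALL:!DH still leaves 40-bit export suites negotiable (including an export RC4 suite near the front of the list), while adding !EXPORT raises the minimum to 128 bits.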
Using the OpenSSL command line tool (on a UNIX machine), it is possible to check which
cipher suites a particular cipher list corresponds to. The preceding example yields the following
output:
Supported Cipher Strings and Meanings
The following table lists each supported cipher string alias and its significance.
User Guide
April 2013