httpd-cvs mailing list archives

From kbr...@apache.org
Subject svn commit: r1203753 - in /httpd/httpd/branches/2.4.x: CHANGES docs/conf/extra/httpd-ssl.conf.in docs/manual/ssl/ssl_howto.xml
Date Fri, 18 Nov 2011 17:18:32 GMT
Author: kbrand
Date: Fri Nov 18 17:18:31 2011
New Revision: 1203753

URL: http://svn.apache.org/viewvc?rev=1203753&view=rev
Log:
merge r1203752 from trunk:

Change the SSLCipherSuite default to a shorter, whitelist
oriented definition, and add an example for a speed-optimized
configuration (commented out by default).

In the SSL How-To, streamline the SSLCipherSuite examples where
applicable (explicitly banning EXP and NULL is not needed when
only HIGH is specified).

Modified:
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in
    httpd/httpd/branches/2.4.x/docs/manual/ssl/ssl_howto.xml

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1203753&r1=1203752&r2=1203753&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Nov 18 17:18:31 2011
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.0
 
+  *) mod_ssl: use a shorter setting for SSLCipherSuite in the default
+     default configuration file, and add some more information about
+     configuring a speed-optimized alternative.
+     [Kaspar Brand]
+
   *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand]
 
   *) mod_lua: Stop losing track of all but the most specific LuaHook* directives
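Review bot: the new CHANGES entry repeats "default" ("in the default default configuration file") across its first two added lines; drop one so it reads "in the default configuration file".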

Modified: httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in?rev=1203753&r1=1203752&r2=1203753&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in (original)
+++ httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-ssl.conf.in Fri Nov 18 17:18:31 2011
@@ -48,12 +48,19 @@ Listen @@SSLPort@@
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 
-#   SSL Cipher Honor Order:
-#   On a busy HTTPS server you may want to enable this directive
-#   to force clients to use one of the faster ciphers like RC4-SHA
-#   or AES128-SHA in the order defined by SSLCipherSuite.
+#   Speed-optimized SSL Cipher configuration:
+#   If speed is your main concern (on busy HTTPS servers e.g.),
+#   you might want to force clients to specific, performance
+#   optimized ciphers. In this case, prepend those ciphers
+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+#   (as in the example below), most connections will no longer
+#   have perfect forward secrecy - if the server's key is
+#   compromised, captures of past or future traffic must be
+#   considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
 #SSLHonorCipherOrder on 
 
 #   Pass Phrase Dialog:
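Review bot: the new default `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` delegates the concrete cipher list to OpenSSL's HIGH and MEDIUM strength classes, whose membership changes between OpenSSL releases, so the comment above it ("See the mod_ssl documentation for a complete list") should point admins at checking the resolved list on their own build, e.g. `openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5'`. The forward-secrecy caveat added to the speed-optimized block is the right thing to spell out next to an example that puts RC4-SHA and AES128-SHA first; consider also noting that the same caveat applies to any other non-ephemeral cipher an admin prepends, not only those two.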

Modified: httpd/httpd/branches/2.4.x/docs/manual/ssl/ssl_howto.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/ssl/ssl_howto.xml?rev=1203753&r1=1203752&r2=1203753&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/ssl/ssl_howto.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/ssl/ssl_howto.xml Fri Nov 18 17:18:31 2011
@@ -66,21 +66,17 @@ requires a strong cipher for access to a
 only?</title>
     <p>The following enables only the strongest ciphers:</p>
     <example><title>httpd.conf</title>
-      SSLProtocol all -SSLv2<br />
-      SSLCipherSuite HIGH:!aNULL:!EXP:!MD5:!NULL<br />
+      SSLCipherSuite HIGH:!aNULL:!MD5<br />
     </example>
 
-    <p>While with the following configuration you enable two ciphers
-    which are resonably secure, and fast:</p>
+    <p>While with the following configuration you specify a preference
+    for specific speed-optimized ciphers (which will be selected by
+    mod_ssl, provided that they are supported by the client):</p>
 
     <example><title>httpd.conf</title>
-      SSLProtocol all -SSLv2<br />
-      SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!EXP:!MD5:!NULL<br />
+      SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5<br />
       SSLHonorCipherOrder on
     </example>
-
-    <p>This strongly reflects the default value of <directive module="mod_ssl"
-    >SSLCipherSuite</directive> and is the recommanded way to configure it.</p>
 </section>
 
 <section id="strongurl">
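Review bot: the rewritten paragraph on the `+` lines ("While with the following configuration you specify a preference ...") is a sentence fragment; suggest "With the following configuration you instead specify a preference for specific speed-optimized ciphers ...". Also, the first example keeps a trailing `<br />` on its only remaining line (`SSLCipherSuite HIGH:!aNULL:!MD5<br />`), which renders an empty line before `</example>`, while the second example ends `SSLHonorCipherOrder on` without one; make the two consistent.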
@@ -101,7 +97,7 @@ URL?</title>
       &lt;Location /strong/area&gt;<br />
       # but https://hostname/strong/area/ and below<br />
       # requires strong ciphers<br />
-      SSLCipherSuite HIGH:!aNULL:!EXP:!MD5:!NULL<br />
+      SSLCipherSuite HIGH:!aNULL:!MD5<br />
       &lt;/Location&gt;
     </example>
 </section>
