httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From s.@apache.org
Subject svn commit: r1227293 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/conf/extra/httpd-ssl.conf.in
Date Wed, 04 Jan 2012 20:10:40 GMT
Author: sf
Date: Wed Jan  4 20:10:40 2012
New Revision: 1227293

URL: http://svn.apache.org/viewvc?rev=1227293&view=rev
Log:
mod_ssl: Update default config (SSLProtocol, SSLCipherSuite, MSIE pattern)

Reviewed by: Kaspar Brand, Rainer Jung, Joe Orton

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1227293&r1=1227292&r2=1227293&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Jan  4 20:10:40 2012
@@ -14,6 +14,10 @@ Changes with Apache 2.2.22
   *) mod_log_config: Fix segfault when logging nameless, valueless cookie.
      PR 52256. [Stefan Fritsch]
 
+  *) config: Update the default mod_ssl configuration: Disable SSLv2, only
+     allow >= 128bit ciphers, add commented example for speed optimized cipher
+     list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]
+
   *) core: Fix segfault in ap_send_interim_response(). PR 52315.
      [Stefan Fritsch]
 

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1227293&r1=1227292&r2=1227293&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Jan  4 20:10:40 2012
@@ -99,14 +99,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
     http://people.apache.org/~jfclere/patches/ajp_timeout.patch
     +1: jfclere, rjung, rpluem
 
-  * mod_ssl: Update default config (SSLProtocol, SSLCipherSuite, MSIE pattern)
-    Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1132793
-                 http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1203752&r1=1203751&r2=1203752&view=diff
-    2.2.x patch: http://people.apache.org/~kbrand/mod_ssl_config_defaults-2.2.x.patch
-    (disabling SSLv2 in SSLProtocol is only required for 2.2.x, since trunk
-     and 2.4.x no longer support this version, see r1203491 and r1203495)
-    +1: kbrand (non-binding), rjung, jorton
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

Modified: httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in?rev=1227293&r1=1227292&r2=1227293&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in (original)
+++ httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in Wed Jan  4 20:10:40 2012
@@ -84,11 +84,29 @@ TransferLog "@exp_logfiledir@/access_log
 #   Enable/Disable SSL for this virtual host.
 SSLEngine on
 
+#   SSL Protocol support:
+#   List the protocol versions which clients are allowed to
+#   connect with. Disable SSLv2 by default (cf. RFC 6176).
+SSLProtocol all -SSLv2
+
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 
+#   Speed-optimized SSL Cipher configuration:
+#   If speed is your main concern (on busy HTTPS servers e.g.),
+#   you might want to force clients to specific, performance
+#   optimized ciphers. In this case, prepend those ciphers
+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+#   (as in the example below), most connections will no longer
+#   have perfect forward secrecy - if the server's key is
+#   compromised, captures of past or future traffic must be
+#   considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on 
+ 
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
 #   the certificate is encrypted, then you will be prompted for a
@@ -218,7 +236,7 @@ SSLCertificateKeyFile "@exp_sysconfdir@/
 #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 #   "force-response-1.0" for this.
-BrowserMatch ".*MSIE.*" \
+BrowserMatch "MSIE [2-5]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
 



Mime
View raw message