From wr...@apache.org
Subject svn commit: r1497156 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS docs/conf/ssl-std.conf.in docs/manual/ssl/ssl_howto.html.en docs/manual/ssl/ssl_howto.xml
Date Thu, 27 Jun 2013 00:10:16 GMT
Author: wrowe
Date: Thu Jun 27 00:10:15 2013
New Revision: 1497156

URL: http://svn.apache.org/r1497156
Log:
Change the SSLCipherSuite default to a shorter, whitelist oriented 
definition.

Disable AECDH ciphers in example config by using !aNULL (which includes
all ciphers without authentication).

PR: 51363
Submitted by: rjung, kbrand, Rob Stradling <rob comodo com>
Backports: r966160, r1135234, r1203752 

Fix up some SSL configuration, per issue #49484. IE6 had a hotfix released
for this problem quite a while back (see kb 921090), so restrict the
modified behavior to the old/unsupported browsers.
* docs/conf/extra/http-ssl.conf.in:
  (): tighten up the regex to only select old MSIE browsers for the
    downgrade in http behavior. This allows IE6 to run much faster.
* Make the MSIE BrowserMatch regexp fit for MSIE 10. Remove useless '.*'

Backports: r966055, r1132793
Submitted by: gstein, sf

Reviewed by: wrowe, rjung, gsmith

Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/docs/conf/ssl-std.conf.in
    httpd/httpd/branches/2.0.x/docs/manual/ssl/ssl_howto.html.en
    httpd/httpd/branches/2.0.x/docs/manual/ssl/ssl_howto.xml

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=1497156&r1=1497155&r2=1497156&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Thu Jun 27 00:10:15 2013
@@ -73,6 +73,15 @@ Changes with Apache 2.0.65
   *) Improve platform detection for bundled PCRE by updating config.guess
      and config.sub.  [Rainer Jung]
 
+  *) ssl-std.conf: Disable AECDH ciphers in example config. PR 51363.
+     [Rob Stradling <rob comodo com>]
+
+  *) ssl-std.conf: Change the SSLCipherSuite default to a shorter,
+     whitelist oriented definition.  [Rainer Jung, Kaspar Brand]
+
+  *) ssl-std.conf: Only select old MSIE browsers for the downgrade
+     in http/https behavior.  [Greg Stein, Stefan Fritsch]
+
 Changes with Apache 2.0.64
 
   *) SECURITY: CVE-2010-1452 (cve.mitre.org)
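Review bot: the three new CHANGES entries omit the `SSLProtocol all -SSLv2` directive that the ssl-std.conf.in hunk adds, even though the STATUS entry removed in this commit lists "-SSLv2" as part of the backport; add a fourth line such as `*) ssl-std.conf: Disable SSLv2 by default (SSLProtocol all -SSLv2).` so the release notes record the protocol change alongside the cipher-list change.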

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=1497156&r1=1497155&r2=1497156&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Thu Jun 27 00:10:15 2013
@@ -124,12 +124,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
     identify exactly what the proposed changes are!  Add all new
     proposals to the end of this list. ]
 
-   * Alternate: -SSLv2, Simplify SSLCipherSuite, corresponding docs fix,
-     MSIE downgrade changes
-     r966160, r1135234, r1203752, r966055, r1132793
-     http://people.apache.org/~wrowe/https-std-2.0.patch
-     +1: wrowe, rjung, gsmith
-
 
 PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON:
 
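Review bot: deleting the proposal leaves two consecutive blank context lines between the end of the list and the "PATCHES TO BACKPORT THAT ARE ON HOLD" heading; drop one of them so section separators stay at a single blank line as elsewhere in STATUS. The five revisions in the removed entry match the two Backports lines in the log, so the bookkeeping is otherwise consistent.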

Modified: httpd/httpd/branches/2.0.x/docs/conf/ssl-std.conf.in
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/docs/conf/ssl-std.conf.in?rev=1497156&r1=1497155&r2=1497156&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/conf/ssl-std.conf.in (original)
+++ httpd/httpd/branches/2.0.x/docs/conf/ssl-std.conf.in Thu Jun 27 00:10:15 2013
@@ -93,10 +93,15 @@ TransferLog @exp_logfiledir@/access_log
 #   Enable/Disable SSL for this virtual host.
 SSLEngine on
 
+#   SSL Protocol support:
+#   List the protocol versions which clients are allowed to
+#   connect with. Disable SSLv2 by default (cf. RFC 6176).
+SSLProtocol all -SSLv2
+
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
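Review bot: the new default `HIGH:MEDIUM:!aNULL:!MD5` keeps MEDIUM, while the ssl_howto examples changed in this same commit use `HIGH:!aNULL:!MD5`; the comment above the directive should state that MEDIUM is retained in the shipped example for client compatibility and point to the howto's stricter variant, otherwise the two lists will be read as equivalent. It is also worth a line noting that `!aNULL` replaces the old `!ADH` and additionally excludes the anonymous ECDH (AECDH) suites that PR 51363 is about, and that the export-grade and null-encryption suites the old list explicitly re-added via `+EXP` and `+eNULL` are now excluded simply by not appearing in the whitelist.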
@@ -231,7 +236,7 @@ SSLCertificateKeyFile @exp_sysconfdir@/s
 #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 #   "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
+SetEnvIf User-Agent "MSIE [2-5]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
 
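Review bot: the comment block above the directive still says only that "some clients" need the HTTP/1.0 downgrade and gives no reason for the `[2-5]` range; record the rationale from the log (IE6 received a hotfix, KB 921090, and later versions are unaffected) in the comment so a future edit does not widen the pattern back to all of MSIE. The unanchored `MSIE [2-5]` matches on the first digit only, so it skips "MSIE 6", "MSIE 10" and later while still catching "MSIE 5.5"; the removed `.*` on either side was redundant because SetEnvIf already performs an unanchored regex match.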

Modified: httpd/httpd/branches/2.0.x/docs/manual/ssl/ssl_howto.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/docs/manual/ssl/ssl_howto.html.en?rev=1497156&r1=1497155&r2=1497156&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/manual/ssl/ssl_howto.html.en (original)
+++ httpd/httpd/branches/2.0.x/docs/manual/ssl/ssl_howto.html.en Thu Jun 27 00:10:15 2013
@@ -69,10 +69,10 @@ without knowing its restrictions and coh
 <h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which
accepts strong encryption
 only?</a></h3>
 
-    <p>The following enables only the seven strongest ciphers:</p>
+    <p>The following enables only the strongest ciphers:</p>
     <div class="example"><h3>httpd.conf</h3><p><code>
-      SSLProtocol all<br />
-      SSLCipherSuite HIGH:MEDIUM<br />
+      SSLProtocol all -SSLv2<br />
+      SSLCipherSuite HIGH:!aNULL:!MD5<br />
     </code></p></div>
 
 
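Review bot: the reworded sentence "enables only the strongest ciphers" is vaguer than the "seven strongest" it replaces; say what the list does (HIGH-grade suites only, with anonymous and MD5-based suites excluded) and that it is stricter than the `HIGH:MEDIUM:!aNULL:!MD5` default shipped in ssl-std.conf.in, since readers will otherwise take the two as equivalent. Because ssl_howto.html.en is generated from ssl_howto.xml, any wording change should be made in the xml hunk and the html regenerated from it.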
@@ -119,7 +119,7 @@ URL?</a></h3>
       &lt;Location /strong/area&gt;<br />
       # but https://hostname/strong/area/ and below<br />
       # requires strong ciphers<br />
-      SSLCipherSuite HIGH:MEDIUM<br />
+      SSLCipherSuite HIGH:!aNULL:!MD5<br />
       &lt;/Location&gt;
     </code></p></div>
 

Modified: httpd/httpd/branches/2.0.x/docs/manual/ssl/ssl_howto.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/docs/manual/ssl/ssl_howto.xml?rev=1497156&r1=1497155&r2=1497156&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/manual/ssl/ssl_howto.xml (original)
+++ httpd/httpd/branches/2.0.x/docs/manual/ssl/ssl_howto.xml Thu Jun 27 00:10:15 2013
@@ -65,10 +65,10 @@ without knowing its restrictions and coh
 <section id="onlystrong">
 <title>How can I create an SSL server which accepts strong encryption
 only?</title>
-    <p>The following enables only the seven strongest ciphers:</p>
+    <p>The following enables only the strongest ciphers:</p>
     <example><title>httpd.conf</title>
-      SSLProtocol all<br />
-      SSLCipherSuite HIGH:MEDIUM<br />
+      SSLProtocol all -SSLv2<br />
+      SSLCipherSuite HIGH:!aNULL:!MD5<br />
     </example>
 </section>
 
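Review bot: this is the source file for the generated html above, so the same wording point applies here: "only the strongest ciphers" should be made concrete and contrasted with the shipped default. Consider also adding a short comment line in the example explaining the `-SSLv2` (the conf hunk cites RFC 6176 for the same change), so the howto and the example config give the same rationale.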
@@ -116,7 +116,7 @@ URL?</title>
       &lt;Location /strong/area&gt;<br />
       # but https://hostname/strong/area/ and below<br />
       # requires strong ciphers<br />
-      SSLCipherSuite HIGH:MEDIUM<br />
+      SSLCipherSuite HIGH:!aNULL:!MD5<br />
       &lt;/Location&gt;
     </example>
 </section>
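Review bot: the literal `HIGH:!aNULL:!MD5` now appears in four places across the html and xml files (both the onlystrong section and the per-Location example); since the Location example's comment "requires strong ciphers" is meant to mirror the onlystrong list, consider referencing that section in the comment rather than repeating the literal, so a future tightening of the list does not leave the two examples out of sync.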


