httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Improving SSL config
Date Thu, 29 Sep 2011 14:31:34 GMT
In light of the TLS 1.0 CBC attack (aka BEAST, CVE-2011-3389) I suggest
we update our SSL configuration analogously to what's in trunk.

- Choose a better default SSLCipherSuite
- Add SSLHonorCipherOrder
- Restrict MSIE exceptions to MSIE 2-5

The patch looks like this:

svn diff docs/conf/extra/httpd-ssl.conf.in
Index: docs/conf/extra/httpd-ssl.conf.in
===================================================================
--- docs/conf/extra/httpd-ssl.conf.in   (revision 1177244)
+++ docs/conf/extra/httpd-ssl.conf.in   (working copy)
@@ -87,8 +87,14 @@
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL

+#   SSL Cipher Honor Order:
+#   On a busy HTTPS server you may want to enable this directive
+#   to force clients to use one of the faster ciphers like RC4-SHA
+#   or AES128-SHA in the order defined by SSLCipherSuite.
+#SSLHonorCipherOrder onĀ·
+
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
 #   the certificate is encrypted, then you will be prompted for a
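Review bot: the new SSLCipherSuite puts RC4-SHA first, but the same hunk leaves `#SSLHonorCipherOrder on` commented out, so a client that lists its AES-CBC suites ahead of RC4 still ends up on a CBC suite and the server-side ordering does nothing for the TLS 1.0 CBC attack the patch is meant to address; either enable the directive here or say in the comment that the RC4-SHA preference only takes effect together with it. The new comment block presents SSLHonorCipherOrder purely as a speed option ("faster ciphers like RC4-SHA or AES128-SHA"), which hides that reason. Two smaller points: `!SSLV2` is written in upper case while the removed line uses the keyword as `SSLv2`, so check with `openssl ciphers -v` that the token is recognised rather than skipped; and the `#SSLHonorCipherOrder on` line carries stray trailing characters after `on` that should not be committed.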
@@ -218,7 +224,7 @@
 #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 #   "force-response-1.0" for this.
-BrowserMatch ".*MSIE.*" \
+BrowserMatch "MSIE [2-5]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
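Review bot: nothing in the hunk records why the match is narrowed to `MSIE [2-5]`; the comment above still describes the HTTP/1.0 downgrade generically, so add a line stating that the nokeepalive / ssl-unclean-shutdown / HTTP/1.0 workaround is now applied only to MSIE 2 to 5 and no longer to MSIE 6 and later. Since the old pattern `.*MSIE.*` matched every MSIE version, anyone picking up the new config sees a behaviour change for those newer browsers, which is worth a CHANGES entry alongside the SSLCipherSuite change.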

Furthermore I wonder whether we should activate the SSLHonorCipherOrder
in this config by default - at least for trunk. At the moment it is
commented out.

For 2.2.x it is possible that people use OpenSSL older than 0.9.6, and the
directive will not work then.

We might even backport the change to SSLCipherSuite and the MSIE
exceptions to 2.0.

Any comments on:

- Updating 2.2?
- Activating SSLHonorCipherOrder in trunk?
- Updating 2.0?

Regards,

Rainer
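The cipher-string semantics and the effect of SSLHonorCipherOrder discussed in the message above, modelled as an added Python example; this is not httpd or OpenSSL code. The suite table is a constructed subset with simplified attributes, the alias set is a constructed subset of the mod_ssl/OpenSSL aliases, and "table order" stands in for OpenSSL's real default preference. The rule semantics (plain add, `+` move to end, `-` delete, `!` kill) follow the documented cipher-string conventions; treating an unknown alias such as `SSLV2` as a skipped rule is an assumption to check against `openssl ciphers -v` on the target build. The `negotiate` function models server-preferred versus client-preferred selection, which is what the directive switches.

```python
"""Toy model of OpenSSL-style cipher strings and TLS cipher selection.

Added example for this thread, not httpd or OpenSSL code.  The suite table
and alias table below are constructed subsets with simplified attributes.
"""

# Constructed table: (name, auth, enc, mac, strength, proto), in "table order".
SUITES = [
    ("AES256-SHA",      "RSA",  "AES256", "SHA", "HIGH",     "SSLv3"),
    ("AES128-SHA",      "RSA",  "AES128", "SHA", "HIGH",     "SSLv3"),
    ("DES-CBC3-SHA",    "RSA",  "3DES",   "SHA", "HIGH",     "SSLv3"),
    ("ADH-AES128-SHA",  "NONE", "AES128", "SHA", "HIGH",     "SSLv3"),
    ("RC4-SHA",         "RSA",  "RC4",    "SHA", "MEDIUM",   "SSLv3"),
    ("RC4-MD5",         "RSA",  "RC4",    "MD5", "MEDIUM",   "SSLv3"),
    ("DES-CBC-SHA",     "RSA",  "DES",    "SHA", "LOW",      "SSLv3"),
    ("EXP1024-RC4-SHA", "RSA",  "RC4",    "SHA", "EXPORT56", "SSLv3"),
    ("EXP-RC4-MD5",     "RSA",  "RC4",    "MD5", "EXPORT40", "SSLv3"),
    ("NULL-SHA",        "RSA",  "NULL",   "SHA", "NONE",     "SSLv3"),
    ("DES-CBC3-MD5",    "RSA",  "3DES",   "MD5", "HIGH",     "SSLv2"),
]

# Alias -> predicate over a suite tuple (constructed subset of OpenSSL aliases).
ALIASES = {
    "ALL":      lambda s: s[2] != "NULL",      # everything except eNULL
    "aNULL":    lambda s: s[1] == "NONE",
    "ADH":      lambda s: s[1] == "NONE",
    "RSA":      lambda s: s[1] == "RSA",
    "EXP":      lambda s: s[4].startswith("EXPORT"),
    "EXPORT":   lambda s: s[4].startswith("EXPORT"),
    "EXPORT40": lambda s: s[4] == "EXPORT40",
    "EXPORT56": lambda s: s[4] == "EXPORT56",
    "LOW":      lambda s: s[4] == "LOW",
    "MEDIUM":   lambda s: s[4] == "MEDIUM",
    "HIGH":     lambda s: s[4] == "HIGH",
    "eNULL":    lambda s: s[2] == "NULL",
    "NULL":     lambda s: s[2] == "NULL",
    "RC4":      lambda s: s[2] == "RC4",
    "AES128":   lambda s: s[2] == "AES128",
    "MD5":      lambda s: s[3] == "MD5",
    "SHA":      lambda s: s[3] == "SHA",
    "SSLv2":    lambda s: s[5] == "SSLv2",
    "SSLv3":    lambda s: s[5] == "SSLv3",
}


def _match(token):
    """Suites matching 'A+B+...' (intersection); None if any part is unknown."""
    preds = []
    for part in token.split("+"):
        if part in ALIASES:
            preds.append(ALIASES[part])
        elif any(s[0] == part for s in SUITES):
            preds.append(lambda s, p=part: s[0] == p)   # exact suite name
        else:
            return None
    return [s[0] for s in SUITES if all(p(s) for p in preds)]


def expand_cipher_string(spec):
    """Return the ordered list of suites an SSLCipherSuite string permits."""
    active, dead = [], set()
    for token in spec.split(":"):
        op = token[0] if token and token[0] in "!-+" else ""
        matched = _match(token[len(op):])
        if matched is None:
            continue  # unknown alias: assumed skipped (check: openssl ciphers -v)
        if op == "!":                       # kill: removed for good
            dead.update(matched)
            active = [c for c in active if c not in matched]
        elif op == "-":                     # delete: may be re-added later
            active = [c for c in active if c not in matched]
        elif op == "+":                     # move active matches to the end
            moved = [c for c in active if c in matched]
            active = [c for c in active if c not in matched] + moved
        else:                               # add new matches at the end
            active += [c for c in matched if c not in active and c not in dead]
    return active


def negotiate(server_suites, client_offer, honor_server_order):
    """Pick the suite as a TLS server does: by server preference when
    SSLHonorCipherOrder is on, otherwise by the client's own preference."""
    first, second = ((server_suites, client_offer) if honor_server_order
                     else (client_offer, server_suites))
    for c in first:
        if c in second:
            return c
    return None


OLD = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
NEW = "RC4-SHA:AES128-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL"

if __name__ == "__main__":
    for label, spec in (("old", OLD), ("new", NEW)):
        print(label, expand_cipher_string(spec))
    # Constructed ClientHello preferring the AES-CBC suites, RC4 last.
    client = ["AES256-SHA", "AES128-SHA", "RC4-SHA"]
    server = expand_cipher_string(NEW)
    print("SSLHonorCipherOrder off:", negotiate(server, client, False))
    print("SSLHonorCipherOrder on: ", negotiate(server, client, True))
```

Against this table the old string still permits the LOW single-DES suite, a 40-bit export suite, an MD5 suite and the SSLv2 suite, while the new string keeps only RC4-SHA, AES128-SHA, AES256-SHA and DES-CBC3-SHA; note that `!MD5` alone already removes the SSLv2 entry here. The negotiation at the end is the point of the SSLHonorCipherOrder question: with it off the constructed client lands on AES256-SHA, a CBC suite, and only with it on does the RC4-SHA preference in the string take effect.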

