httpd-dev mailing list archives

From Rainer Jung <>
Subject Re: Improving SSL config
Date Thu, 06 Oct 2011 10:28:59 GMT
On 06.10.2011 10:58, Rainer Jung wrote:
> Hi Bill,
> On 02.10.2011 09:07, William A. Rowe Jr. wrote:
>> On 9/29/2011 9:31 AM, Rainer Jung wrote:
>>> In light of the TLS 1.0 CBC attack (aka BEAST, CVE-2011-3389) I suggest
>>> we update our SSL configuration analogous to what's in trunk.
>>> - Choose a better default SSLCipherSuite
>>> - Add SSLHonorCipherOrder
>>> - restrict MSIE exceptions to MSIE 2-5
>> -1 in this respect; faster is not more secure. We must default to setting
>> the strictest cipher choices, with a commented-out "this is faster, but far
>> less secure" alternative for those with less targeted assets.
>> If someone is enabling mod_ssl, it is to secure their traffic, not to speed
>> up their server.
>> And no, MD4, although immune to *this* vector, is simply not preferable.
> Our current 2.2.x SSLCipherSuite contains e.g. SSLv2 and export ciphers.
> So there is a need to improve. My suggestion is a straight backport from
> trunk.
> So what is the "strictest cipher choice" you suggest?

I might have misunderstood you. Are you only worried about *activating*
SSLHonorCipherOrder? Note that in trunk and as proposed here the
corresponding comment and config block is commented, so not active by
default. See my original post.
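The three changes under discussion (a tighter default SSLCipherSuite, an opt-in SSLHonorCipherOrder, and MSIE workarounds narrowed to MSIE 2-5), written out as a mod_ssl fragment with the older permissive settings beside the tightened ones. This is an added illustration, not a config taken from the thread or from httpd's own shipped httpd-ssl.conf; the exact cipher strings are approximations and should be checked against the trunk file before use.

```apache
# --- Older 2.2.x-style settings (weak), shown commented out for contrast ---
# Approximation of the old default: it still admits SSLv2, export-grade (EXP),
# LOW and even NULL-encryption suites, and applies the MSIE workarounds to
# every MSIE user agent.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

# --- Tightened settings along the lines proposed for the backport ---

# 1. A better default SSLCipherSuite: only HIGH/MEDIUM strength suites, and
#    explicitly no anonymous DH (aNULL), no NULL encryption (eNULL), no
#    export-grade or LOW suites, and no MD5-based suites.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!MD5

# 2. SSLHonorCipherOrder: let the server's preference order win over the
#    client's, so a client cannot steer negotiation toward a weaker suite it
#    happens to list first. Kept commented out here, as in trunk, so it is
#    opt-in rather than active by default.
#SSLHonorCipherOrder on

# 3. Restrict the MSIE workarounds (no keepalive, unclean shutdown, HTTP/1.0
#    downgrade) to the old versions that actually needed them, MSIE 2 to 5,
#    instead of disabling keepalive for every MSIE user agent.
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
```

Run `openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!MD5'` on the server to list exactly which suites that string enables with the installed OpenSSL before deploying it.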