httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Improving SSL config
Date Thu, 06 Oct 2011 10:28:59 GMT
On 06.10.2011 10:58, Rainer Jung wrote:
> Hi Bill,
> 
> On 02.10.2011 09:07, William A. Rowe Jr. wrote:
>> On 9/29/2011 9:31 AM, Rainer Jung wrote:
>>> In light of the TLS 1.0 CBC attack (aka BEAST, CVE-2011-3389) I suggest
>>> we update our SSL configuration analogous to what's in trunk.
>>>
>>> - Choose a better default SSLCipherSuite
>>> - Add SSLHonorCipherOrder
>>> - restrict MSIE exceptions to MSIE 2-5
>>
>> -1 in this respect; faster is not more secure.  We must default to setting
>> the strictest cipher choices, with a commented-out "this is faster, but far
>> less secure" alternative for those with less targeted assets.
>>
>> If someone is enabling mod_ssl, it is to secure their traffic, not to speed
>> up their server.
>>
>> And no, MD4, although immune to *this* vector, is simply not preferable.
> 
> Our current 2.2.x SSLCipherSuite contains e.g. SSLv2 and export ciphers.
> So there is a need to improve. My suggestion is a straight backport from
> trunk.
> 
> So what is the "strictest cipher choice" you suggest?

I might have misunderstood you. Are you only worried about *activating*
SSLHonorCipherOrder? Note that in trunk and as proposed here the
corresponding comment and config block are commented out, so not active by
default. See my original post.

Regards,

Rainer
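As an added illustration, not part of this thread and not httpd's own shipped httpd-ssl.conf, here is the shape of the three changes proposed in the first message, written as a 2.2-style mod_ssl fragment. The "before" cipher string, the exact replacement values and the BrowserMatch patterns are assumptions for illustration, not quoted from trunk.

```apache
# Added example (not the project's shipped config): the three changes discussed
# in this thread, as a mod_ssl fragment for httpd 2.2. Directive values are
# assumed for illustration.

# BEFORE (assumed shape of the older default): admits SSLv2 and export-grade
# suites, and applies the MSIE workarounds to every MSIE version.
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
#BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

# AFTER: exclude anonymous DH, export-grade, low-strength and SSLv2 suites.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXP:!LOW:!SSLv2

# Server-preferred ordering. Left commented out, as the thread describes for
# trunk, so it is not active by default; when enabled, the server's order in
# SSLCipherSuite wins over the client's preference during negotiation.
#SSLHonorCipherOrder on

# Restrict the legacy MSIE workarounds to MSIE 2-5 instead of all MSIE versions.
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
```

To check what a given cipher string actually expands to on the OpenSSL build mod_ssl is linked against, run `openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5:!EXP:!LOW:!SSLv2'` and confirm no EXP, LOW or SSLv2 entries remain.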
