httpd-dev mailing list archives

From "William A. Rowe Jr." <>
Subject Re: Improving SSL config
Date Fri, 07 Oct 2011 05:10:25 GMT
On 10/7/2011 12:05 AM, Kaspar Brand wrote:
> On 06.10.2011 10:58, Rainer Jung wrote:
>> On 02.10.2011 09:07, William A. Rowe Jr. wrote:
>>> -1 in this respect; faster is not more secure.  We must default to setting
>>> the strictest cipher choices, with a commented-out "this is faster, but far
>>> less secure" alternative for those with less targeted assets.
>>> If someone is enabling mod_ssl, it is to secure their traffic, not to speed
>>> up their server.
>>> And no, MD4, although immune to *this* vector, is simply not preferable.
>> Our current 2.2.x SSLCipherSuite contains e.g. SSLv2 and export ciphers.
>> So there is a need to improve. My suggestion is a straight backport from
>> trunk.
>> So what is the "strictest cipher choice" you suggest?
> Assuming s/MD4/RC4/ in Bill's message, it seems that
>   SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
> would be more appropriate for mod_ssl's default config.
> I agree that the current SSLCipherSuite default in 2.2.x should be
> improved (yes, right now it even includes suites with 40-bit
> encryption!), but giving specific precedence to RC4-SHA and AES128-SHA
> doesn't really feel right for a default config file. [1]
> Kaspar
> [1] in trunk, the SSLCipherSuite change in r966160 was inspired by
>, which
> is basically favoring speed over cryptographic strength.

Exactly... we should default to a server with a preference for cryptographic
strength, but I have no objection to offering a commented-out, clearly
documented 'alternative' configuration favoring performance, provided that
is clearly labeled as 'not for sensitive data'.
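A small defender-side check, added here and not part of the thread or of httpd itself: it expands a cipher string through the local OpenSSL (via Python's ssl module) and reports suites that violate the criteria discussed above (anonymous key exchange, MD5 MAC, NULL encryption, export/LOW-grade strength). `PERMISSIVE` is a constructed contrast string, not the actual 2.2.x default.

```python
import ssl

# The cipher string Kaspar proposed for mod_ssl's default config.
RECOMMENDED = "HIGH:MEDIUM:!aNULL:!MD5"

# Constructed, deliberately permissive string used only for contrast
# (assumption: it stands in for the kind of default the thread criticises;
# it is not the value httpd 2.2.x actually shipped).
PERMISSIVE = "ALL:COMPLEMENTOFALL"

# Anything below this symmetric strength falls into the export/LOW tiers the
# thread wants removed (40-bit export, 56-bit DES); 3DES rates 112 in OpenSSL.
MIN_STRENGTH_BITS = 112


def expand_cipher_string(cipher_string):
    """Return the suites this OpenSSL build would negotiate for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # Each entry is a dict with name, auth, digest, strength_bits, ...
    return ctx.get_ciphers()


def audit_cipher_string(cipher_string):
    """Return (name, reason) pairs for suites the thread's criteria reject."""
    findings = []
    for c in expand_cipher_string(cipher_string):
        name = c["name"]
        if c["auth"] == "auth-none" or name.startswith(("ADH-", "AECDH-")):
            findings.append((name, "anonymous key exchange (aNULL)"))
        if c["digest"] == "md5":
            findings.append((name, "MD5 MAC"))
        if "NULL" in name:
            findings.append((name, "NULL encryption (eNULL)"))
        if c["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append((name, "%d-bit strength (export/LOW tier)" % c["strength_bits"]))
    return findings


if __name__ == "__main__":
    for label, s in (("recommended", RECOMMENDED), ("permissive", PERMISSIVE)):
        try:
            findings = audit_cipher_string(s)
        except ssl.SSLError as e:
            print("%s: %r rejected by this OpenSSL build: %s" % (label, s, e))
            continue
        print("%s: %r -> %d suites, %d findings" % (label, s, len(expand_cipher_string(s)), len(findings)))
        for name, reason in findings:
            print("  %-30s %s" % (name, reason))
```

Which suites appear depends on the OpenSSL build and its security level; the recommended string should yield no findings on any of them, while the permissive one surfaces the anonymous and NULL suites wherever the library still offers them.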
