httpd-dev mailing list archives

From Nick Gearls <nickgea...@gmail.com>
Subject Re: Improving SSL config
Date Thu, 17 Nov 2011 12:18:13 GMT
Isn't it safer to only accept explicit entries, like

SSLCipherSuite -ALL:RC4-SHA:AES128-SHA:TLSv1+HIGH:SSLv3+HIGH:-aNULL
SSLProtocol    -ALL +SSLv3 +TLSv1

Nick

On 13/11/2011 11:47, Kaspar Brand wrote:
> On 07.10.2011 07:10, William A. Rowe Jr. wrote:
>> Exactly... we should default to a server with a preference for cryptographic
>> strength, but I have no objection to offering a commented-out, clearly
>> documented 'alternative' configuration favoring performance, provided that
>> is clearly labeled as 'not for sensitive data'.
> Now that the dust after the "BEAST" bang has settled somewhat (and
> it's clear that it needs to / will be fixed on the client side [1][2][3]),
> I think it's a good time to revisit the default setting for
> SSLCipherSuite - at least for trunk and 2.4.
>
> My proposal is something like the attached patch - thoughts, objections?
>
> Kaspar
>
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=665814
> [2] http://codereview.chromium.org/7621002/
> [3] http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue

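To see what such a string actually enables, here is an added example (not from the thread or from mod_ssl/OpenSSL): a simplified Python model of OpenSSL's cipher-list rules, run over a small constructed suite table so it works offline. It compares the allow-list string from the mail above with a deny-list style ALL:!... string; the table, its alias tags and the "first-match order" are assumptions, since real OpenSSL sorts ALL by strength and has many more suites.

```python
"""Simplified model of OpenSSL cipher-list evaluation (assumption: not real code).

Rules modelled: bare token adds matching suites (keeping the order of earlier
adds), '-' removes them but they may be re-added, '!' removes them permanently,
'+' moves already-enabled matches to the end, 'A+B' means intersection.
"""
from typing import Dict, List, Set

# Constructed sample table: suite name -> aliases it belongs to.
CIPHERS: Dict[str, Set[str]] = {
    "AES256-SHA":     {"ALL", "HIGH", "SSLv3", "TLSv1", "aRSA", "kRSA"},
    "AES128-SHA":     {"ALL", "HIGH", "SSLv3", "TLSv1", "aRSA", "kRSA"},
    "RC4-SHA":        {"ALL", "MEDIUM", "SSLv3", "TLSv1", "aRSA", "kRSA"},
    "DES-CBC-SHA":    {"ALL", "LOW", "SSLv3", "TLSv1", "aRSA", "kRSA"},
    "ADH-AES128-SHA": {"ALL", "HIGH", "SSLv3", "TLSv1", "aNULL", "kEDH"},
    "NULL-SHA":       {"eNULL", "SSLv3", "TLSv1", "aRSA", "kRSA"},  # not in ALL
}


def _matches(name: str, tags: Set[str], body: str) -> bool:
    """'TLSv1+HIGH' is an intersection: every '+'-joined part must apply."""
    return all(part == name or part in tags for part in body.split("+"))


def expand(spec: str) -> List[str]:
    """Return the ordered suites an SSLCipherSuite-style string enables."""
    enabled: List[str] = []
    killed: Set[str] = set()  # '!' removals can never be re-added
    for token in filter(None, spec.split(":")):
        op, body = (token[0], token[1:]) if token[0] in "-!+" else ("", token)
        hits = [n for n, t in CIPHERS.items() if _matches(n, t, body)]
        if op == "":
            enabled += [n for n in hits if n not in enabled and n not in killed]
        elif op == "+":
            enabled = [n for n in enabled if n not in hits] + [n for n in enabled if n in hits]
        else:  # '-' or '!'
            enabled = [n for n in enabled if n not in hits]
            if op == "!":
                killed.update(hits)
    return enabled


def admits(spec: str, alias: str) -> List[str]:
    """Enabled suites that carry a given alias, e.g. 'LOW' or 'aNULL'."""
    return [n for n in expand(spec) if alias in CIPHERS[n]]


EXPLICIT = "-ALL:RC4-SHA:AES128-SHA:TLSv1+HIGH:SSLv3+HIGH:-aNULL"  # from the mail
DENYLIST = "ALL:!aNULL:!eNULL"  # deny-list style: new/weak suites slip in

if __name__ == "__main__":
    for spec in (EXPLICIT, DENYLIST):
        print(spec, "->", expand(spec), "LOW:", admits(spec, "LOW"))
```

Note that in the allow-list string the TLSv1+HIGH alias still pulls in the anonymous ADH suite, which only the trailing -aNULL removes; the deny-list string keeps DES-CBC-SHA because nothing names LOW.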