httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Improving SSL config
Date Fri, 18 Nov 2011 05:32:24 GMT
On 15.11.2011 19:48, Philip M. Gollucci wrote:
> On 11/14/11 17:41, Kaspar Brand wrote:
>> On 14.11.2011 15:46, William A. Rowe Jr. wrote:
>>> Isn't it similarly time to deploy SSLProtocol -SSLv2 by default?
>>
>> Oh yes, definitely. I didn't realize that "all" is still the default for
>> SSLProtocol... for trunk and 2.4, I would suggest to change the defaults
>> in the code. In decreasing order of preference:
>>
>> - completely drop SSLv2 support
>>
>> - change the default (in modssl_ctx_init) to
>>   SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV2
>>
>> The first option also means that we would "comply" with RFC 6176 (in
>> case someone complains about mod_ssl dropping support for a clearly
>> outdated and insecure protocol).
>>
>> Kaspar
>>
> 
> SSLProtocol -ALL +SSLv3 +TLSv1
> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
> 
> This is the PCI-compliant line; should we change it, it should be to this.

The PCI DSS requirements aren't that specific on protocol or cipher
selection, actually (at least not in v2.0 - unless I'm completely
missing something in that document).

As I can't think of any good reason why a new major version of an HTTPS
server released in late 2011 should still support insecure SSL protocol
cruft from the 1990s (v2 was superseded about 15 years ago, when SSLv3
was introduced), I went for the first option and completely dropped
SSLv2 support with r1203491/r1203495 in trunk and 2.4, respectively.

For the SSLProtocol directive, specifying "-SSLv2" is still permitted,
but basically just for backward compatibility with the relatively
popular "SSLProtocol all -SSLv2" incantation (technically, the code
simply ignores "-SSLv2", as it is now always forced to off).

Kaspar
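To make the SSLProtocol semantics discussed in this thread concrete, here is a small C model of how the directive's argument is turned into a protocol bitmask once SSLv2 has been dropped: a bare token replaces the set, "+tok" adds, "-tok" removes, "-SSLv2" is accepted but ignored, and "SSLv2"/"+SSLv2" is rejected. This is an added example written for this page, not mod_ssl's own code; the bit values, the function names and the error codes are my own choices, and the parsing rules are my reading of the directive's documented behaviour rather than a copy of ssl_engine_config.c.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Protocol bits named as in the thread; the values are assumptions for this
 * illustration, not mod_ssl's. SSL_PROTOCOL_ALL still carries the SSLv2 bit
 * so that "SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV2" can be shown explicitly. */
#define SSL_PROTOCOL_NONE  0u
#define SSL_PROTOCOL_SSLV2 (1u << 0)
#define SSL_PROTOCOL_SSLV3 (1u << 1)
#define SSL_PROTOCOL_TLSV1 (1u << 2)
#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1)

/* Negative return values of parse_ssl_protocol() (hypothetical error codes). */
#define PARSE_ILLEGAL_TOKEN     (-1)
#define PARSE_SSLV2_UNSUPPORTED (-2)

/* Case-insensitive token comparison (the directive's keywords are not case-sensitive). */
static int token_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Default used when no SSLProtocol directive is present: the second option
 * from the thread, everything except SSLv2. */
unsigned default_ssl_protocol(void)
{
    return SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV2;
}

/* Parse an SSLProtocol argument such as "all -SSLv2" into a bitmask.
 * Returns the mask (>= 0) or a negative PARSE_* code. The SSLv2 bit can
 * never end up set: "-SSLv2" is silently ignored for backward compatibility
 * with the common "all -SSLv2" incantation, "SSLv2"/"+SSLv2" is an error. */
int parse_ssl_protocol(const char *arg)
{
    unsigned options = SSL_PROTOCOL_NONE;
    const char *p = arg;

    while (*p) {
        char word[32];
        size_t n = 0;
        char action = '\0';
        const char *w;
        unsigned thisopt;

        while (*p && isspace((unsigned char)*p)) p++;      /* skip separators */
        if (!*p) break;
        while (*p && !isspace((unsigned char)*p)) {        /* copy one token */
            if (n < sizeof word - 1) word[n++] = *p;
            p++;
        }
        word[n] = '\0';

        w = word;
        if (*w == '+' || *w == '-') action = *w++;

        if (token_eq(w, "SSLv2")) {
            if (action == '-') continue;                   /* ignored: always off */
            return PARSE_SSLV2_UNSUPPORTED;                /* cannot be enabled */
        } else if (token_eq(w, "SSLv3")) {
            thisopt = SSL_PROTOCOL_SSLV3;
        } else if (token_eq(w, "TLSv1")) {
            thisopt = SSL_PROTOCOL_TLSV1;
        } else if (token_eq(w, "all")) {
            thisopt = SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV2;  /* "all" no longer includes SSLv2 */
        } else {
            return PARSE_ILLEGAL_TOKEN;
        }

        if (action == '-')      options &= ~thisopt;
        else if (action == '+') options |= thisopt;
        else                    options = thisopt;         /* bare token replaces the set */
    }
    return (int)(options & ~SSL_PROTOCOL_SSLV2);           /* belt and braces */
}

int main(void)
{
    /* Constructed sample directive arguments, including the two from the thread. */
    const char *samples[] = { "all", "all -SSLv2", "-ALL +SSLv3 +TLSv1", "+SSLv2", "all -TLSv1", "foo" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = parse_ssl_protocol(samples[i]);
        if (r < 0)
            printf("SSLProtocol %-20s -> error %d\n", samples[i], r);
        else
            printf("SSLProtocol %-20s -> SSLv2=%d SSLv3=%d TLSv1=%d\n", samples[i],
                   !!(r & SSL_PROTOCOL_SSLV2), !!(r & SSL_PROTOCOL_SSLV3), !!(r & SSL_PROTOCOL_TLSV1));
    }
    printf("default               -> 0x%x\n", default_ssl_protocol());
    return 0;
}
```

Both of the configurations quoted in the thread, "all -SSLv2" and "-ALL +SSLv3 +TLSv1", reduce to the same mask as the new default, which is the point: once SSLv2 is compiled out, the explicit "-SSLv2" buys nothing but harmlessly keeps old configs loading.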
