httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <>
Subject Re: svn commit: r1679428 - /httpd/httpd/trunk/docs/conf/extra/
Date Thu, 14 May 2015 20:20:22 GMT
Proposed for backport on both 2.2 and 2.4 branches.

On Thu, May 14, 2015 at 1:44 PM, <> wrote:

> Author: wrowe
> Date: Thu May 14 18:44:52 2015
> New Revision: 1679428
> URL:
> Log:
> Conform to RFC 7525, with additional suggestion to drop RSA Kx ciphers
> Modified:
>     httpd/httpd/trunk/docs/conf/extra/
> Modified: httpd/httpd/trunk/docs/conf/extra/
> URL:
> ==============================================================================
> --- httpd/httpd/trunk/docs/conf/extra/ (original)
> +++ httpd/httpd/trunk/docs/conf/extra/ Thu May 14
> 18:44:52 2015
> @@ -43,22 +43,39 @@ Listen @@SSLPort@@
>  ##
>  #   SSL Cipher Suite:
> -#   List the ciphers that the client is permitted to negotiate.
> -#   See the mod_ssl documentation for a complete list.
> +#   List the ciphers that the client is permitted to negotiate,
> +#   and that httpd will negotiate as the client of a proxied server.
> +#   See the OpenSSL documentation for a complete list of ciphers, and
> +#   ensure these follow appropriate best practices for this deployment.
> +SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
> +SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4

Here we simply drop RC4 as mentioned in RFC7525 (a MUST NOT), and extend
the default list out to the proxy client behavior.

The defaults for httpd-2.2 rely on ylavic's proposed 'mod_ssl: Improve
handling of ephemeral DH and ECDH keys'... backport which addresses eNULL,
 aNULL and EXP in an unambiguous way.

-#   Speed-optimized SSL Cipher configuration:
> -#   If speed is your main concern (on busy HTTPS servers e.g.),
> -#   you might want to force clients to specific, performance
> -#   optimized ciphers. In this case, prepend those ciphers
> -#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
> -#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
> -#   (as in the example below), most connections will no longer
> -#   have perfect forward secrecy - if the server's key is
> -#   compromised, captures of past or future traffic must be
> -#   considered compromised, too.
> -#SSLHonorCipherOrder on

This is, as we discussed, simply eliminating the speed-optimized
suggestions, let the user look elsewhere for [frequently updated] guidance.

> +#  By the end of 2016, only TLSv1.2 ciphers should remain in use.
> +#  Older ciphers should be disallowed as soon as possible, while the
> +#  kRSA ciphers do not offer forward secrecy.  These changes inhibit
> +#  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
> +#  non-browser tooling) from successfully connecting.
> +#
> +#  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
> +#  those protocols which do not support forward secrecy, replace
> +#  the SSLCipherSuite and SSLProxyCipherSuite directives above with
> +#  the following two directives, as soon as practical.
> +# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
> +# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

I used the !SSLv3 logic rather than explicitly calling out TLSv1.2 so we
enjoy a better transition to TLSv1.3+.

Since the proposal to suggest !kRSA is new, it deserves a brief word of
explanation.  RSA cipher negotiation remains valid.  But signed RSA
certificates must be exchanged using the ECDHE or ECDH in order to provide
forward secrecy.  This was proposed by Mark Thomas after evaluating how the
Qualys SSL test behaved, resulting in upgrading from an A- to an A (where
he enabled only HIGH grade ciphers and omitted MEDIUM).  It is interesting
that this wasn't part of their Dec '14 v1.4 guidance whitepaper, but I'm
sure it will be clarified in future revisions.  Only IE8 on XP is called
out as requiring Kx=RSA with TLSv1.2 by default.

in httpd-2.2, we may also wish to explicitly disable SSLv2 - notably for
3DES ciphers, but at the moment this is accomplished with !EXP:!kRSA (and
by not including LOW grade ciphers).  Just thinking that if the user
enables kRSA they also may inadvertently re-allow 3DES which has only 112
effective bits of key strength, not the 168 claimed.

+#   User agents such as web browsers are not configured for the user's
> +#   own preference of either security or performance, therefore this
> +#   must be the prerogative of the web server administrator who manages
> +#   cpu load versus confidentiality, so enforce the server's cipher order.
> +SSLHonorCipherOrder on

This also relies on guidance from RFC7525

> +#   SSL Protocol support:
> +#   List the protocol versions which clients are allowed to connect with.
> +#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
> +#   disabled as quickly as practical.  By the end of 2016, only the
> TLSv1.2
> +#   protocol or later should remain in use.
> +SSLProtocol all -SSLv3
> +SSLProxyProtocol all -SSLv3

The httpd 2.2 proposal already committed drops SSLv2 as well.

I am all on board to now start ripping SSLv3 protocol and default
to only TLSv1.2 ciphers, on trunk, once this config backport has been
reviewed and committed.

View raw message