Return-Path: 
 <dev-return-82617-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
X-Original-To: apmail-httpd-dev-archive@www.apache.org
Delivered-To: apmail-httpd-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 46B0818323
	for <apmail-httpd-dev-archive@www.apache.org>;
 Thu, 14 May 2015 22:59:07 +0000 (UTC)
Received: (qmail 58506 invoked by uid 500); 14 May 2015 22:59:06 -0000
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 58402 invoked by uid 500); 14 May 2015 22:59:06 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
List-Post: <mailto:dev@httpd.apache.org>
List-Id: <dev.httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 58392 invoked by uid 99); 14 May 2015 22:59:06 -0000
Received: from Unknown (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 May 2015 22:59:06 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org)
 with ESMTP id 1B9CBC4F17
	for <dev@httpd.apache.org>; Thu, 14 May 2015 22:59:06 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled
Authentication-Results: spamd1-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key) header.d=gmail.com
Received: from mx1-us-east.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new,
 port 10024)
	with ESMTP id 82UNT9a_M-qv for <dev@httpd.apache.org>;
	Thu, 14 May 2015 22:58:57 +0000 (UTC)
Received: from mail-ie0-f176.google.com (mail-ie0-f176.google.com
 [209.85.223.176])
	by mx1-us-east.apache.org (ASF Mail Server at mx1-us-east.apache.org) with
 ESMTPS id 60AC742996
	for <dev@httpd.apache.org>; Thu, 14 May 2015 22:58:57 +0000 (UTC)
Received: by ieczm2 with SMTP id zm2so2358646iec.1
        for <dev@httpd.apache.org>; Thu, 14 May 2015 15:58:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        bh=ykVRQy0Xy9UbWIuLIp5iJj+lI+94oZ1mnMDX9nbjgC0=;
        b=u7f+Yeb7i77RdJNnXBad7d9umF3MdqKCZO/iH38gH8I9HYbcYrMRwTwsqdjvZqfSCT
         llHPpbDagiOwtZnvQ7jrmV8lShNAQth9htWHodrNJzl7CPM7Iq/HE7xJg7nFch0V3HOB
         UajSJu+ylP/ls/zpJfByoIgd9QM4PjOXefvQzj7ANfLdjUWo47E8xo/UjfHIl1UWwM+c
         Sw/Ubn64Z9nf/ds9RCB/DObmlyH26B3Ur2YCqHQRXPpUTjwBDpl6HJDhxpwHwKKc7kJw
         QgAvVqsx99K4k9ksSe7OdLoaQNT+0y1X206MOrme18sSb1kygtCqyzhAoKosSAwMDunW
         sVRQ==
MIME-Version: 1.0
X-Received: by 10.50.21.1 with SMTP id r1mr6827888ige.46.1431644291716; Thu,
 14 May 2015 15:58:11 -0700 (PDT)
Received: by 10.79.71.4 with HTTP; Thu, 14 May 2015 15:58:11 -0700 (PDT)
In-Reply-To: 
 <CACsi252gkaxYz_REJiKTmP38T3=NGHKQgORCaJPB3+od6_-gqQ@mail.gmail.com>
References: <20150514184452.C748DAC0043@hades.apache.org>
	<CACsi252gkaxYz_REJiKTmP38T3=NGHKQgORCaJPB3+od6_-gqQ@mail.gmail.com>
Date: Fri, 15 May 2015 00:58:11 +0200
Message-ID: 
 <CAKQ1sVMgL7BU96B8LizpGQjG5ucFi3AQWRWeek4e8ejKGKa+TQ@mail.gmail.com>
Subject: Re: svn commit: r1679428 -
 /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
From: Yann Ylavic <ylavic.dev@gmail.com>
To: httpd <dev@httpd.apache.org>
Content-Type: text/plain; charset=UTF-8

Looks good to me, thanks!

I committed r1679470 in trunk and proposed a backport to 2.4.x (will
propose a v2 for my 2.2.x patch which is also concerned), since
SSL_DEFAULT_CIPHER_LIST (default when no SSL[Proxy]CipherSuite is
configured) does not include "!aNULL:!eNULL" for older OpenSSL
versions (though still supported).

On Thu, May 14, 2015 at 10:20 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> Proposed for backport on both 2.2 and 2.4 branches.
>
>
> On Thu, May 14, 2015 at 1:44 PM, <wrowe@apache.org> wrote:
>>
>> Author: wrowe
>> Date: Thu May 14 18:44:52 2015
>> New Revision: 1679428
>>
>> URL: http://svn.apache.org/r1679428
>> Log:
>> Conform to RFC 7525, with additional suggestion to drop RSA Kx ciphers
>>
>> Modified:
>>     httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
>>
>> Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1679428&r1=1679427&r2=1679428&view=diff
>>
>> ==============================================================================
>> --- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original)
>> +++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Thu May 14
>> 18:44:52 2015
>> @@ -43,22 +43,39 @@ Listen @@SSLPort@@
>>  ##
>>
>>  #   SSL Cipher Suite:
>> -#   List the ciphers that the client is permitted to negotiate.
>> -#   See the mod_ssl documentation for a complete list.
>> -SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>> +#   List the ciphers that the client is permitted to negotiate,
>> +#   and that httpd will negotiate as the client of a proxied server.
>> +#   See the OpenSSL documentation for a complete list of ciphers, and
>> +#   ensure these follow appropriate best practices for this deployment.
>> +SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
>> +SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
>
>
> Here we simply drop RC4 as mentioned in RFC7525 (a MUST NOT), and extend the
> default list out to the proxy client behavior.
>
> The defaults for httpd-2.2 rely on ylavic's proposed 'mod_ssl: Improve
> handling of ephemeral DH and ECDH keys'... backport which addresses eNULL,
> aNULL and EXP in an unambiguous way.
>
>> -#   Speed-optimized SSL Cipher configuration:
>> -#   If speed is your main concern (on busy HTTPS servers e.g.),
>> -#   you might want to force clients to specific, performance
>> -#   optimized ciphers. In this case, prepend those ciphers
>> -#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
>> -#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
>> -#   (as in the example below), most connections will no longer
>> -#   have perfect forward secrecy - if the server's key is
>> -#   compromised, captures of past or future traffic must be
>> -#   considered compromised, too.
>> -#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
>> -#SSLHonorCipherOrder on
>
>
> This is, as we discussed, simply eliminating the speed-optimized
> suggestions, let the user look elsewhere for [frequently updated] guidance.
>
>>
>> +#  By the end of 2016, only TLSv1.2 ciphers should remain in use.
>> +#  Older ciphers should be disallowed as soon as possible, while the
>> +#  kRSA ciphers do not offer forward secrecy.  These changes inhibit
>> +#  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
>> +#  non-browser tooling) from successfully connecting.
>> +#
>> +#  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
>> +#  those protocols which do not support forward secrecy, replace
>> +#  the SSLCipherSuite and SSLProxyCipherSuite directives above with
>> +#  the following two directives, as soon as practical.
>> +# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
>> +# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
>
>
> I used the !SSLv3 logic rather than explicitly calling out TLSv1.2 so we
> enjoy a better transition to TLSv1.3+.
>
> Since the proposal to suggest !kRSA is new, it deserves a brief word of
> explanation.  RSA cipher negotiation remains valid.  But signed RSA
> certificates must be exchanged using the ECDHE or ECDH in order to provide
> forward secrecy.  This was proposed by Mark Thomas after evaluating how the
> Qualys SSL test behaved, resulting in upgrading from an A- to an A (where he
> enabled only HIGH grade ciphers and omitted MEDIUM).  It is interesting that
> this wasn't part of their Dec '14 v1.4 guidance whitepaper, but I'm sure it
> will be clarified in future revisions.  Only IE8 on XP is called out as
> requiring Kx=RSA with TLSv1.2 by default.
>
> in httpd-2.2, we may also wish to explicitly disable SSLv2 - notably for
> 3DES ciphers, but at the moment this is accomplished with !EXP:!kRSA (and by
> not including LOW grade ciphers).  Just thinking that if the user enables
> kRSA they also may inadvertently re-allow 3DES which has only 112 effective
> bits of key strength, not the 168 claimed.
>
>> +#   User agents such as web browsers are not configured for the user's
>> +#   own preference of either security or performance, therefore this
>> +#   must be the prerogative of the web server administrator who manages
>> +#   cpu load versus confidentiality, so enforce the server's cipher
>> order.
>> +SSLHonorCipherOrder on
>
>
> This also relies on guidance from RFC7525
>
>>
>> +#   SSL Protocol support:
>> +#   List the protocol versions which clients are allowed to connect with.
>> +#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
>> +#   disabled as quickly as practical.  By the end of 2016, only the
>> TLSv1.2
>> +#   protocol or later should remain in use.
>> +SSLProtocol all -SSLv3
>> +SSLProxyProtocol all -SSLv3
>
>
> The httpd 2.2 proposal already committed drops SSLv2 as well.
>
> I am all on board to now start ripping SSLv3 protocol and default to only
> TLSv1.2 ciphers, on trunk, once this config backport has been reviewed and
> committed.
>
>