
Mailing List Archive: Apache: Dev

[PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration



lars at apache

Nov 6, 2009, 1:04 PM

Post #1 of 5 (574 views)
[PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Hi,

I would like to propose the attached patch for inclusion in 2.2
(I'll commit to trunk soon unless I'm getting any -1s in response to
this email).

cheers...
--
Lars Eilebrecht
lars [at] apache
Attachments: modssl.patch (1.16 KB)


rainer.jung at kippdata

Nov 6, 2009, 1:31 PM

Post #2 of 5 (532 views)
Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration [In reply to]

On 06.11.2009 22:04, Lars Eilebrecht wrote:
> Hi,
>
> I would like to propose the attached patch for inclusion in 2.2
> (I'll commit to trunk soon unless I'm getting any -1s in response to
> this email).

Using the openssl ciphers command the new cipher string resolves to

ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL

DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
EDH-RSA-DES-CBC3-SHA
EXP-EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC3-SHA
EXP-EDH-DSS-DES-CBC-SHA
DES-CBC3-SHA
EXP-DES-CBC-SHA
IDEA-CBC-SHA
RC4-SHA

The old one additionally contains:

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
DES-CBC3-MD5
IDEA-CBC-MD5
RC2-CBC-MD5
RC4-MD5
DES-CBC-MD5
EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Because of the EXP- ciphers still contained in the new one, we might add
!EXPORT:

ALL:!ADH:!EXPORT:!LOW:!MD5:!SSLV2:!NULL

Regards,

Rainer

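As an added check that is not part of the thread: a small script that audits a resolved suite list the way Rainer did by hand, using the two lists from his post as embedded data. The weak-class name patterns and the `resolve()` helper that shells out to `openssl ciphers` are this example's own assumptions, not mod_ssl code.

```python
import re
import subprocess

# Suite names exactly as `openssl ciphers` resolved them in the post above:
# the proposed default, and the extra suites only the old default offered.
PROPOSED_LIST = """
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA
DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA
EDH-RSA-DES-CBC3-SHA EXP-EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC3-SHA EXP-EDH-DSS-DES-CBC-SHA
DES-CBC3-SHA EXP-DES-CBC-SHA IDEA-CBC-SHA RC4-SHA
""".split()
OLD_EXTRA = """
RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA
DES-CBC3-MD5 IDEA-CBC-MD5 RC2-CBC-MD5 RC4-MD5 DES-CBC-MD5
EXP-RC2-CBC-MD5 EXP-RC4-MD5 EXP-RC2-CBC-MD5 EXP-RC4-MD5
""".split()

# Classes a server default should not offer, matched on the *resolved* suite
# names so the check reports what the string actually lets through (assumed).
WEAK_CLASSES = {
    "export":     re.compile(r"^EXP-"),        # 40/56-bit export grade
    "anonymous":  re.compile(r"^A(EC)?DH-"),   # unauthenticated key exchange
    "null":       re.compile(r"NULL"),         # no encryption at all
    "md5":        re.compile(r"-MD5$"),        # MD5-based MAC
    "single-des": re.compile(r"DES-CBC-"),     # 56-bit DES (DES-CBC3 is 3DES)
    "rc2":        re.compile(r"RC2-"),
}

def audit(names):
    """Map each weak class to the suites in `names` that fall into it."""
    findings = {}
    for name in names:
        for cls, pat in WEAK_CLASSES.items():
            if pat.search(name):
                findings.setdefault(cls, []).append(name)
    return findings

def without(names, cls):
    """Drop one class from a resolved list, e.g. to preview adding !EXPORT."""
    return [n for n in names if not WEAK_CLASSES[cls].search(n)]

def resolve(cipher_string):
    """Expand a cipher string with the local `openssl ciphers` binary."""
    out = subprocess.run(["openssl", "ciphers", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().split(":")
```

Running `audit(resolve("ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL"))` against a 2009-era OpenSSL reproduces Rainer's finding (three EXP- suites survive), and `audit(without(PROPOSED_LIST, "export"))` is empty, which is what the added `!EXPORT` buys.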

jorton at redhat

Nov 6, 2009, 1:53 PM

Post #3 of 5 (534 views)
Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration [In reply to]

On Fri, Nov 06, 2009 at 01:04:01PM -0800, Lars Eilebrecht wrote:
> I would like to propose the attached patch for inclusion in 2.2 (I'll
> commit to trunk soon unless I'm getting any -1s in response to this
> email).

Looks good - thanks! I agree with Rainer that we can/should disable
export ciphers now too, I think.

Regards, Joe


lars at eilebrecht

Nov 6, 2009, 1:54 PM

Post #4 of 5 (536 views)
Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration [In reply to]

Rainer Jung wrote on 2009-11-06 22:31:55:

> Because of the EXP- ciphers still contained in the new one, we might
> add !EXPORT:
>
> ALL:!ADH:!EXPORT:!LOW:!MD5:!SSLV2:!NULL

Thanks for catching this Rainer. I was assuming that !LOW removes
export ciphers as well.

cheers...
--
Lars Eilebrecht
lars [at] eilebrecht


mads at toftum

Nov 6, 2009, 1:55 PM

Post #5 of 5 (528 views)
Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration [In reply to]

On Fri, Nov 06, 2009 at 01:04:01PM -0800, Lars Eilebrecht wrote:
> I would like to propose the attached patch for inclusion in 2.2
> (I'll commit to trunk soon unless I'm getting any -1s in response to
> this email).
>
> -SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> +SSLCipherSuite ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL
>
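Review bot: the `+` line still admits export-grade suites, since `!LOW` covers the 56/64-bit suites (DES-CBC-SHA and friends, gone from Rainer's new list) but OpenSSL's `LOW` alias explicitly excludes export suites, which is why EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA and EXP-DES-CBC-SHA survive in the resolved output; the new default should be `SSLCipherSuite ALL:!ADH:!EXPORT:!LOW:!MD5:!SSLV2:!NULL` as Rainer proposed. It is also worth confirming with `openssl ciphers` that `!SSLV2` is honoured as written, because the documented alias is spelled `SSLv2`; the resolved list cannot show this either way, since every SSLv2 suite in the old output ends in -MD5 and is already removed by `!MD5`.
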
Big +1 from the peanut gallery - this has been an annoyance for quite
some time after browsers got pickier. I think Rainer is right that we
might as well drop export ciphers also.

vh

Mads Toftum
--
http://soulfood.dk
