Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Apache: Dev

[UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

  

 
Apache dev RSS feed   Index | Next | Previous | View Threaded


lars at apache

Nov 6, 2009, 3:19 PM

Post #1 of 7 (202 views)
Permalink
[UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration
Hi,

attached is a slightly different patch, it includes "!EXP" and I've
moved the directive out of the vhost into the main server config
(there's not reason to duplicate the config for each vhost).

In addition I've added "RC4-SHA:AES128-SHA" to the beginning of the
list which doesn't make a difference unless SSLCipherHonorOrder is
enabled which I've included as an example in the config (disabled by
default).

cheers...
--
Lars Eilebrecht
lars[at]apache.org
Attachments: modssl_2.patch (2.06 KB)


rpluem at apache

Nov 6, 2009, 3:29 PM

Post #2 of 7 (191 views)
Permalink
Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration [In reply to]
On 11/07/2009 12:19 AM, Lars Eilebrecht wrote:
> Hi,
>
> attached is a slightly different patch, it includes "!EXP" and I've
> moved the directive out of the vhost into the main server config
> (there's not reason to duplicate the config for each vhost).
>
> In addition I've added "RC4-SHA:AES128-SHA" to the beginning of the
> list which doesn't make a difference unless SSLCipherHonorOrder is
> enabled which I've included as an example in the config (disabled by
> default).
>
> cheers...
>
> @@ -212,9 +218,9 @@
> # Similarly, one has to force some clients to use HTTP/1.0 to workaround
> # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
> # "force-response-1.0" for this.
> -BrowserMatch ".*MSIE.*" \
> - nokeepalive ssl-unclean-shutdown \
> - downgrade-1.0 force-response-1.0
> +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
> + downgrade-1.0 force-response-1.0
> +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
>
> # Per-Server Logging:
> # The home of a custom SSL log file. Use this when you want a

Do we really know that IE >= 6 do not need these additional options any longer?

Regards

Rüdiger


jorton at redhat

Nov 6, 2009, 3:57 PM

Post #3 of 7 (191 views)
Permalink
Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration [In reply to]
On Fri, Nov 06, 2009 at 03:19:12PM -0800, Lars Eilebrecht wrote:
> attached is a slightly different patch, it includes "!EXP" and I've
> moved the directive out of the vhost into the main server config
> (there's not reason to duplicate the config for each vhost).

Good stuff, +1. Joe


lars at eilebrecht

Nov 6, 2009, 5:21 PM

Post #4 of 7 (185 views)
Permalink
Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration [In reply to]
Ruediger Pluem wrote on 2009-11-07 00:29:41:

> > -BrowserMatch ".*MSIE.*" \
> > - nokeepalive ssl-unclean-shutdown \
> > - downgrade-1.0 force-response-1.0
> > +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
> > + downgrade-1.0 force-response-1.0
> > +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
> >
> > # Per-Server Logging:
> > # The home of a custom SSL log file. Use this when you want a
>
> Do we really know that IE >= 6 do not need these additional options
> any longer?

The bug about SSL renegotiation got fixed in one of the IE 6 earlier
versions, so some of the very very old versions of IE 6 won't work, but
the market share of these versions if effectively 0%.

If you google for it you'll find some people recommending the use of
the above configuration, and I've been using it on various sites since
a few years without any problems.

The main issue with our previous config is that we are disabling
keep-alive for IE 7 and 8 which is a bad idea for a busy HTTPS server.

cheers...
--
Lars Eilebrecht
lars[at]eilebrecht.net


rpluem at apache

Nov 7, 2009, 1:09 AM

Post #5 of 7 (177 views)
Permalink
Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration [In reply to]
On 11/07/2009 02:21 AM, Lars Eilebrecht wrote:
> Ruediger Pluem wrote on 2009-11-07 00:29:41:
>
>>> -BrowserMatch ".*MSIE.*" \
>>> - nokeepalive ssl-unclean-shutdown \
>>> - downgrade-1.0 force-response-1.0
>>> +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
>>> + downgrade-1.0 force-response-1.0
>>> +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
>>>
>>> # Per-Server Logging:
>>> # The home of a custom SSL log file. Use this when you want a
>> Do we really know that IE >= 6 do not need these additional options
>> any longer?
>
> The bug about SSL renegotiation got fixed in one of the IE 6 earlier
> versions, so some of the very very old versions of IE 6 won't work, but
> the market share of these versions if effectively 0%.
>
> If you google for it you'll find some people recommending the use of
> the above configuration, and I've been using it on various sites since
> a few years without any problems.
>
> The main issue with our previous config is that we are disabling
> keep-alive for IE 7 and 8 which is a bad idea for a busy HTTPS server.

Yeah, I know and this is a real PITA that has bothered me for years,
but I just wanted to be sure that this is fixed in recent IE 6 and up.
So many thanks for your investigations.

Regards

Rüdiger


sf at sfritsch

Nov 7, 2009, 2:24 AM

Post #6 of 7 (175 views)
Permalink
Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration [In reply to]
On Saturday 07 November 2009, Lars Eilebrecht wrote:
> Ruediger Pluem wrote on 2009-11-07 00:29:41:
> > > -BrowserMatch ".*MSIE.*" \
> > > - nokeepalive ssl-unclean-shutdown \
> > > - downgrade-1.0 force-response-1.0
> > > +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
> > > + downgrade-1.0 force-response-1.0
> > > +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
> > >
> > > # Per-Server Logging:
> > > # The home of a custom SSL log file. Use this when you want
> > > a
> >
> > Do we really know that IE >= 6 do not need these additional
> > options any longer?
>
> The bug about SSL renegotiation got fixed in one of the IE 6
> earlier versions, so some of the very very old versions of IE 6
> won't work, but the market share of these versions if effectively
> 0%.
>
> If you google for it you'll find some people recommending the use
> of the above configuration, and I've been using it on various
> sites since a few years without any problems.
>
> The main issue with our previous config is that we are disabling
> keep-alive for IE 7 and 8 which is a bad idea for a busy HTTPS
> server.

Shouldn't you use something like this?

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown


There are no MSIE 1.x around anymore, but MSIE 10, 11, ... will happen
in the not too distant future.

BTW, I am not so sure that MSIE 6 works reliably with keepalive in all
situations (e.g. with proxys, plugins, etc.). Therefore I would
actually prefer [2-6] and [17-9].

Cheers,
Stefan


lars at eilebrecht

Nov 8, 2009, 4:53 PM

Post #7 of 7 (157 views)
Permalink
Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration [In reply to]
Stefan Fritsch wrote on 2009-11-07 11:24:03:

> Shouldn't you use something like this?
>
> BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown
>
>
> There are no MSIE 1.x around anymore, but MSIE 10, 11, ... will
> happen in the not too distant future.

Version 10 will still take a while, but I agree that we don't have to
worry about version 1 anymore.

How about this:
BrowserMatch "MSIE" ssl-unclean-shutdown
BrowserMatch "MSIE [2-5]" nokeepalive downgrade-1.0 force-response-1.0


> BTW, I am not so sure that MSIE 6 works reliably with keepalive in
> all situations (e.g. with proxys, plugins, etc.). Therefore I would
> actually prefer [2-6] and [17-9].

My experience is that never versions of MSIE 6 work fine regarding
keep-live and SSL.

cheers...
--
Lars Eilebrecht
lars[at]eilebrecht.net

Apache dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.