
Mailing List Archive: Apache: Users

Apache and BEAST and CRIME attacks




calestyo at scientia

Sep 14, 2012, 3:17 PM

Apache and BEAST and CRIME attacks


I'm using Apache 2.2.22 and 2.2.16... and I wondered how vulnerable I am
to the BEAST and CRIME attacks...

wrt BEAST:
I know most browsers fix that already... but I'd rather have it really
enforced by the server.
Further, I would prefer not to disable my AES or enable RC4 at all.
Also there are sources on the web which claim that RC4 would actually be
more secure than AES.

There are also sources (e.g.
http://security.stackexchange.com/questions/17080/is-there-a-way-to-mitigate-beast-without-disabling-aes-completely ) which claim that this is a non-issue, as it was fixed in OpenSSL for all ciphers.

What's the status on CRIME?

And are there any other things one should consider when configuring

Should one disable SSLv3 and (once I have upgraded to newer Apache versions)
the older TLS versions... if all users support the new ones?


I'm using this mod_ssl configuration:
##SSLPassPhraseDialog builtin
##SSLInsecureRenegotiation off

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

##SSLCryptoDevice builtin

SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex

SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
##SSLSessionCacheTimeout 300

##SSLRenegBufferSize 131072

SSLProtocol TLSv1 +SSLv3
SSLStrictSNIVHostCheck on
SSLHonorCipherOrder on
SSLOptions strictRequire
##SSLVerifyClient none
##SSLVerifyDepth 1

SSLProxyProtocol TLSv1 +SSLv3
SSLProxyCipherSuite !FZA:!ADH:!kGOST:!eNULL:!aNULL:!aGOST:!SEED:!
SSLProxyVerify require
##SSLProxyVerifyDepth 1
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
Attachments: smime.p7s (5.32 KB)
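A small check for the questions this post raises, added here as an example; it is not part of the original message and not Apache's own tooling. It resolves SSLProtocol the way mod_ssl does (bare keyword selects, + adds, - removes, all is every protocol) and flags the settings that BEAST (CBC in TLS 1.0 / SSLv3) and CRIME (TLS compression) hinge on. The protocol keyword list and the existence of SSLCompression (added in httpd 2.2.24 / 2.4.3) are assumptions taken from the mod_ssl documentation; the sample config is the one quoted in the post.

```python
# Assumption: the SSLProtocol keywords mod_ssl accepts with OpenSSL 1.0.1-era builds.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
LEGACY_SSL = {"SSLv2", "SSLv3"}
MODERN_TLS = {"TLSv1.1", "TLSv1.2"}


def parse_ssl_protocol(value):
    """Return the set of protocols an SSLProtocol directive value enables."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else [name]
        if sign == "-":
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled


def audit_mod_ssl(config_text):
    """Collect active directives (lines starting with '#' are comments) and
    return a list of findings relevant to BEAST, CRIME and legacy SSL."""
    directives = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()

    findings = []
    if "SSLProtocol" not in directives:
        findings.append("SSLProtocol not set; mod_ssl falls back to its default")
    protocols = parse_ssl_protocol(directives.get("SSLProtocol", "all"))
    if protocols & LEGACY_SSL:
        findings.append("legacy SSL enabled: " + ", ".join(sorted(protocols & LEGACY_SSL)))
    if not protocols & MODERN_TLS:
        findings.append("no TLS 1.1/1.2 offered; CBC suites stay exposed to BEAST")
    # Assumption: SSLCompression (httpd >= 2.2.24 / 2.4.3) defaults to 'on'.
    if directives.get("SSLCompression", "on").lower() != "off":
        findings.append("TLS compression not disabled (CRIME)")
    if directives.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("server does not enforce its cipher order")
    return findings


# Constructed sample: the directives quoted in the post above.
POSTED_CONFIG = """
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
##SSLSessionCacheTimeout 300
SSLProtocol TLSv1 +SSLv3
SSLStrictSNIVHostCheck on
SSLHonorCipherOrder on
SSLOptions strictRequire
"""
```

Running `audit_mod_ssl(POSTED_CONFIG)` on the quoted config reports SSLv3 enabled, no TLS 1.1/1.2 and compression not disabled, while the cipher-order check passes.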

