Mailing List Archive: Apache: Users

Apache and BEAST and CRIME attacks



calestyo at scientia

Sep 14, 2012, 3:17 PM

Apache and BEAST and CRIME attacks

Hi.

I'm using Apache 2.2.22 and 2.2.16, and I wondered how vulnerable I am
to the BEAST and CRIME attacks.


With regard to BEAST:
I know most browsers fix that already, but I'd rather have it really
enforced by the server.
Further, I would prefer not to disable my AES or enable RC4 at all.
Also, there are sources on the web which claim that RC4 would actually be
more secure than AES.

There are also sources (e.g.
http://security.stackexchange.com/questions/17080/is-there-a-way-to-mitigate-beast-without-disabling-aes-completely ) which claim that this is a non-issue, as it was fixed in OpenSSL for all ciphers.


What's the status on CRIME?


And are there any other things one should consider when configuring
mod_SSL?


Should one disable SSL3 and (once I have upgraded to newer Apache versions)
the older TLS versions, if all users support the new ones?



Thanks,
Chris.


I'm using this mod_ssl configuration:
##SSLPassPhraseDialog builtin
##SSLFIPS off
##SSLInsecureRenegotiation off

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

##SSLCryptoDevice builtin

SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex

SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
##SSLSessionCacheTimeout 300

##SSLRenegBufferSize 131072


SSLProtocol TLSv1 +SSLv3
# one OpenSSL cipher-list string; must stay on a single line (it was wrapped by the mail client)
SSLCipherSuite !FZA:!ADH:!kGOST:!eNULL:!aNULL:!aGOST:!SEED:!GOST94:!IDEA:!RC2:!RC4:!DES:!3DES:!MD5:!GOST89MAC:HIGH:@STRENGTH:+DSS:+DH:+CAMELLIA
SSLStrictSNIVHostCheck on
SSLHonorCipherOrder on
SSLOptions strictRequire
##SSLVerifyClient none
##SSLVerifyDepth 1


SSLProxyProtocol TLSv1 +SSLv3
# same cipher-list string as above, for outgoing proxy connections; single line
SSLProxyCipherSuite !FZA:!ADH:!kGOST:!eNULL:!aNULL:!aGOST:!SEED:!GOST94:!IDEA:!RC2:!RC4:!DES:!3DES:!MD5:!GOST89MAC:HIGH:@STRENGTH:+DSS:+DH:+CAMELLIA
SSLProxyVerify require
##SSLProxyVerifyDepth 1
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
Attachments: smime.p7s (5.32 KB)
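As an added example (not code from the post above or from httpd itself), here is a small pure-Python lint of the mod_ssl directives that matter for the two attacks asked about. It parses a config fragment, expands SSLProtocol, and reports: SSLv3 left on (SSL 3.0 CBC suites share the chained-IV weakness BEAST exploits), TLSv1 on with RC4 excluded (every usable TLSv1 suite is then CBC, so the server cannot mitigate BEAST except by preferring RC4 or dropping TLSv1), SSLCompression not off (TLS compression is what CRIME needs; the directive only exists from httpd 2.2.24 / 2.4.3, so on 2.2.22 it must come from OpenSSL's own compression support), and SSLHonorCipherOrder off. The two inputs are constructed: the poster's fragment with the wrapped lines re-joined, and a hardened variant that assumes an httpd release which knows SSLCompression. How mod_ssl's "all" treats SSLv2 varies by httpd release and OpenSSL build, so the expansion below only reports SSLv2 when it is named explicitly.

```python
"""Lint a mod_ssl fragment for the BEAST/CRIME-relevant directives.

Added example; not the poster's code and not part of httpd.
"""
from typing import Dict, List, Set

WATCHED = ("SSLProtocol", "SSLCipherSuite", "SSLCompression", "SSLHonorCipherOrder")
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_mod_ssl(text: str) -> Dict[str, str]:
    """Return {directive: value} for the watched directives.

    Lines starting with '#' are comments (the poster uses '##' for disabled
    directives). A later occurrence overrides an earlier one, as it would
    inside a single server/<VirtualHost> context.
    """
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in WATCHED:
            found[parts[0]] = parts[1].strip()
    return found


def enabled_protocols(value: str) -> Set[str]:
    """Expand an SSLProtocol value ('all', 'TLSv1 +SSLv3', 'all -SSLv3', ...).

    'all' is taken as SSLv3 plus every TLS version; whether it also covers
    SSLv2 depends on the httpd release and OpenSSL build (assumption), so
    SSLv2 is only reported when it is named explicitly.
    """
    enabled: Set[str] = set()
    for tok in value.split():
        negate = tok.startswith("-")
        name = tok.lstrip("+-")
        if name.lower() == "all":
            names = set(KNOWN_PROTOCOLS) - {"SSLv2"}
        elif name in KNOWN_PROTOCOLS:
            names = {name}
        else:
            continue  # unknown token; mod_ssl itself would refuse to start
        if negate:
            enabled -= names
        else:
            enabled |= names
    return enabled


def check_config(text: str) -> List[str]:
    """Return findings as 'TAG: explanation' strings (empty list = nothing found)."""
    cfg = parse_mod_ssl(text)
    findings: List[str] = []
    protos = enabled_protocols(cfg.get("SSLProtocol", "all"))  # mod_ssl default is 'all'
    spec = cfg.get("SSLCipherSuite", "")
    excluded = {t[1:] for t in spec.split(":") if t.startswith("!")}

    if "SSLv2" in protos:
        findings.append("SSLv2: enabled; add -SSLv2")
    if "SSLv3" in protos:
        findings.append("SSLv3: enabled; SSL 3.0 CBC suites have the chained-IV "
                        "weakness BEAST exploits; add -SSLv3")
    if "TLSv1" in protos and {"RC4", "eNULL"} <= excluded:
        findings.append("BEAST: TLSv1 enabled with RC4 and NULL excluded, so every "
                        "usable TLSv1 suite is CBC; server side the only options are "
                        "preferring RC4 or dropping TLSv1, otherwise the mitigation "
                        "is the client's 1/n-1 record splitting")
    # Treat an absent directive as 'not known to be off': on releases that
    # lack SSLCompression (pre 2.2.24 / 2.4.3) OpenSSL decides.
    if cfg.get("SSLCompression", "on").lower() != "off":
        findings.append("CRIME: SSLCompression is not 'off', so TLS compression may "
                        "be negotiated (directive available from httpd 2.2.24 / 2.4.3)")
    if cfg.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder: off, the client's preference picks the suite")
    return findings


# Constructed input: the poster's fragment with the mail-wrapped lines re-joined.
POSTED_CONFIG = """\
SSLProtocol TLSv1 +SSLv3
SSLCipherSuite !FZA:!ADH:!kGOST:!eNULL:!aNULL:!aGOST:!SEED:!GOST94:!IDEA:!RC2:!RC4:!DES:!3DES:!MD5:!GOST89MAC:HIGH:@STRENGTH:+DSS:+DH:+CAMELLIA
SSLHonorCipherOrder on
"""

# Constructed hardened variant (assumes a release that has SSLCompression).
HARDENED_CONFIG = POSTED_CONFIG.replace(
    "SSLProtocol TLSv1 +SSLv3", "SSLProtocol all -SSLv2 -SSLv3"
) + "SSLCompression off\n"

if __name__ == "__main__":
    for label, cfg_text in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in check_config(cfg_text) or ["no findings"]:
            print(" -", finding)
```

The hardened variant still reports the BEAST line: with RC4 refused, the only remaining server-side choice for TLSv1 is whether to keep TLSv1 at all, which is the poster's last question.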
