mod_ssl: Update default config (SSLProtocol, SSLCipherSuite, MSIE pattern)

Reviewed by: Kaspar Brand, Rainer Jung, Joe Orton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1227293 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 6a1812ce820fd437ab9dfdea3bf3bbff729ff599..4277203ae8c43cb79f8f90962a4bd26a03e37cc1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -14,6 +14,10 @@ Changes with Apache 2.2.22
   *) mod_log_config: Fix segfault when logging nameless, valueless cookie.
      PR 52256. [Stefan Fritsch]
 
+  *) config: Update the default mod_ssl configuration: Disable SSLv2, only
+     allow >= 128bit ciphers, add commented example for speed optimized cipher
+     list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]
+
   *) core: Fix segfault in ap_send_interim_response(). PR 52315.
      [Stefan Fritsch]
 

diff --git a/STATUS b/STATUS
index 6341673288cc8debf8f3cd11dd0dfe2b65cbb631..db91525fc19d88957bb09b5fc59d01247d9b0d63 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -99,14 +99,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
     http://people.apache.org/~jfclere/patches/ajp_timeout.patch
     +1: jfclere, rjung, rpluem
 
-  * mod_ssl: Update default config (SSLProtocol, SSLCipherSuite, MSIE pattern)
-    Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1132793
-                 http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1203752&r1=1203751&r2=1203752&view=diff
-    2.2.x patch: http://people.apache.org/~kbrand/mod_ssl_config_defaults-2.2.x.patch
-    (disabling SSLv2 in SSLProtocol is only required for 2.2.x, since trunk
-     and 2.4.x no longer support this version, see r1203491 and r1203495)
-    +1: kbrand (non-binding), rjung, jorton
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
index b9f12834d7787f1bcc3c2dd758a1ea2d4ff6a9ed..7824886298f3667f0a198eb01a2692789cb9d354 100644 (file)
--- a/docs/conf/extra/httpd-ssl.conf.in
+++ b/docs/conf/extra/httpd-ssl.conf.in
@@ -84,11 +84,29 @@ TransferLog "@exp_logfiledir@/access_log"
 #   Enable/Disable SSL for this virtual host.
 SSLEngine on
 
+#   SSL Protocol support:
+#   List the protocol versions which clients are allowed to
+#   connect with. Disable SSLv2 by default (cf. RFC 6176).
+SSLProtocol all -SSLv2
+
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+#   Speed-optimized SSL Cipher configuration:
+#   If speed is your main concern (on busy HTTPS servers e.g.),
+#   you might want to force clients to specific, performance
+#   optimized ciphers. In this case, prepend those ciphers
+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+#   (as in the example below), most connections will no longer
+#   have perfect forward secrecy - if the server's key is
+#   compromised, captures of past or future traffic must be
+#   considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on 
+ 
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
 #   the certificate is encrypted, then you will be prompted for a
@@ -218,7 +236,7 @@ SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
 #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 #   "force-response-1.0" for this.
-BrowserMatch ".*MSIE.*" \
+BrowserMatch "MSIE [2-5]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0