definition.
Disable AECDH ciphers in example config by using !aNULL (which includes
all ciphers without authentication.
PR: 51363
Submitted by: rjung, kbrand, Rob Stradling <rob comodo com>
Backports: r966160, r1135234, r1203752
Fix up some SSL configuration, per issue #49484. IE6 had a hotfix released
for this problem quite a while back (see kb 921090), so restrict the
modified behavior to the old/unsupported browsers.
* docs/conf/extra/http-ssl.conf.in:
(): tighten up the regex to only select old MSIE browsers for the
downgrade in http behavior. this allows IE6 to run much faster.
* Make the MSIE BrowserMatch regexp fit for MSIE 10. Remove useless '.*'
Backports: r966055, r1132793
Submitted by: gstein, sf
Reviewed by: wrowe, rjung, gsmith
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@
1497156 13f79535-47bb-0310-9956-
ffa450edef68
*) Improve platform detection for bundled PCRE by updating config.guess
and config.sub. [Rainer Jung]
+ *) ssl-std.conf: Disable AECDH ciphers in example config. PR 51363.
+ [Rob Stradling <rob comodo com>]
+
+ *) ssl-std.conf: Change the SSLCipherSuite default to a shorter,
+ whitelist oriented definition. [Rainer Jung, Kaspar Brand]
+
+ *) ssl-std.conf: Only select old MSIE browsers for the downgrade
+ in http/https behavior. [Greg Stein, Stefan Fritsch]
+
Changes with Apache 2.0.64
*) SECURITY: CVE-2010-1452 (cve.mitre.org)
identify exactly what the proposed changes are! Add all new
proposals to the end of this list. ]
- * Alternate: -SSLv2, Simplify SSLCipherSuite, corresponding docs fix,
- MSIE downgrade changes
- r966160, r1135234, r1203752, r966055, r1132793
- http://people.apache.org/~wrowe/https-std-2.0.patch
- +1: wrowe, rjung, gsmith
-
PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON:
# Enable/Disable SSL for this virtual host.
SSLEngine on
+# SSL Protocol support:
+# List the protocol versions which clients are allowed to
+# connect with. Disable SSLv2 by default (cf. RFC 6176).
+SSLProtocol all -SSLv2
+
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
+SetEnvIf User-Agent "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption
only?</a></h3>
- <p>The following enables only the seven strongest ciphers:</p>
+ <p>The following enables only the strongest ciphers:</p>
<div class="example"><h3>httpd.conf</h3><p><code>
- SSLProtocol all<br />
- SSLCipherSuite HIGH:MEDIUM<br />
+ SSLProtocol all -SSLv2<br />
+ SSLCipherSuite HIGH:!aNULL:!MD5<br />
</code></p></div>
<Location /strong/area><br />
# but https://hostname/strong/area/ and below<br />
# requires strong ciphers<br />
- SSLCipherSuite HIGH:MEDIUM<br />
+ SSLCipherSuite HIGH:!aNULL:!MD5<br />
</Location>
</code></p></div>
<section id="onlystrong">
<title>How can I create an SSL server which accepts strong encryption
only?</title>
- <p>The following enables only the seven strongest ciphers:</p>
+ <p>The following enables only the strongest ciphers:</p>
<example><title>httpd.conf</title>
- SSLProtocol all<br />
- SSLCipherSuite HIGH:MEDIUM<br />
+ SSLProtocol all -SSLv2<br />
+ SSLCipherSuite HIGH:!aNULL:!MD5<br />
</example>
</section>
<Location /strong/area><br />
# but https://hostname/strong/area/ and below<br />
# requires strong ciphers<br />
- SSLCipherSuite HIGH:MEDIUM<br />
+ SSLCipherSuite HIGH:!aNULL:!MD5<br />
</Location>
</example>
</section>
projects / thirdparty / apache / httpd.git / commitdiff
