From: Stefan Fritsch Date: Wed, 4 Jan 2012 20:10:40 +0000 (+0000) Subject: mod_ssl: Update default config (SSLProtocol, SSLCipherSuite, MSIE pattern) X-Git-Tag: 2.2.22~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2dae54a2f7f21d895477c39ac90ec5ce0c5b10e7;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl: Update default config (SSLProtocol, SSLCipherSuite, MSIE pattern) Reviewed by: Kaspar Brand, Rainer Jung, Joe Orton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1227293 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 6a1812ce820..4277203ae8c 100644 --- a/CHANGES +++ b/CHANGES @@ -14,6 +14,10 @@ Changes with Apache 2.2.22 *) mod_log_config: Fix segfault when logging nameless, valueless cookie. PR 52256. [Stefan Fritsch] + *) config: Update the default mod_ssl configuration: Disable SSLv2, only + allow >= 128bit ciphers, add commented example for speed optimized cipher + list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand] + *) core: Fix segfault in ap_send_interim_response(). PR 52315. [Stefan Fritsch] diff --git a/STATUS b/STATUS index 6341673288c..db91525fc19 100644 --- a/STATUS +++ b/STATUS @@ -99,14 +99,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: http://people.apache.org/~jfclere/patches/ajp_timeout.patch +1: jfclere, rjung, rpluem - * mod_ssl: Update default config (SSLProtocol, SSLCipherSuite, MSIE pattern) - Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1132793 - http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1203752&r1=1203751&r2=1203752&view=diff - 2.2.x patch: http://people.apache.org/~kbrand/mod_ssl_config_defaults-2.2.x.patch - (disabling SSLv2 in SSLProtocol is only required for 2.2.x, since trunk - and 2.4.x no longer support this version, see r1203491 and r1203495) - +1: kbrand (non-binding), rjung, jorton - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in index b9f12834d77..7824886298f 100644 --- a/docs/conf/extra/httpd-ssl.conf.in +++ b/docs/conf/extra/httpd-ssl.conf.in @@ -84,11 +84,29 @@ TransferLog "@exp_logfiledir@/access_log" # Enable/Disable SSL for this virtual host. SSLEngine on +# SSL Protocol support: +# List the protocol versions which clients are allowed to +# connect with. Disable SSLv2 by default (cf. RFC 6176). +SSLProtocol all -SSLv2 + # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 + +# Speed-optimized SSL Cipher configuration: +# If speed is your main concern (on busy HTTPS servers e.g.), +# you might want to force clients to specific, performance +# optimized ciphers. In this case, prepend those ciphers +# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. +# Caveat: by giving precedence to RC4-SHA and AES128-SHA +# (as in the example below), most connections will no longer +# have perfect forward secrecy - if the server's key is +# compromised, captures of past or future traffic must be +# considered compromised, too. +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 +#SSLHonorCipherOrder on + # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a @@ -218,7 +236,7 @@ SSLCertificateKeyFile "@exp_sysconfdir@/server.key" # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. -BrowserMatch ".*MSIE.*" \ +BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0