From: William A. Rowe Jr Date: Thu, 14 May 2015 18:53:07 +0000 (+0000) Subject: For clarity, revert 1679429 X-Git-Tag: 2.2.30~105 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=423c5d2d043d7a2b08ad93a40ce13efd988b6e50;p=thirdparty%2Fapache%2Fhttpd.git For clarity, revert 1679429 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1679430 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 73a9def457a..10152e30446 100644 --- a/CHANGES +++ b/CHANGES @@ -1,10 +1,6 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.30 - *) SSLProtocol and SSLCipherSuite recommendations in the example/default - conf/extra/httpd-ssl.conf file are now global in scope, affecting all - VirtualHosts (matching 2.4 default configuration). [William Rowe] - *) Turn static function get_server_name_for_url() into public ap_get_server_name_for_url() and use it where appropriate. This fixes mod_rewrite generating invalid URLs for redirects to IPv6 diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in index df71ec9d8c3..0586d1e200c 100644 --- a/docs/conf/extra/httpd-ssl.conf.in +++ b/docs/conf/extra/httpd-ssl.conf.in @@ -50,39 +50,28 @@ AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl # SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate, -# and that httpd will negotiate as the client of a proxied server. -# See the OpenSSL documentation for a complete list of ciphers, and -# ensure these follow appropriate best practices for this deployment. -SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4 -SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4 - -# By the end of 2016, only TLSv1.2 ciphers should remain in use. -# Older ciphers should be disallowed as soon as possible, while the -# kRSA ciphers do not offer forward secrecy. These changes inhibit -# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy -# non-browser tooling) from successfully connecting. -# -# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable -# those protocols which do not support forward secrecy, replace -# the SSLCipherSuite and SSLProxyCipherSuite directives above with -# the following two directives, as soon as practical. -# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA -# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA - -# User agents such as web browsers are not configured for the user's -# own preference of either security or performance, therefore this -# must be the prerogative of the web server administrator who manages -# cpu load versus confidentiality, so enforce the server's cipher order. -SSLHonorCipherOrder on +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 +# Speed-optimized SSL Cipher configuration: +# If speed is your main concern (on busy HTTPS servers e.g.), +# you might want to force clients to specific, performance +# optimized ciphers. In this case, prepend those ciphers +# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. +# Caveat: by giving precedence to RC4-SHA and AES128-SHA +# (as in the example below), most connections will no longer +# have perfect forward secrecy - if the server's key is +# compromised, captures of past or future traffic must be +# considered compromised, too. +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 +#SSLHonorCipherOrder on + # SSL Protocol support: -# List the protocol versions which clients are allowed to connect with. -# Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) -# should be disabled as quickly as practical. By the end of 2016, only -# the TLSv1.2 protocol or later should remain in use. +# List the protocol versions which clients are allowed to +# connect with. Disable SSLv2 (cf. RFC 6176) and SSLv3 +# (cf. RFC 7525 and CVE 2014-3566). SSLProtocol all -SSLv2 -SSLv3 -SSLProxyProtocol all -SSLv2 -SSLv3 # Pass Phrase Dialog: # Configure the pass phrase gathering process.