author | William A. Rowe Jr <wrowe@apache.org> | 2013-06-27 00:10:15 +0000
committer | William A. Rowe Jr <wrowe@apache.org> | 2013-06-27 00:10:15 +0000
commit | efacdd5e81ccbaacb3a2293ca732ba27f14c1b51 (patch)
tree | f3541bcee2e8f016335c6a350786d6ea59448b07
parent | 7e2ea927e397ed0a0e8afd745f997e7ca3ee1186 (diff)
download | httpd-efacdd5e81ccbaacb3a2293ca732ba27f14c1b51.tar.gz
Change the SSLCipherSuite default to a shorter, whitelist-oriented
definition.
Disable AECDH ciphers in example config by using !aNULL (which includes
all ciphers without authentication).
PR: 51363
Submitted by: rjung, kbrand, Rob Stradling <rob comodo com>
Backports: r966160, r1135234, r1203752
Fix up some SSL configuration, per issue #49484. IE6 had a hotfix released
for this problem quite a while back (see kb 921090), so restrict the
modified behavior to the old/unsupported browsers.
* docs/conf/extra/http-ssl.conf.in:
(): tighten up the regex to only select old MSIE browsers for the
downgrade in http behavior. This allows IE6 to run much faster.
* Make the MSIE BrowserMatch regexp fit for MSIE 10. Remove useless '.*'
Backports: r966055, r1132793
Submitted by: gstein, sf
Reviewed by: wrowe, rjung, gsmith
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1497156 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 9
-rw-r--r-- | STATUS | 6
-rw-r--r-- | docs/conf/ssl-std.conf.in | 9
-rw-r--r-- | docs/manual/ssl/ssl_howto.html.en | 8
-rw-r--r-- | docs/manual/ssl/ssl_howto.xml | 8
5 files changed, 24 insertions, 16 deletions
@@ -73,6 +73,15 @@ Changes with Apache 2.0.65 *) Improve platform detection for bundled PCRE by updating config.guess and config.sub. [Rainer Jung] + *) ssl-std.conf: Disable AECDH ciphers in example config. PR 51363. + [Rob Stradling <rob comodo com>] + + *) ssl-std.conf: Change the SSLCipherSuite default to a shorter, + whitelist oriented definition. [Rainer Jung, Kaspar Brand] + + *) ssl-std.conf: Only select old MSIE browsers for the downgrade + in http/https behavior. [Greg Stein, Stefan Fritsch] + Changes with Apache 2.0.64 *) SECURITY: CVE-2010-1452 (cve.mitre.org) @@ -124,12 +124,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: identify exactly what the proposed changes are! Add all new proposals to the end of this list. ] - * Alternate: -SSLv2, Simplify SSLCipherSuite, corresponding docs fix, - MSIE downgrade changes - r966160, r1135234, r1203752, r966055, r1132793 - http://people.apache.org/~wrowe/https-std-2.0.patch - +1: wrowe, rjung, gsmith - PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON: diff --git a/docs/conf/ssl-std.conf.in b/docs/conf/ssl-std.conf.in index ae831187f0..9bce1f0791 100644 --- a/docs/conf/ssl-std.conf.in +++ b/docs/conf/ssl-std.conf.in @@ -93,10 +93,15 @@ TransferLog @exp_logfiledir@/access_log # Enable/Disable SSL for this virtual host. SSLEngine on +# SSL Protocol support: +# List the protocol versions which clients are allowed to +# connect with. Disable SSLv2 by default (cf. RFC 6176). +SSLProtocol all -SSLv2 + # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If 
@@ -231,7 +236,7 @@ SSLCertificateKeyFile @exp_sysconfdir@/ssl.key/server.key # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. -SetEnvIf User-Agent ".*MSIE.*" \ +SetEnvIf User-Agent "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 diff --git a/docs/manual/ssl/ssl_howto.html.en b/docs/manual/ssl/ssl_howto.html.en index ea85a26a95..d2cc0210e4 100644 --- a/docs/manual/ssl/ssl_howto.html.en +++ b/docs/manual/ssl/ssl_howto.html.en @@ -69,10 +69,10 @@ without knowing its restrictions and coherences.</p> <h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption only?</a></h3> - <p>The following enables only the seven strongest ciphers:</p> + <p>The following enables only the strongest ciphers:</p> <div class="example"><h3>httpd.conf</h3><p><code> - SSLProtocol all<br /> - SSLCipherSuite HIGH:MEDIUM<br /> + SSLProtocol all -SSLv2<br /> + SSLCipherSuite HIGH:!aNULL:!MD5<br /> </code></p></div> @@ -119,7 +119,7 @@ URL?</a></h3> <Location /strong/area><br /> # but https://hostname/strong/area/ and below<br /> # requires strong ciphers<br /> - SSLCipherSuite HIGH:MEDIUM<br /> + SSLCipherSuite HIGH:!aNULL:!MD5<br /> </Location> </code></p></div> diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index 4fb2b0676b..e93edbc1dc 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml 
@@ -65,10 +65,10 @@ without knowing its restrictions and coherences.</p> <section id="onlystrong"> <title>How can I create an SSL server which accepts strong encryption only?</title> - <p>The following enables only the seven strongest ciphers:</p> + <p>The following enables only the strongest ciphers:</p> <example><title>httpd.conf</title> - SSLProtocol all<br /> - SSLCipherSuite HIGH:MEDIUM<br /> + SSLProtocol all -SSLv2<br /> + SSLCipherSuite HIGH:!aNULL:!MD5<br /> </example> </section> @@ -116,7 +116,7 @@ URL?</title> <Location /strong/area><br /> # but https://hostname/strong/area/ and below<br /> # requires strong ciphers<br /> - SSLCipherSuite HIGH:MEDIUM<br /> + SSLCipherSuite HIGH:!aNULL:!MD5<br /> </Location> </example> </section> |
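Review bot: the three new entries in the CHANGES hunk (@@ -73,6 +73,15 @@) omit the `SSLProtocol all -SSLv2` line that this same patch adds to docs/conf/ssl-std.conf.in, so someone reading CHANGES for 2.0.65 would not learn that the example config now refuses SSLv2. Add a fourth ssl-std.conf entry, e.g. `*) ssl-std.conf: Disable SSLv2 by default (cf. RFC 6176).`, or fold it into the SSLCipherSuite entry. The third entry's "downgrade in http/https behavior" also reads oddly next to the conf comment, which describes forcing HTTP/1.0 on broken clients; "HTTP/1.0 downgrade for old MSIE" would say what actually changed.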
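Review bot: in the first docs/conf/ssl-std.conf.in hunk (@@ -93,10 +93,15 @@) the new default `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` keeps MEDIUM, while the ssl_howto examples changed in the same patch use `HIGH:!aNULL:!MD5`; the shipped default and the documented "strong encryption only" string are now different and the comment above the directive ("See the mod_ssl documentation for a complete list.") does not say why. Either drop MEDIUM here or add one comment line stating that MEDIUM is retained for client compatibility and that `HIGH:!aNULL:!MD5` is the stricter choice. It is also worth a comment that `!aNULL` subsumes the removed `!ADH` (anonymous ECDH as well as anonymous DH, which is the PR 51363 fix) and that, because the new string is a whitelist, EXPORT and LOW suites are simply never selected; otherwise a later editor may "restore" `!ADH` or `+LOW` from the old line.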
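Review bot: in the second docs/conf/ssl-std.conf.in hunk (@@ -231,7 +236,7 @@) the unchanged comment above `SetEnvIf User-Agent "MSIE [2-5]"` still says only that "one has to force some clients to use HTTP/1.0", so a reader no longer sees that the workaround is now deliberately limited to MSIE 2 through 5 and that IE6 and later are excluded on purpose (the commit message cites the KB 921090 hotfix). Update the comment to say so, and note why the character class starts at 2: the commit message's "fit for MSIE 10" refers to a class such as `[1-5]`, which matches the prefix "MSIE 1" of "MSIE 10"; without that remark someone will eventually widen it back to `[1-5]`.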
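Review bot: in the first docs/manual/ssl/ssl_howto.html.en hunk (@@ -69,10 +69,10 @@) the replacement sentence "The following enables only the strongest ciphers:" no longer describes the example beneath it: `!aNULL` excludes anonymous (unauthenticated) suites and `!MD5` excludes MD5-based ones, which is a different property from strength, and the added `SSLProtocol all -SSLv2` is not explained at all. Suggest wording along the lines of "The following enables only the strongest ciphers, excludes anonymous (unauthenticated) and MD5-based suites, and disables SSLv2:". The same sentence is changed identically in ssl_howto.xml and should be adjusted there too.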
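Review bot: the docs/manual/ssl/ssl_howto.xml hunks are the source of the ssl_howto.html.en hunks above, and the two were hand-edited in parallel here. The visible hunks do match line for line, but the safer practice is to edit only the .xml and commit the regenerated .html.en, so that a later doc build cannot silently overwrite the hand-edited markup; at minimum confirm the regenerated output is byte-identical before the 2.0.65 tag.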