[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, master, updated. debian/2.2.22-3-13-g4a6bd73
Stefan Fritsch
sf at sfritsch.de
Mon May 28 19:35:52 UTC 2012
The following commit has been merged in the master branch:
commit a7bf44d1f6d95a4e9e03e12e58f8014a27812103
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Sat Apr 14 21:12:13 2012 +0200
Update ssl default cipher config, add alternative speed optimized
config. Include upstream's comment about the caveat.
Cherry-picked from 6bd9659e656ceeab76a631c9d1690d75d959e6c4
Conflicts:
debian/changelog
diff --git a/debian/changelog b/debian/changelog
index d06a0bb..1e8564f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,8 @@ apache2 (2.2.22-6) UNRELEASED; urgency=low
messages.
* Add section to security.conf that shows how to forbid access to VCS
directories. Closes: #548213
+ * Update ssl default cipher config, add alternative speed optimized config.
+ Closes: #649020
-- Stefan Fritsch <sf at debian.org> Mon, 28 May 2012 20:02:19 +0200
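Review bot: the changelog entry says the commit "add[s] alternative speed optimized config", but the ssl.conf hunk only ships that configuration as commented-out example lines (`#SSLCipherSuite RC4-SHA:AES128-SHA:...` and `#SSLHonorCipherOrder on`); consider wording it as "add commented-out example of a speed-optimized cipher config" so readers of the changelog do not expect a behaviour change, and hyphenate "speed-optimized" to match the comment in ssl.conf.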
diff --git a/debian/config-dir/mods-available/ssl.conf b/debian/config-dir/mods-available/ssl.conf
index f2e9eba..2a4d78b 100644
--- a/debian/config-dir/mods-available/ssl.conf
+++ b/debian/config-dir/mods-available/ssl.conf
@@ -49,15 +49,24 @@ SSLSessionCacheTimeout 300
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-# enable only secure ciphers:
-SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
-# Use this instead if you want to allow cipher upgrades via SGC facility.
-# In this case you also have to use something like
-# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
-#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+# List the ciphers that the client is permitted to negotiate. See the
+# ciphers(1) man page from the openssl package for list of all available
+# options.
+# Enable only secure ciphers:
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+# Speed-optimized SSL Cipher configuration:
+# If speed is your main concern (on busy HTTPS servers e.g.),
+# you might want to force clients to specific, performance
+# optimized ciphers. In this case, prepend those ciphers
+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+# Caveat: by giving precedence to RC4-SHA and AES128-SHA
+# (as in the example below), most connections will no longer
+# have perfect forward secrecy - if the server's key is
+# compromised, captures of past or future traffic must be
+# considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
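Review bot: `SSLHonorCipherOrder on` appears only in the commented-out speed-optimized block, so with the active `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` line the client's preference decides which suite is negotiated and the HIGH-before-MEDIUM ordering of the list has no effect; the comment should say so (or the directive should be enabled by default) so that administrators know which side actually chooses the cipher. Replacing `!ADH` with `!aNULL` is the right change, since `aNULL` also excludes the anonymous ECDH suites and not only anonymous DH. The added caveat is accurate as written: RC4-SHA and AES128-SHA use static RSA key exchange, so once the server's private key is known, recorded sessions can be decrypted, which is exactly the forward-secrecy loss the comment describes. Keeping `MEDIUM` in the default list is what keeps RC4-SHA available at all; a one-line comment noting that would make the trade-off visible to anyone tightening the list later.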
--
Debian packaging for apache2 (Apache HTTPD 2.x)