From: Kaspar Brand Date: Fri, 18 Nov 2011 17:18:31 +0000 (+0000) Subject: merge r1203752 from trunk: X-Git-Tag: 2.3.16~145 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=aca418a70c259bb69793e01ecb381736e757caed;p=apache merge r1203752 from trunk: Change the SSLCipherSuite default to a shorter, whitelist oriented definition, and add an example for a speed-optimized configuration (commented out by default). In the SSL How-To, streamline the SSLCipherSuite examples where applicable (explicitly banning EXP and NULL is not needed when only HIGH is specified). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1203753 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 58344f980d..58e5b7c66f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.0 + *) mod_ssl: use a shorter setting for SSLCipherSuite in the default + default configuration file, and add some more information about + configuring a speed-optimized alternative. + [Kaspar Brand] + *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand] *) mod_lua: Stop losing track of all but the most specific LuaHook* directives diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in index 144dfe7cc1..1e822a31a1 100644 --- a/docs/conf/extra/httpd-ssl.conf.in +++ b/docs/conf/extra/httpd-ssl.conf.in 
@@ -48,12 +48,19 @@ Listen @@SSLPort@@ # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL - -# SSL Cipher Honor Order: -# On a busy HTTPS server you may want to enable this directive -# to force clients to use one of the faster ciphers like RC4-SHA -# or AES128-SHA in the order defined by SSLCipherSuite. +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 + +# Speed-optimized SSL Cipher configuration: +# If speed is your main concern (on busy HTTPS servers e.g.), +# you might want to force clients to specific, performance +# optimized ciphers. In this case, prepend those ciphers +# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. +# Caveat: by giving precedence to RC4-SHA and AES128-SHA +# (as in the example below), most connections will no longer +# have perfect forward secrecy - if the server's key is +# compromised, captures of past or future traffic must be +# considered compromised, too. +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 #SSLHonorCipherOrder on # Pass Phrase Dialog: diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index 6ac014641c..e69b311064 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml @@ -66,21 +66,17 @@ requires a strong cipher for access to a particular URL? only?

The following enables only the strongest ciphers:

httpd.conf - SSLProtocol all -SSLv2
- SSLCipherSuite HIGH:!aNULL:!EXP:!MD5:!NULL
+ SSLCipherSuite HIGH:!aNULL:!MD5
-

While with the following configuration you enable two ciphers - which are resonably secure, and fast:

+

While with the following configuration you specify a preference + for specific speed-optimized ciphers (which will be selected by + mod_ssl, provided that they are supported by the client):

httpd.conf - SSLProtocol all -SSLv2
- SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!EXP:!MD5:!NULL
+ SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
- -

This strongly reflects the default value of SSLCipherSuite and is the recommanded way to configure it.
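Review bot: the unchanged closing sentence of this hunk, "This strongly reflects the default value of SSLCipherSuite and is the recommanded way to configure it.", no longer matches the change it follows: the example directly above it now prefers RC4-SHA and AES128-SHA with SSLHonorCipherOrder on, while the shipped default in httpd-ssl.conf.in in this same commit becomes HIGH:MEDIUM:!aNULL:!MD5, with the speed-optimized variant commented out and carrying a forward-secrecy caveat. Suggest rewording so that the first example (SSLCipherSuite HIGH:!aNULL:!MD5) is the one described as corresponding to the default, and repeating the conf file's caveat (preferring RC4-SHA/AES128-SHA gives up perfect forward secrecy for most connections) next to the speed-optimized example; while the line is being touched, "recommanded" should read "recommended".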

@@ -101,7 +97,7 @@ URL? <Location /strong/area>
# but https://hostname/strong/area/ and below
# requires strong ciphers
- SSLCipherSuite HIGH:!aNULL:!EXP:!MD5:!NULL
+ SSLCipherSuite HIGH:!aNULL:!MD5
</Location>
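Review bot: in the CHANGES hunk, "in the default default configuration file" repeats the word "default" and should read "in the default configuration file". It would also help people diffing releases if the entry named the new value (HIGH:MEDIUM:!aNULL:!MD5), since the old default contained !EXP, !LOW and !SSLV2 tokens that a whitelist-oriented setting no longer needs.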
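Review bot: in the httpd-ssl.conf.in hunk, "(on busy HTTPS servers e.g.)" reads awkwardly; suggest "(e.g. on busy HTTPS servers)". The forward-secrecy caveat in the commented-out block is a useful addition. Since the new default HIGH:MEDIUM:!aNULL:!MD5 leaves SSLHonorCipherOrder commented out, consider adding a one-line comment stating that without SSLHonorCipherOrder the client's preference decides which of the permitted ciphers is negotiated, so it is clear why the speed-optimized block enables both directives together, and that !MD5 is still doing work in a whitelist-style string (HIGH:MEDIUM alone does not exclude MD5-based MACs).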