Bug#649020: apache2: stronger and faster default SSL config

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#649020: apache2: stronger and faster default SSL config
From: Francois Marier <francois@debian.org>
Date: Thu, 17 Nov 2011 12:23:36 +1300
Message-id: <[🔎] 20111116232336.18232.68159.reportbug@isafjordur.dyndns.org>
Reply-to: Francois Marier <francois@debian.org>, 649020@bugs.debian.org

Package: apache2.2-common

Version: 2.2.21-2
Severity: wishlist

Based on a lot of reading and testing, I've come up with what I believe
is a good combination of compatibility, security and speed for a mod_ssl
configuration:

  SSLProtocol TLSv1
  SSLHonorCipherOrder On
  SSLCipherSuite RC4-SHA:HIGH:!kEDH

(We currently don't have any of the above directives in
/etc/apache2/sites-available/default-ssl so I'm proposing we add them.)

It removes weak ciphers, prefers the fast ones and protects against the
BEAST attack. See more details here:

  http://feeding.cloud.geek.nz/2011/11/ideal-openssl-configuration-for-apache.html

Cheers,
Francois

Reply to:

Prev by Date: Re: Let's talk about SVN management
Next by Date: Re: Let's talk about SVN management
Previous by thread: Bug#647075: please support RUN in /etc/default/apache2
Next by thread: Bug#649310: Apache serves inexistent URIs when mod_negotiation is loaded
Index(es):
- Date
- Thread