Bug#654764: Mitigate B.E.A.S.T attack

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#654764: Mitigate B.E.A.S.T attack
From: Mathieu Parent <math.parent@gmail.com>
Date: Thu, 5 Jan 2012 16:43:50 +0100
Message-id: <[🔎] CAFX5sbzP39539OX_dx1Oc__bSL3O5S7sNup5kAJ9L03Ms6Pk5w@mail.gmail.com>
Reply-to: Mathieu Parent <math.parent@gmail.com>, 654764@bugs.debian.org

Package: apache2
Version: 2.2.21-5

Hi,

The BEAST vulnerability [1] "can be prevented by removing all CBC
ciphers from your list of allowed ciphers—leaving only the RC4
cipher".

But as this can break some old browsers that don't support RC4 (I
couldn't name one, sorry), I propose instead to pop RC4 to the top of
the list:

-SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
+SSLCipherSuite RC4:HIGH:MEDIUM:!ADH:!MD5:!SSLv2

(this almost-patch also disables SSLv2 ciphers)


[1]: http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0

-- 
Mathieu Parent

Reply to:

Follow-Ups:
- Bug#654764: Mitigate B.E.A.S.T attack
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Bug#654545: apache2-suexec: some possible security improvements for suexec/suexec-custom
Next by Date: Bug#654764: SSLHonorCipherOrder missing
Previous by thread: Bug#654545: apache2-suexec: some possible security improvements for suexec/suexec-custom
Next by thread: Bug#654764: Mitigate B.E.A.S.T attack
Index(es):
- Date
- Thread