Bug#746359: Please add comments in ssl.conf about using SSLHonorCipherOrder for security enhancement
Package: apache2
Version: 2.4.9-1
Severity: wishlist
Tags: patch
In apache version 2.4, mods-available/ssl.conf no longer contains any
hint about using SSLHonorCipherOrder. (The 2.2 hint was bad anyway.)
Default is to honor client choices by preference, not to honor server
cipher order.
However, many clients use weak choices. For example, iceweasel 24.2
prefers AES-128 over AES-256. (See security/nss/lib/ssl/sslenum.c in
iceweasel-24.4.0esr.)
You can test your clients' choices here:
https://www.ssllabs.com/ssltest/viewMyClient.html
chromium prefers AES-128 over AES-256 too in many cases.
For that reason, if you have a server with enough CPU power and want
good encryption, for example a banking institution, you will want to
prefer server order, which means strongest choices first.
You can test your favorite server here:
https://www.ssllabs.com/ssltest/analyze.html
The apache documentation is here:
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslhonorcipherorder
So I suggest we add these comments in ssl.conf:
# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice. Clients usually
# prefer low grade encryption.
# You should enable that option if you want stronger encryption, and can
# afford the CPU cost, and did not override SSLCipherSuite in a bad way.
# Default: Off
#SSLHonorCipherOrder on
It might be a good idea to improve apache2-doc upstream, too.
Actually, I wouldn't scream if that were the default, but adding
documentation is a good first step. ;)
-- Package-specific info:
-- System Information:
Debian Release: jessie/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apache2 depends on:
ii apache2-bin 2.4.9-1
ii apache2-data 2.4.9-1
ii lsb-base 4.1+Debian12
ii mime-support 3.54
ii perl 5.18.2-2+b1
ii procps 1:3.3.9-2
Versions of packages apache2 recommends:
ii ssl-cert 1.0.33
Versions of packages apache2-bin depends on:
ii libapr1 1.5.0-1
ii libaprutil1 1.5.3-1+b1
ii libaprutil1-dbd-sqlite3 1.5.3-1+b1
ii libaprutil1-ldap 1.5.3-1+b1
ii libc6 2.18-4
ii libldap-2.4-2 2.4.39-1
ii liblua5.1-0 5.1.5-5
ii libpcre3 1:8.31-5
ii libssl1.0.0 1.0.1g-3
ii libxml2 2.9.1+dfsg1-3
ii perl 5.18.2-2+b1
ii zlib1g 1:1.2.8.dfsg-1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii chromium [www-browser] 34.0.1847.116-2
ii iceweasel [www-browser] 24.4.0esr-1
ii lynx-cur [www-browser] 2.8.8pre5-1
ii w3m [www-browser] 0.5.3-15
Versions of packages apache2 is related to:
ii apache2 2.4.9-1
ii apache2-bin 2.4.9-1
-- no debconf information
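To illustrate what SSLHonorCipherOrder changes, here is an added simulation of cipher selection (not part of the bug report, and not Apache's code): the same client and server preference lists are resolved once under the default (client order wins) and once with the directive on (server order wins). The suite names and both preference lists are constructed for the example; the client list is ordered the way the report describes, AES-128 ahead of AES-256.

```python
"""Simulate how TLS cipher selection changes with Apache's SSLHonorCipherOrder."""

# Constructed client hello preference list, ordered to mirror the report's
# observation that some browsers list AES-128 suites before AES-256 ones.
CLIENT_PREFERENCE = [
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA",
    "AES128-SHA",
    "AES256-SHA",
    "RC4-SHA",
]

# Constructed server list, as SSLCipherSuite might order it: strongest first.
SERVER_PREFERENCE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA",
    "AES256-SHA",
    "AES128-SHA",
]


def select_cipher(client_prefs, server_prefs, honor_server_order=False):
    """Return the suite the server picks, or None if the lists do not overlap.

    honor_server_order=False models the Apache default (SSLHonorCipherOrder off):
    the first suite in the client's list that the server also supports wins.
    honor_server_order=True models SSLHonorCipherOrder on: the first suite in
    the server's list that the client also offered wins.
    """
    supported = set(server_prefs)
    offered = set(client_prefs)
    if honor_server_order:
        return next((c for c in server_prefs if c in offered), None)
    return next((c for c in client_prefs if c in supported), None)


def compare_policies(client_prefs, server_prefs):
    """Resolve the same client/server pair under both settings."""
    return {
        "SSLHonorCipherOrder off": select_cipher(client_prefs, server_prefs, False),
        "SSLHonorCipherOrder on": select_cipher(client_prefs, server_prefs, True),
    }


if __name__ == "__main__":
    for policy, suite in compare_policies(CLIENT_PREFERENCE, SERVER_PREFERENCE).items():
        print(f"{policy}: {suite}")
```

With these lists the default negotiates ECDHE-RSA-AES128-SHA, while honouring server order yields ECDHE-RSA-AES256-SHA; a client offering only suites the server lacks gets None, i.e. a handshake failure.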