Re: Why no security update of apache2 concerning SSLv3?
On Friday 20 March 2015 08:45:13 Vincent Lefevre wrote:
> On 2015-03-19 16:03:38 -0600, Bob Proulx wrote:
> > Vincent Lefevre wrote:
> > > Bob Proulx wrote:
> > > > The Debian default Apache2 configuration for ssl is in local-ssl
> > > > and it configures the self-signed so called "snakeoil"
> > > > certificates.
> > >
> > > No, it is /etc/apache2/mods-available/ssl.conf, where you have the
> > > SSLProtocol line, which is the line that needs to be modified.
> >
> > No, (I will just turn your reply around) that entry is commented
> > out.
>
> No, it is not commented out. The default in unstable is:
>
> SSLProtocol all -SSLv3
>
> And the default in wheezy is:
>
> SSLProtocol all -SSLv2
>
> You can check in apache2.2-common 2.2.22-13+deb7u4.
>
> > It isn't an *active* part of the Debian configuration. The local
> > admin must actually do something. Changing one commented out entry
> > to another commented out entry is still a commented out entry.
>
> Even if it were commented out by default, there could be two
> solutions:
>
> 1. The configuration tool could uncomment the entry and change it.
>
> 2. The default (i.e. hardcoded value) could be changed, if possible.
>
> > (Although it should wake up the admin that they need to merge files
> > if they modified it. But I all too often see local admins simply
> > keep their previous version of files without merging. Look at all
> > of the people with trouble after the sudo secure_path change for
> > examples.)
>
> Note that I suggested the change in the case the file was *not*
> modified. The admin I was mentioning wanted to keep Debian's
> default (i.e. without any local change).
>
> > The /etc/apache2/mods-available/ssl.conf doesn't need to be modified
> > by the local admin because the cipher list there is commented out.
>
> No, it is not commented out. ./etc/apache2/mods-available/ssl.conf
> in apache2.2-common_2.2.22-13+deb7u4_amd64.deb contains:
>
> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Call me confused. And I do run my own web page from this machine. URL
in sig.
First, there is no ~./etc/apache2/mods-available/ssl.conf, but there is a
/etc/apache2/mods-available/ssl.conf
With relatively sparse bits of uncommenting that would appear to be
related here:
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Frame-Options DENY
Documentation on this stuff and its interactions is sparse at best,
despite the fact that I have installed what should be the correct man pages.
Some of the above has been edited pursuant to anti-POODLE instructions
found by Google.
So, am I safe, or low hanging fruit with those settings?
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
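The thread turns on what a given SSLProtocol line actually enables (mod_ssl processes its arguments left to right, and "all -SSLv2" says nothing about SSLv3), and on whether the settings Gene posted leave him exposed. The following audit script is an added example, not code from the thread, from Debian's apache2 package, or from Apache; it re-implements mod_ssl's SSLProtocol argument handling and flags SSLv2/SSLv3 left on, a missing SSLProtocol line (mod_ssl then defaults to "all"), SSLHonorCipherOrder not set to on, and a Header line whose first word is not a mod_headers condition or action. Assumptions: "all" is given its Apache 2.4 meaning (SSLv3 plus TLS; the 2.2 documentation defined it as "+SSLv2 +SSLv3 +TLSv1", selectable via ALL_2_2), <Section> scoping and merge order are ignored so each directive is judged on its own, and the SAMPLE text is constructed for the demonstration rather than taken from any real ssl.conf.

```python
"""Audit Apache mod_ssl configuration text for POODLE-era settings.

Added example, not code from the thread or from Debian's apache2 package.
"""
import shlex

# Assumption: Apache 2.4 meaning of "all" (no SSLv2). Apache 2.2 documented
# "all" as "+SSLv2 +SSLv3 +TLSv1"; pass ALL_2_2 as all_set for that build.
ALL_2_4 = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
ALL_2_2 = frozenset({"SSLv2", "SSLv3", "TLSv1"})
KNOWN = {p.lower(): p for p in ALL_2_4 | ALL_2_2}

# mod_headers: "Header [condition] action header [value]"
HEADER_WORDS = {"onsuccess", "always",                       # conditions
                "set", "append", "add", "unset", "echo", "merge",
                "edit", "edit*", "note", "setifempty"}        # actions


def parse_directives(text):
    """Yield (lineno, name, args) for every active directive.

    Apache rules applied: a line whose first non-blank character is '#' is
    a comment, a trailing backslash continues the line, and arguments may be
    double-quoted. <Section> tags are skipped, so scoping is ignored and
    each directive is reported on its own.
    """
    pending, first = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        first = lineno if first is None else first
        line = raw.strip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        joined, start = " ".join(pending).strip(), first
        pending, first = [], None
        if joined and not joined.startswith(("#", "<")):
            words = shlex.split(joined)
            yield start, words[0], words[1:]


def effective_protocols(args, all_set=ALL_2_4):
    """Replicate mod_ssl's left-to-right handling of SSLProtocol arguments.

    '+name' adds, '-name' removes, and a bare name REPLACES the set built so
    far (mod_ssl logs "overrides already set parameter(s)" for that case).
    Hence 'all -SSLv2' still leaves SSLv3 on, 'all -SSLv2 -SSLv3' does not,
    and 'TLSv1 TLSv1.2' enables only TLSv1.2. Names are case-insensitive.
    """
    enabled = set()
    for word in args:
        action, name = (word[0], word[1:]) if word and word[0] in "+-" else ("", word)
        if name.lower() == "all":
            chosen = set(all_set)
        elif name.lower() in KNOWN:
            chosen = {KNOWN[name.lower()]}
        else:
            raise ValueError("SSLProtocol: unknown protocol %r" % word)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return frozenset(enabled)


def audit(text, all_set=ALL_2_4):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings, saw_protocol, honor = [], False, False
    for lineno, name, args in parse_directives(text):
        key = name.lower()
        if key == "sslprotocol":
            saw_protocol = True
            for legacy in ("SSLv2", "SSLv3"):
                if legacy in effective_protocols(args, all_set):
                    findings.append("line %d: 'SSLProtocol %s' leaves %s enabled"
                                    % (lineno, " ".join(args), legacy))
        elif key == "sslhonorcipherorder":
            honor = bool(args) and args[0].lower() == "on"
        elif key == "header" and (not args or args[0].lower() not in HEADER_WORDS):
            findings.append("line %d: 'Header %s' is not valid mod_headers syntax"
                            % (lineno, " ".join(args)))
    if not saw_protocol:
        findings.append("no SSLProtocol directive: mod_ssl defaults to 'all', "
                        "so SSLv3 is enabled")
    if not honor:
        findings.append("SSLHonorCipherOrder is not 'on': the client picks the cipher")
    return findings


# Constructed sample, not a real Debian file: the wheezy default SSLProtocol
# line commented out above a POODLE-hardened one, plus a mistyped Header line
# ("alway") of the kind that makes Apache refuse the configuration.
SAMPLE = """\
<IfModule mod_ssl.c>
    # SSLProtocol all -SSLv2
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite AES128+EECDH:AES128+EDH
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security \\
        "max-age=63072000; includeSubDomains"
    Header alway set X-Frame-Options DENY
</IfModule>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

Run against the sample, the script reports only the bad Header line; the SSLProtocol line itself leaves just TLSv1, TLSv1.1 and TLSv1.2 enabled, which is what the anti-POODLE advice aims at. The script only reads text, so pair it with `apache2ctl configtest` for syntax and with a live check against the listening port (for example `openssl s_client -ssl3 -connect host:443`, which must fail to negotiate) before trusting the file on disk to describe the running server.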