[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, next, updated. 6bd9659e656ceeab76a631c9d1690d75d959e6c4

Stefan Fritsch sf at sfritsch.de
Sat Apr 14 19:13:12 UTC 2012


The following commit has been merged in the next branch:
commit 6bd9659e656ceeab76a631c9d1690d75d959e6c4
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sat Apr 14 21:12:13 2012 +0200

    Update ssl default cipher config, add alternative speed optimized
    config. Include upstream's comment about the caveat.

diff --git a/debian/changelog b/debian/changelog
index e8b5499..49c2eed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -23,8 +23,10 @@ apache2 (2.4.1-5) experimental; urgency=low
   * Change default config to deny access to / in the file system and only
     allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022
   * Disable MultiViews in the default config.
+  * Update ssl default cipher config, add alternative speed optimized config.
+    Closes: #649020
 
- -- Stefan Fritsch <sf at debian.org>  Sat, 14 Apr 2012 20:59:59 +0200
+ -- Stefan Fritsch <sf at debian.org>  Sat, 14 Apr 2012 21:07:50 +0200
 
 apache2 (2.4.1-3) experimental; urgency=low
 
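Review bot: the new changelog line `+  * Update ssl default cipher config, add alternative speed optimized config.` does not say what in the default changed, and the ssl.conf hunk in this commit replaces `!ADH` with `!aNULL` in `SSLCipherSuite`, which is a behavioural change (`aNULL` in OpenSSL cipher strings matches every suite without server authentication, of which ADH is only one). Consider stating that in the entry, e.g. `Update SSL default cipher config: exclude all unauthenticated ciphers (!aNULL instead of !ADH)`, so that anyone reading the changelog knows the default became stricter rather than just "updated".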
diff --git a/debian/config-dir/mods-available/ssl.conf b/debian/config-dir/mods-available/ssl.conf
index f544bd8..77e00de 100644
--- a/debian/config-dir/mods-available/ssl.conf
+++ b/debian/config-dir/mods-available/ssl.conf
@@ -52,15 +52,24 @@ SSLSessionCacheTimeout  300
 
 
 #   SSL Cipher Suite:
-#   List the ciphers that the client is permitted to negotiate.
-#   See the mod_ssl documentation for a complete list.
-#   enable only secure ciphers:
-SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
-#   Use this instead if you want to allow cipher upgrades via SGC facility.
-#   In this case you also have to use something like 
-#        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-#   see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
-#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+#   List the ciphers that the client is permitted to negotiate. See the
+#   ciphers(1) man page from the openssl package for list of all available
+#   options.
+#   Enable only secure ciphers:
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+#   Speed-optimized SSL Cipher configuration:
+#   If speed is your main concern (on busy HTTPS servers e.g.),
+#   you might want to force clients to specific, performance
+#   optimized ciphers. In this case, prepend those ciphers
+#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+#   (as in the example below), most connections will no longer
+#   have perfect forward secrecy - if the server's key is
+#   compromised, captures of past or future traffic must be
+#   considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on
 
 # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
 SSLProtocol all -SSLv2
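Review bot: the commented speed-optimized lines `#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5` / `#SSLHonorCipherOrder on` will, once enabled, hand RC4-SHA to every client that supports it, because `SSLHonorCipherOrder on` makes the server's order win over the client's preference; the caveat text above it only explains the loss of perfect forward secrecy and not that AES-capable clients are also steered onto RC4 in preference to AES128-SHA. Either document that second effect in the comment or list AES128-SHA before RC4-SHA in the example. It would also help to tell users how to check what a cipher string expands to on their OpenSSL build, since the comment already points at ciphers(1): `openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'` prints the resulting ordered list.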

-- 
Debian packaging for apache2 (Apache HTTPD 2.x)