[apache2] 02/02: Make default ciphers more secure

Stefan Fritsch sf at moszumanska.debian.org
Sun Jan 26 09:55:44 UTC 2014


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch master
in repository apache2.

commit e6e9a43bbcccbee1b8e7ca2d090baba059d1f38c
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sun Jan 26 10:47:42 2014 +0100

    Make default ciphers more secure
    
    Remove MEDIUM (RC4+SEED). Remove !MD5 because HIGH does not include MD5.
    Remove example including RC4
---
 debian/changelog                          |  5 +++++
 debian/config-dir/mods-available/ssl.conf | 15 +--------------
 2 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 47f89c7..8191275 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,10 @@
 apache2 (2.4.7-2) UNRELEASED; urgency=medium
 
+  * Make default cipher list in ssl.conf more secure:
+    - Remove 'MEDIUM'. This disables RC4 and SEED. Also remove '!MD5' because
+      'HIGH' does not include MD5.
+    - Remove the 'Speed-optimized SSL Cipher' configuration example because
+      it depends on RC4, which is considered insecure.
   * Patch the build system to avoid problems with patched config.m4's 
     as in LP #1251939 in the future.
 
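Review bot: the first bullet describes dropping 'MEDIUM' as if it only disabled RC4 and SEED, but 'MEDIUM' is an OpenSSL strength class, not a list of those two ciphers, so anything else OpenSSL files under it is dropped as well; word it as "This disables all MEDIUM-strength suites, notably RC4 and SEED" so readers of the changelog know other suites may also have gone. The second bullet could mention that the removed example was also where SSLHonorCipherOrder was documented, since that is a visible change for anyone who copied the commented example.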
diff --git a/debian/config-dir/mods-available/ssl.conf b/debian/config-dir/mods-available/ssl.conf
index 244d2a5..2df2338 100644
--- a/debian/config-dir/mods-available/ssl.conf
+++ b/debian/config-dir/mods-available/ssl.conf
@@ -56,20 +56,7 @@
 	#   ciphers(1) man page from the openssl package for list of all available
 	#   options.
 	#   Enable only secure ciphers:
-	SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-
-	#   Speed-optimized SSL Cipher configuration:
-	#   If speed is your main concern (on busy HTTPS servers e.g.),
-	#   you might want to force clients to specific, performance
-	#   optimized ciphers. In this case, prepend those ciphers
-	#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-	#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
-	#   (as in the example below), most connections will no longer
-	#   have perfect forward secrecy - if the server's key is
-	#   compromised, captures of past or future traffic must be
-	#   considered compromised, too.
-	#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-	#SSLHonorCipherOrder on
+	SSLCipherSuite HIGH:!aNULL
 
 	#   The protocols to enable.
 	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
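Review bot: removing the speed-optimized block takes the only SSLHonorCipherOrder guidance visible in this file, and the forward-secrecy caveat, out along with the RC4 example; keep that guidance with an RC4-free example (or at least the `#SSLHonorCipherOrder on` line plus a one-line note on putting ECDHE/DHE suites first) so admins who want server-side cipher ordering still find it here. Keeping `!aNULL` is correct, since `HIGH` on its own still admits the anonymous DH/ECDH suites. The comment "Enable only secure ciphers:" now sits directly above the live directive; consider tightening it to say what `HIGH:!aNULL` actually excludes rather than leaving "secure" undefined.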

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git
