Commit d7efe881 authored by William A. Rowe Jr's avatar William A. Rowe Jr
Browse files

Change the SSLCipherSuite default to a shorter, whitelist oriented 

definition.

Disable AECDH ciphers in example config by using !aNULL (which includes
all ciphers without authentication.

PR: 51363
Submitted by: rjung, kbrand, Rob Stradling <rob comodo com>
Backports: r966160, r1135234, r1203752 

Fix up some SSL configuration, per issue #49484. IE6 had a hotfix released
for this problem quite a while back (see kb 921090), so restrict the
modified behavior to the old/unsupported browsers.
* docs/conf/extra/http-ssl.conf.in:
  (): tighten up the regex to only select old MSIE browsers for the
    downgrade in http behavior. this allows IE6 to run much faster.
* Make the MSIE BrowserMatch regexp fit for MSIE 10. Remove useless '.*'

Backports: r966055, r1132793
Submitted by: gstein, sf

Reviewed by: wrowe, rjung, gsmith


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1497156 13f79535-47bb-0310-9956-ffa450edef68
parent 1c9269b5

CHANGES

+9 −0
Original line number Diff line number Diff line
@@ -73,6 +73,15 @@ Changes with Apache 2.0.65 
  *) Improve platform detection for bundled PCRE by updating config.guess

     and config.sub.  [Rainer Jung]



  *) ssl-std.conf: Disable AECDH ciphers in example config. PR 51363.

     [Rob Stradling <rob comodo com>]



  *) ssl-std.conf: Change the SSLCipherSuite default to a shorter,

     whitelist oriented definition.  [Rainer Jung, Kaspar Brand]



  *) ssl-std.conf: Only select old MSIE browsers for the downgrade

     in http/https behavior.  [Greg Stein, Stefan Fritsch]



Changes with Apache 2.0.64



  *) SECURITY: CVE-2010-1452 (cve.mitre.org)

STATUS

+0 −6
Original line number Diff line number Diff line
@@ -124,12 +124,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 
    identify exactly what the proposed changes are!  Add all new

    proposals to the end of this list. ]



   * Alternate: -SSLv2, Simplify SSLCipherSuite, corresponding docs fix,

     MSIE downgrade changes

     r966160, r1135234, r1203752, r966055, r1132793

     http://people.apache.org/~wrowe/https-std-2.0.patch

     +1: wrowe, rjung, gsmith





PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON:

docs/conf/ssl-std.conf.in

+7 −2
Original line number Diff line number Diff line
@@ -93,10 +93,15 @@ TransferLog @exp_logfiledir@/access_log 
#   Enable/Disable SSL for this virtual host.

SSLEngine on



#   SSL Protocol support:

#   List the protocol versions which clients are allowed to

#   connect with. Disable SSLv2 by default (cf. RFC 6176).

SSLProtocol all -SSLv2



#   SSL Cipher Suite:

#   List the ciphers that the client is permitted to negotiate.

#   See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5



#   Server Certificate:

#   Point SSLCertificateFile at a PEM encoded certificate.  If
@@ -231,7 +236,7 @@ SSLCertificateKeyFile @exp_sysconfdir@/ssl.key/server.key 
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

#   "force-response-1.0" for this.

SetEnvIf User-Agent ".*MSIE.*" \

SetEnvIf User-Agent "MSIE [2-5]" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

docs/manual/ssl/ssl_howto.html.en

+4 −4
Original line number Diff line number Diff line
@@ -69,10 +69,10 @@ without knowing its restrictions and coherences.</p> 
<h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption

only?</a></h3>



    <p>The following enables only the seven strongest ciphers:</p>

    <p>The following enables only the strongest ciphers:</p>

    <div class="example"><h3>httpd.conf</h3><p><code>

      SSLProtocol all<br />

      SSLCipherSuite HIGH:MEDIUM<br />

      SSLProtocol all -SSLv2<br />

      SSLCipherSuite HIGH:!aNULL:!MD5<br />

    </code></p></div>
@@ -119,7 +119,7 @@ URL?</a></h3> 
      &lt;Location /strong/area&gt;<br />

      # but https://hostname/strong/area/ and below<br />

      # requires strong ciphers<br />

      SSLCipherSuite HIGH:MEDIUM<br />

      SSLCipherSuite HIGH:!aNULL:!MD5<br />

      &lt;/Location&gt;

    </code></p></div>

docs/manual/ssl/ssl_howto.xml

+4 −4
Original line number Diff line number Diff line
@@ -65,10 +65,10 @@ without knowing its restrictions and coherences.</p> 
<section id="onlystrong">

<title>How can I create an SSL server which accepts strong encryption

only?</title>

    <p>The following enables only the seven strongest ciphers:</p>

    <p>The following enables only the strongest ciphers:</p>

    <example><title>httpd.conf</title>

      SSLProtocol all<br />

      SSLCipherSuite HIGH:MEDIUM<br />

      SSLProtocol all -SSLv2<br />

      SSLCipherSuite HIGH:!aNULL:!MD5<br />

    </example>

</section>
@@ -116,7 +116,7 @@ URL?</title> 
      &lt;Location /strong/area&gt;<br />

      # but https://hostname/strong/area/ and below<br />

      # requires strong ciphers<br />

      SSLCipherSuite HIGH:MEDIUM<br />

      SSLCipherSuite HIGH:!aNULL:!MD5<br />

      &lt;/Location&gt;

    </example>

</section>