OpenSSL and Heimdal
Mark Felder
feld at feld.me
Wed May 2 22:14:51 UTC 2012
On Wed, 02 May 2012 16:01:49 -0500, Matt Dawson <matt at chronos.org.uk> wrote:
> mod_gnutls in ports. Setup is simple for Apache. Prefer the RC4 cipher
> which secures SSLv3 against BEAST. This setup on my own HTTPS servers
> passes Qualys' own tests with an A rating of 87 and tells me BEAST is
> mitigated, although the thing still gives me an error on session
> resumption which I know damned well works. It's all there for server
> side in ports.
Why go out of your way and use mod_gnutls? You can simply set your SSL
settings like this:
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    # SSLv2 off; SSLv3 and TLSv1 on
    SSLProtocol -ALL +SSLv3 +TLSv1
    # Server's order wins, so RC4 is chosen ahead of the CBC suites in HIGH
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>
And now you have a rating of 85 and no BEAST issues.
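The cipher selection that the SSLHonorCipherOrder / SSLCipherSuite pair above depends on, as an added example that is not part of the thread: it expands the posted cipher string with the same `!` exclusion semantics OpenSSL uses, then shows which suite a TLS 1.0 client and a TLS 1.2 client would end up with when the server's order is honoured versus when the client's order is honoured, and whether the result is a CBC suite under SSLv3/TLS 1.0 (the only combination BEAST applies to). The alias table and the two client offer lists are constructed, illustrative subsets, not the full OpenSSL 1.0.x expansion; use `openssl ciphers -v '<string>'` on a real build for that.

```python
"""Simulate server-side cipher selection for the Apache directives above.

Added example, not from the freebsd-security thread. ALIASES and the
client offers are a constructed subset of 2012-era OpenSSL suites.
"""

CIPHERSUITE = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"

# suite -> (minimum protocol, record-layer mode); constructed subset
SUITES = {
    "ECDHE-RSA-AES128-SHA256": ("TLSv1.2", "CBC"),
    "AES128-GCM-SHA256":       ("TLSv1.2", "AEAD"),
    "ECDHE-RSA-RC4-SHA":       ("SSLv3",   "STREAM"),
    "RC4-SHA":                 ("SSLv3",   "STREAM"),
    "RC4-MD5":                 ("SSLv3",   "STREAM"),
    "ECDHE-RSA-AES256-SHA":    ("SSLv3",   "CBC"),
    "DHE-RSA-AES256-SHA":      ("SSLv3",   "CBC"),
    "AES256-SHA":              ("SSLv3",   "CBC"),
    "AES128-SHA":              ("SSLv3",   "CBC"),
    "DES-CBC3-SHA":            ("SSLv3",   "CBC"),
    "ADH-AES256-SHA":          ("SSLv3",   "CBC"),
}
# OpenSSL alias -> suites in the order they would be emitted (constructed subset)
ALIASES = {
    "RC4":   ["ECDHE-RSA-RC4-SHA", "RC4-SHA", "RC4-MD5"],
    "HIGH":  ["ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA", "AES256-SHA",
              "AES128-SHA", "DES-CBC3-SHA", "ADH-AES256-SHA"],
    "MD5":   ["RC4-MD5"],
    "aNULL": ["ADH-AES256-SHA"],
    "EDH":   ["DHE-RSA-AES256-SHA"],
}
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def expand(spec):
    """Expand a ':'-separated OpenSSL cipher string. Simplified: plain
    tokens append (first occurrence wins), '!' tokens remove the suites
    permanently, even if a later token would add them again."""
    order, banned = [], set()
    for token in spec.split(":"):
        if token.startswith("!"):
            banned.update(ALIASES.get(token[1:], [token[1:]]))
            continue
        for name in ALIASES.get(token, [token]):
            if name not in order:
                order.append(name)
    return [n for n in order if n not in banned]


def negotiate(server_order, client_offer, client_proto, honor_server_order=True):
    """Suite the server selects. SSLHonorCipherOrder On: first suite in the
    server's list the client also offers; Off: first suite in the client's
    list the server accepts. Suites above the client's protocol are skipped."""
    usable = [s for s in server_order
              if PROTOCOLS.index(SUITES[s][0]) <= PROTOCOLS.index(client_proto)]
    if honor_server_order:
        common = [s for s in usable if s in client_offer]
    else:
        common = [s for s in client_offer if s in usable]
    return common[0] if common else None


def beast_exposed(suite, proto):
    """BEAST needs a CBC suite under SSLv3 or TLS 1.0; stream/AEAD suites
    and TLS 1.1+ (explicit per-record IVs) are outside its scope."""
    return SUITES[suite][1] == "CBC" and proto in ("SSLv3", "TLSv1")


# Constructed client offers, in each client's own preference order.
TLS10_CLIENT = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"]
TLS12_CLIENT = ["ECDHE-RSA-AES128-SHA256", "AES128-GCM-SHA256",
                "AES128-SHA", "RC4-SHA"]
SERVER_ORDER = expand(CIPHERSUITE)


def report(client_offer, proto, honor_server_order=True):
    """(selected suite, BEAST exposed?) for one client against SERVER_ORDER."""
    suite = negotiate(SERVER_ORDER, client_offer, proto, honor_server_order)
    return (suite, beast_exposed(suite, proto) if suite else None)


if __name__ == "__main__":
    print("server order:", SERVER_ORDER)
    for label, offer, proto in (("TLS1.0 client", TLS10_CLIENT, "TLSv1"),
                                ("TLS1.2 client", TLS12_CLIENT, "TLSv1.2")):
        for honor in (True, False):
            suite, exposed = report(offer, proto, honor)
            print(f"{label}, SSLHonorCipherOrder {'On' if honor else 'Off'}: "
                  f"{suite} (BEAST exposed: {exposed})")
```

The point the simulation makes is that the two TLS 1.2 suites at the front of the string are never offered by a TLS 1.0 client, so that client falls through to RC4 only because the server's order is honoured; with SSLHonorCipherOrder Off the same client lands on AES256-SHA, a CBC suite, and is back in BEAST's scope. For reference, this is a 2012 configuration: RC4 has since been prohibited for TLS by RFC 7465, so the trade-off the thread describes no longer applies to current deployments.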