i386/156987: Harden SSL cipher suites strength and SSL protocol support of /usr/local/etc/apache/extra/httpd-ssl.conf
Adrian Dimcev
adimcev at carbonwind.net
Thu May 12 21:20:09 UTC 2011
>Number: 156987
>Category: i386
>Synopsis: Harden SSL cipher suites strength and SSL protocol support of /usr/local/etc/apache/extra/httpd-ssl.conf
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu May 12 21:20:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Adrian Dimcev
>Release: FreeBSD-8.2-RELEASE-i386
>Organization:
>Environment:
>Description:
Testing the default configuration of the SSL part (including mod_ssl) of Apache2 on FreeBSD 8.2 (i386), it was noted that the default /usr/local/etc/apache/extra/httpd-ssl.conf configuration regarding SSL cipher suite strength and SSL protocol support is pretty bad: SSL 2.0 is enabled, and weak cipher suites (DES based) and export cipher suites (including RC2 based ones) are enabled. These should be disabled by default.
Test results:
http://www.carbonwind.net/blog/post/On-scope-default-SSLTLS-settings-shipped-on-various-Linux-distros-for-Apache-22x.aspx
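As an added illustration (not part of this PR and not FreeBSD's httpd-ssl.conf), a small Python lint over the two mod_ssl directives the report names, SSLProtocol and SSLCipherSuite. The two sample configurations are constructed, and the cipher-string handling is a conservative approximation that errs toward flagging rather than OpenSSL's full matching algebra:

```python
"""Lint SSLProtocol / SSLCipherSuite in an httpd-ssl.conf for SSLv2, export, DES and RC2.

Approximation: OpenSSL's cipher-string algebra is not implemented; a weakness is flagged
when some token could admit the suites and no '!' rule permanently excludes them.
"""
import re

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}        # what 'all' expands to in Apache 2.2 mod_ssl
ADMIT = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}   # cipher-string tokens that pull in weak suites
# (finding, tokens that admit the suites, '!'-negated tokens that exclude them)
CIPHER_RULES = (
    ("export-grade suites", ADMIT | {"EXP", "EXPORT"}, {"EXP", "EXPORT"}),
    ("single-DES (LOW) suites", ADMIT | {"LOW", "DES"}, {"LOW", "DES"}),
    ("RC2 suites", ADMIT | {"EXP", "EXPORT", "RC2"}, {"RC2", "EXP", "EXPORT"}),  # RC2 suites are all export-grade
)

def directive(conf, name):
    """Value of the first uncommented `name` directive, or None when absent."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf, re.M | re.I)
    return m.group(1) if m else None

def enabled_protocols(value):
    """Expand an SSLProtocol value as Apache 2.2 does: 'all' adds every version, '+X' adds, '-X' removes.
    A missing directive means 'all', so SSLv2 stays on unless it is explicitly removed."""
    enabled = set()
    for tok in (value or "all").split():
        names = ALL_PROTOCOLS if tok.lstrip("+-").lower() == "all" else {tok.lstrip("+-")}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit(conf):
    """Return the weaknesses found in `conf`; an empty list means every check passed."""
    findings = []
    if "SSLv2" in enabled_protocols(directive(conf, "SSLProtocol")):
        findings.append("SSLv2 enabled")
    # assumption: when the directive is absent, mod_ssl's built-in cipher string starts from ALL
    tokens = [t for t in (directive(conf, "SSLCipherSuite") or "ALL").split(":") if t]
    killed = {t[1:] for t in tokens if t.startswith("!")}           # '!X' removes X for good
    present = {t.lstrip("+-") for t in tokens if not t.startswith("!")}
    for finding, admits, kills in CIPHER_RULES:
        if present & admits and not killed & kills:
            findings.append(finding + " not excluded")
    return findings

# Constructed samples (not the shipped file): the permissive shape the report objects to, and a hardened one.
WEAK_CONF = "SSLProtocol all\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\n"
HARDENED_CONF = "SSLProtocol all -SSLv2 -SSLv3\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!RC2:!DES:!MD5\n"

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run against a real httpd-ssl.conf, `audit(open(path).read())` should come back empty once SSLv2 is removed and the export, LOW/DES and RC2 suites are negated.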
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: