Port Fetch Failing
Roger Marquis
marquis at roble.com
Tue Jun 2 01:25:16 UTC 2015
>> Thanks to you and Chuck, I have a more reasonable (I think):
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:-eNULL:-SSLv3:-SSLv2:TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA256
Reasonable depends on the use case. Though this topic would be better
discussed on freebsd-security@, the good advice given on
<https://wiki.mozilla.org/Security/Server_Side_TLS>,
<https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/>
and <https://weakdh.org/sysadmin.html> tends to recommend:
SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder on
and if you're using httpd 2.3.3 or higher:
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
If you're processing credit cards SSLProtocol will need to be expanded to
"-SSLv2 -SSLv3 -TLSv1" by 2016/07 (for PCI compliance) and if you have
good reason to be paranoid and all of your clients are up-to-date, add
"-TLSv1.1".
Roger Marquis
More information about the freebsd-ports
mailing list