-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The default settings for mod_ssl (for use in httpd) is: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 This isn't a great default (for many reasons). I'd like to propose we provide the default ciphers suites as defined by Mozilla[0] in the configuration file with the Intermediate compatibility cipher suite uncommented: <quote> #This is the modern cipher suite that provides a higher level of security and is compatible with the latest browsers. #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK #This is the intermediate cipher suite that provides good security and compatibility with many browsers. SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA #This is the old, backward compatibility cipher suite that works with clients back to Windows XP/IE6. This should only be used as a last resort. #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA </quote> By providing these recommended ciphers in the config file we provide the admin with a very good starting point with an easy way to move between configurations or change to something completely different. [0] https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - -- Eric - -------------------------------------------------- Eric "Sparks" Christensen Fedora Project sparks@xxxxxxxxxxxxxxxxx - sparks@xxxxxxxxxx 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1 - -------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQGcBAEBCgAGBQJUgIRDAAoJEB/kgVGp2CYvwGML/12tIYqi1wMK3dmcK2HSenh2 bwsNcIm7jL+jnsg5NLuBZjaJcDduMfFHAn5yh3WdG7lRzozMLy+EGZwDKCvUS2Vk okfPHRjD+Br37PceYYF1Pn1scHIK05JNw8TvYX52+unQDfdLRWEdaIoGZSP/oZk3 y5DhMBFnwediVBtdLYYbN9r4scaCDQOLBjUt4UmiKTiKbDNbEFRZn/VvGhDIX5RK niVbUO2g5/V319z3tnPQjd4b1DGRVDtWvpD27pco+ca+6Ywx8hiPD3mr5vr1/P0K OCn76gPuc4JaMSWeU80payp+YjJjprIt+AsteGroCzNX1pNn3bXPTY9JyGHXS/7S CNxdN6arqfyDJHai0/dTDy1GKPEiF0g1weFhFoF3SxtN9+duiQYP3z7enSbZyfTD AkZ0Dk6T0JHHhF2ojQ7Cf2+0ldE2eDu+iGD7xkreGF5nhUExYOgJOcpTnpjceo2w DsjymoBjAn4KS/vq1PEZauTsnzpLOhcWTZIRPHpnQg== =Aj6M -----END PGP SIGNATURE----- -- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security
