----- Original Message -----
> The default setting for mod_ssl (for use in httpd) is:
>
> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>
> This isn't a great default (for many reasons). I'd like to propose we
> provide the default cipher suites as defined by Mozilla[0] in the
> configuration file with the Intermediate compatibility cipher suite
> uncommented:
> <quote>
> #This is the modern cipher suite that provides a higher level of security and
> is compatible with the latest browsers.
> #SSLCipherSuite
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
<snip more endless unmaintainable strings>

I think we should try very hard to never end up with such a string inside a modified, admin-maintained config file; we won't be able to reasonably update it if the trade-offs and recommendations change.

In particular, per https://fedoraproject.org/wiki/Changes/CryptoPolicy and https://bugzilla.redhat.com/show_bug.cgi?id=1109119 we should already be using a sane default (though perhaps not precisely the one you are recommending). Can what you want to do be done using the CryptoPolicy mechanism? (And should it be the default?)

Mirek
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
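As an added illustration (editorial, not part of the thread above and not a Fedora package file), the three ways the disagreement could land in httpd's ssl.conf, side by side: the stock default the first poster objects to, the proposed Mozilla "intermediate" string, and the crypto-policy route Mirek asks about. The `PROFILE=SYSTEM` value is the directive later Fedora and RHEL httpd packages ship for exactly this purpose; it depends on a distribution-patched OpenSSL that resolves it against the system-wide policy, and it is an assumption here because the thread itself never names it.

```apache
# Added example, not from the thread. Three alternatives for the same
# directive in /etc/httpd/conf.d/ssl.conf; exactly one should be active.

# 1. The stock mod_ssl default. HIGH:MEDIUM is whatever the linked OpenSSL
#    build classifies as such, so its real contents drift with the library
#    and, on older builds, include RC4, 3DES and static-RSA key exchange
#    (no forward secrecy). That is why the quoted Mozilla string has to
#    spell out !RC4:!3DES explicitly.
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# 2. The proposed Mozilla intermediate list (the full string quoted in the
#    message above). Explicit and predictable, but frozen: every change in
#    recommendations means hand-editing this admin-owned file, which is the
#    maintainability objection raised in the reply.
#SSLCipherSuite <the full Mozilla intermediate string quoted above>

# 3. The crypto-policy route: defer to the system-wide policy so the list is
#    updated with the distribution (see update-crypto-policies(8)) rather
#    than per config file.
#    Assumption: PROFILE=SYSTEM is understood by this build's mod_ssl and
#    OpenSSL (true of later Fedora/RHEL packages; not stated on the page).
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
```

Whichever option is active, verify what it actually expands to rather than trusting the label: `openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5'` lists every suite the string enables on the installed library, and grepping that output for `RC4`, `3DES` or `Kx=RSA` shows the weak members at a glance. On a crypto-policies system, `update-crypto-policies --show` prints the policy that `PROFILE=SYSTEM` resolves to, and `apachectl configtest` confirms the directive is accepted by the running build before a restart.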