On Thu, Dec 04, 2014 at 11:31:04AM -0500, Miloslav Trmač wrote:
> ----- Original Message -----
> > The default setting for mod_ssl (for use in httpd) is:
> >
> > SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
> >
> > This isn't a great default (for many reasons). I'd like to propose we
> > provide the default cipher suites as defined by Mozilla[0] in the
> > configuration file with the Intermediate compatibility cipher suite
> > uncommented:
> > <quote>
> > #This is the modern cipher suite that provides a higher level of security and
> > is compatible with the latest browsers.
> > #SSLCipherSuite
> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

<removing unhelpful and unuseful input>

> Can what you want to do be done using the CryptoPolicy mechanism? (And should it be the default?)

Yes, and thank you for reminding me of this new, upcoming feature. There will always be a default, and that default should be something sane that provides both protection and compatibility. The current default leaves something to be desired with respect to security. Using the recommendations provided by Mozilla you get both in a balanced way.

I could see the three recommended cipher suite lists being used as low, default, and high security ratings within the CryptoPolicy.
--
Eric

--------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security
sparks@xxxxxxxxxx - sparks@xxxxxxxxxxxxxxxxx
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
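To see what the two cipher strings discussed in the message actually select, here is an added example that is not part of the thread and not code from Red Hat, Mozilla or the httpd project. It hands each string to the OpenSSL linked into Python's ssl module, the same expansion mod_ssl performs, and flags two things: suites whose names carry the markers the Mozilla string explicitly excludes (RC4, DES/3DES, MD5, export, NULL), and suites whose key exchange is not ephemeral, which is what separates the old default from the Mozilla list most reliably. Which weak suites turn up for HIGH:MEDIUM:!aNULL:!MD5 depends on the OpenSSL build: the 1.0.x builds current when this was written kept RC4 and 3DES in MEDIUM, while newer builds compile them out, so the forward-secrecy check is the more durable signal. The names HTTPD_DEFAULT, MOZILLA_INTERMEDIATE, WEAK_MARKERS, PFS_KEX, expand, is_forward_secret and audit are this example's own.

```python
"""Expand two SSLCipherSuite strings with the local OpenSSL and audit the result.

Added example, not from the thread. The suites returned depend on the OpenSSL
build behind Python's ssl module and on its configured security level.
"""
import ssl

# The mod_ssl default quoted in the message.
HTTPD_DEFAULT = "HIGH:MEDIUM:!aNULL:!MD5"

# Mozilla's "Intermediate" list exactly as quoted in the message, joined into
# one OpenSSL cipher string.
MOZILLA_INTERMEDIATE = ":".join([
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256", "kEDH+AESGCM",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA",
    "!aNULL", "!eNULL", "!EXPORT", "!DES", "!RC4", "!3DES", "!MD5", "!PSK",
])

# Name fragments marking a suite the message wants gone: RC4, single or
# triple DES (OpenSSL names 3DES "DES-CBC3-SHA"), MD5 MACs, export grades,
# and NULL encryption or authentication.
WEAK_MARKERS = ("RC4", "DES", "MD5", "EXP", "NULL")

# Key-exchange labels OpenSSL reports for ephemeral (forward-secret) exchange.
# TLS 1.3 suites report "kx-any" because TLS 1.3 only has ephemeral exchange.
PFS_KEX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def expand(cipher_string):
    """Return the suite descriptions the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def is_forward_secret(suite):
    """True if the suite's key exchange is ephemeral (ECDHE, DHE, or TLS 1.3)."""
    kea = suite.get("kea")
    if kea is not None:
        return kea in PFS_KEX
    # Older Python/OpenSSL pairings omit "kea"; fall back to the suite name.
    return suite["name"].startswith(("ECDHE-", "DHE-", "TLS_"))


def audit(cipher_string):
    """Summarise a cipher string: all suite names, the weak ones, the non-PFS ones."""
    suites = expand(cipher_string)
    names = [s["name"] for s in suites]
    return {
        "names": names,
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "non_pfs": [s["name"] for s in suites if not is_forward_secret(s)],
    }


if __name__ == "__main__":
    for label, spec in (("httpd default", HTTPD_DEFAULT),
                        ("Mozilla intermediate", MOZILLA_INTERMEDIATE)):
        report = audit(spec)
        print(f"{label}: {len(report['names'])} suites, "
              f"{len(report['weak'])} weak, "
              f"{len(report['non_pfs'])} without forward secrecy")
        for name in report["weak"] + report["non_pfs"]:
            print("   ", name)
```

Run it on the host whose httpd is being configured, since that is the OpenSSL whose interpretation of the string matters. Every suite the Mozilla string selects is also selected by HIGH:MEDIUM:!aNULL:!MD5, so the difference between the two is entirely what the old default admits in addition: static-RSA key exchange on every build, plus RC4 and 3DES on builds that still ship them.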