On Thursday 04 December 2014 10:56:54 Eric H. Christensen wrote:
> The default settings for mod_ssl (for use in httpd) are:
>
> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>
> This isn't a great default (for many reasons).

I'd say that making sure that SSLCipherSuite DEFAULT is secure would be better.

I've posted a suggestion to the openssl-dev list to change the ordering and ciphers present in DEFAULT (as well as in HIGH, MEDIUM, LOW) - the only voices against were about removing RC4 ciphers from both DEFAULT and MEDIUM, but given that we will soon have an RFC that disallows RC4 that should be a bit easier to push through (also, RC4 use has fallen quite a bit since that time).

Unfortunately I don't have the time to work on the code changes that this requires.

For now the CryptoPolicy is better.

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
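The thread argues about what `HIGH:MEDIUM:!aNULL:!MD5` and `DEFAULT` actually select and in what order. The script below is an added example, not code from the post or from Red Hat; it expands a cipher string through the local OpenSSL (via Python's `ssl` module, which passes the string to `SSL_CTX_set_cipher_list`) and flags entries an auditor would want gone. Names such as `expand`, `weak_entries` and `only_in` are assumptions of this example, and the result depends on the OpenSSL build the interpreter links against (a modern build no longer ships RC4 at all, so the flagged list may be empty).

```python
import ssl

# Cipher strings from the thread: the quoted mod_ssl default and OpenSSL's DEFAULT.
MOD_SSL_DEFAULT = "HIGH:MEDIUM:!aNULL:!MD5"
OPENSSL_DEFAULT = "DEFAULT"

# Substrings that mark ciphers a policy review would reject: RC4 stream cipher,
# MD5 MAC, anonymous (unauthenticated) key exchange, NULL encryption, export grade.
WEAK_MARKERS = ("RC4", "MD5", "ADH", "AECDH", "NULL", "EXP")


def expand(cipher_string):
    """Expand an OpenSSL cipher string through libssl and return the ordered
    list of TLS 1.2-and-earlier cipher names it selects (first = most preferred).

    TLS 1.3 suites are listed by get_ciphers() too but are not governed by
    this string, so they are filtered out to show only what the setting controls.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_entries(names):
    """Return the cipher names in `names` that carry one of WEAK_MARKERS."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def only_in(first, second):
    """Ciphers selected by `first` but not by `second` (order of `first` kept).
    Useful to see what one policy string enables that the other does not."""
    second_set = set(second)
    return [n for n in first if n not in second_set]


def prefers_forward_secrecy(names):
    """True if the most preferred cipher uses an ephemeral (EC)DHE key exchange,
    i.e. the ordering puts forward-secret suites first."""
    return bool(names) and names[0].startswith(("ECDHE-", "DHE-"))


if __name__ == "__main__":
    for label, cs in (("mod_ssl", MOD_SSL_DEFAULT), ("DEFAULT", OPENSSL_DEFAULT)):
        names = expand(cs)
        print(f"{label:8} {cs}: {len(names)} suites, "
              f"FS-first={prefers_forward_secrecy(names)}, "
              f"flagged={weak_entries(names)}")
    print("in DEFAULT but not in mod_ssl:",
          only_in(expand(OPENSSL_DEFAULT), expand(MOD_SSL_DEFAULT)))
```

Run it on the host whose httpd you are reviewing; the list it prints is exactly what that machine's libssl would offer, which is the only authoritative answer to "what does this string mean here".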