Hi.

I'm using Apache 2.2.22 and 2.2.16, and I wondered how vulnerable I am to the BEAST and CRIME attacks.

With regard to BEAST: I know most browsers fix that already, but I'd rather have it really enforced by the server. Further, I would prefer not to disable AES or enable RC4 at all. Also, there are sources on the web which claim that RC4 is actually more secure than AES. There are also sources (e.g. http://security.stackexchange.com/questions/17080/is-there-a-way-to-mitigate-beast-without-disabling-aes-completely ) which claim that this is a non-issue, as it was fixed in OpenSSL for all ciphers.

What's the status on CRIME?

And are there any other things one should consider when configuring mod_ssl? Should one disable SSL3 and (once I have upgraded to newer Apache versions) the older TLS versions, if all users support the new ones?

Thanks,
Chris

I'm using this mod_ssl configuration:

    ##SSLPassPhraseDialog builtin
    ##SSLFIPS off
    ##SSLInsecureRenegotiation off
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512
    ##SSLCryptoDevice builtin
    SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    ##SSLSessionCacheTimeout 300
    ##SSLRenegBufferSize 131072
    SSLProtocol TLSv1 +SSLv3
    SSLCipherSuite !FZA:!ADH:!kGOST:!eNULL:!aNULL:!aGOST:!SEED:!GOST94:!IDEA:!RC2:!RC4:!DES:!3DES:!MD5:!GOST89MAC:HIGH:@STRENGTH:+DSS:+DH:+CAMELLIA
    SSLStrictSNIVHostCheck on
    SSLHonorCipherOrder on
    SSLOptions strictRequire
    ##SSLVerifyClient none
    ##SSLVerifyDepth 1
    SSLProxyProtocol TLSv1 +SSLv3
    SSLProxyCipherSuite !FZA:!ADH:!kGOST:!eNULL:!aNULL:!aGOST:!SEED:!GOST94:!IDEA:!RC2:!RC4:!DES:!3DES:!MD5:!GOST89MAC:HIGH:@STRENGTH:+DSS:+DH:+CAMELLIA
    SSLProxyVerify require
    ##SSLProxyVerifyDepth 1
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on
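As an added example (editor's illustration, not the poster's configuration or anything from the httpd project), here is the mod_ssl policy that addresses the points raised above. The two attacks need different treatment. CRIME exploits TLS-level compression, so the server can close it completely by turning compression off. BEAST exploits CBC in TLS 1.0 on the client-to-server direction (the attacker reads the browser's request, i.e. the cookie), so the server-side OpenSSL countermeasure the poster refers to does not protect the records a browser sends; the server's options are to prefer RC4 (rejected here, as the poster wants) or to offer TLS 1.1/1.2 and AES-GCM so that capable clients never negotiate TLS 1.0 CBC. The example assumes httpd 2.2.24 or later (where the SSLCompression directive exists; 2.4.3+ likewise) built against OpenSSL 1.0.1 or later (TLS 1.1/1.2, AES-GCM, ECDHE); the hostname, certificate paths and CA bundle are placeholders.

```apache
# Added example: hardened mod_ssl settings for the BEAST/CRIME questions above.
# Assumes httpd >= 2.2.24 (or >= 2.4.3) linked against OpenSSL >= 1.0.1.
# All paths and hostnames below are placeholders.

# Entropy and session cache (unchanged in spirit from the poster's config).
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300

# Protocols: no SSLv2, no SSLv3. TLS 1.0 is kept only for old clients;
# remove it with "-TLSv1" as soon as the client base allows, which is the
# only server-side way to take CBC-on-TLS-1.0 (BEAST) off the table without RC4.
SSLProtocol all -SSLv2 -SSLv3

# CRIME: TLS-level compression off. On builds older than 2.2.24/2.4.3 the
# directive is unknown; the usual workaround there was to export
# OPENSSL_NO_DEFAULT_ZLIB=1 in the environment that starts httpd.
SSLCompression off

# The server's order wins, so the preference list below is binding.
SSLHonorCipherOrder on

# Prefer AEAD (AES-GCM, TLS 1.2 only) with forward-secret key exchange,
# then AES-CBC for TLS 1.0/1.1 clients. No RC4 (per the poster's requirement),
# no 3DES, MD5, export, low-strength or anonymous suites.
SSLCipherSuite ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES

# Only RFC 5746 secure renegotiation; never accept the legacy form.
SSLInsecureRenegotiation off
SSLStrictSNIVHostCheck  on

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt

    # HSTS (needs mod_headers): once a browser has seen the site over HTTPS
    # it will not fall back to plain HTTP for a year.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

# Reverse-proxy side: same protocol/cipher policy, and actually verify the
# backend's certificate against a CA bundle rather than only checking the CN.
SSLProxyProtocol          all -SSLv2 -SSLv3
SSLProxyCipherSuite       ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES
SSLProxyVerify            require
SSLProxyVerifyDepth       2
SSLProxyCACertificateFile /etc/ssl/certs/proxy-ca-bundle.crt
SSLProxyCheckPeerCN       on
SSLProxyCheckPeerExpire   on
```

After a reload, two openssl(1) checks confirm the policy from the outside: `openssl s_client -connect www.example.com:443 -ssl3` must fail to handshake, and a plain `openssl s_client -connect www.example.com:443` must report `Compression: NONE` and, from a TLS 1.2-capable client, an AES-GCM ECDHE suite. ECDHE suites only appear if the mod_ssl build has EC support (2.2.26+/2.4.x with an EC-enabled OpenSSL); on an older 2.2 build the DHE entries in the list take over.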