Apache and BEAST and CRIME attacks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi.

I'm using Apache 2.2.22 and 2.2.16... and I wondered how vulnerable I'm
for the BEAST and CRIME attacks...


wrt to BEAST:
I know most browsers fix that already,... but I'd rather have it really
enforced by the server.
Further I would not prefer to disable my AES or enabled RC4 at all.
Also there are sources on the web which claim that RC4 would be actually
more secure than AES.

There are also sources (e.g.
http://security.stackexchange.com/questions/17080/is-there-a-way-to-mitigate-beast-without-disabling-aes-completely ) which claim that that is a non-issue as it was fixed in openssl for all ciphers


What's the status on CRIME?


And are there any other things one should consider when configuring
mod_SSL?


Should one disable SSL3 and (once I upgraded to newer apache versions)
the older TLS versions... if all users support the new ones?



Thanks,
Chris.


I'm using this mod_ssl configuration:
##SSLPassPhraseDialog builtin
##SSLFIPS off
##SSLInsecureRenegotiation off

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

##SSLCryptoDevice builtin

SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex

SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
##SSLSessionCacheTimeout 300

##SSLRenegBufferSize 131072


SSLProtocol TLSv1 +SSLv3
SSLCipherSuite !FZA:!ADH:!kGOST:!eNULL:!aNULL:!aGOST:!SEED:!GOST94:!
IDEA:!RC2:!RC4:!DES:!3DES:!MD5:!GOST89MAC:HIGH:@STRENGTH:+DSS:+DH:
+CAMELLIA
SSLStrictSNIVHostCheck on
SSLHonorCipherOrder on
SSLOptions strictRequire
##SSLVerifyClient none
##SSLVerifyDepth 1


SSLProxyProtocol TLSv1 +SSLv3
SSLProxyCipherSuite !FZA:!ADH:!kGOST:!eNULL:!aNULL:!aGOST:!SEED:!
GOST94:!IDEA:!RC2:!RC4:!DES:!3DES:!MD5:!GOST89MAC:HIGH:@STRENGTH:+DSS:
+DH:+CAMELLIA
SSLProxyVerify require
##SSLProxyVerifyDepth 1
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on

Attachment: smime.p7s
Description: S/MIME cryptographic signature


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux