On Friday 20 March 2015 08:45:13 Vincent Lefevre wrote:
> On 2015-03-19 16:03:38 -0600, Bob Proulx wrote:
> > Vincent Lefevre wrote:
> > > Bob Proulx wrote:
> > > > The Debian default Apache2 configuration for ssl is in local-ssl
> > > > and it configures the self-signed so called "snakeoil"
> > > > certificates.
> > >
> > > No, it is /etc/apache2/mods-available/ssl.conf, where you have the
> > > SSLProtocol line, which is the line that needs to be modified.
> >
> > No, (I will just turn your reply around) that entry is commented
> > out.
>
> No, it is not commented out. The default in unstable is:
>
>   SSLProtocol all -SSLv3
>
> And the default in wheezy is:
>
>   SSLProtocol all -SSLv2
>
> You can check in apache2.2-common 2.2.22-13+deb7u4.
>
> > It isn't an *active* part of the Debian configuration. The local
> > admin must actually do something. Changing one commented out entry
> > to another commented out entry is still a commented out entry.
>
> Even if it were commented out by default, there could be two
> solutions:
>
> 1. The configuration tool could uncomment the entry and change it.
>
> 2. The default (i.e. hardcoded value) could be changed, if possible.
>
> > (Although it should wake up the admin that they need to merge files
> > if they modified it. But I all too often see local admins simply
> > keep their previous version of files without merging. Look at all
> > of the people with trouble after the sudo secure_path change for
> > examples.)
>
> Note that I suggested the change in the case the file was *not*
> modified. The admin I was mentioning wanted to keep Debian's
> default (i.e. without any local change).
>
> > The /etc/apache2/mods-available/ssl.conf doesn't need to be modified
> > by the local admin because the cipher list there is commented out.
>
> No, it is not commented out. ./etc/apache2/mods-available/ssl.conf
> in apache2.2-common_2.2.22-13+deb7u4_amd64.deb contains:
>
>   SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Call me confused. And I do run my own web page from this machine. URL in
sig.

First, there is no ~./etc/apache2/mods-available/ssl.conf, but there is a
/etc/apache2/mods-available/ssl.conf with relatively sparse bits of
uncommenting that would appear to be related here:

  SSLCipherSuite AES128+EECDH:AES128+EDH
  SSLHonorCipherOrder on
  SSLProtocol all -SSLv2 -SSLv3
  Header always set Strict-Transport-Security "max-age=63072000; include SubDomains"
  Header alway set X-Frame-Options DENY

Documentation on this stuff and its interactions is sparse at best, despite
the fact that I have installed what should be the correct man pages.

Some of the above has been edited pursuant to anti-POODLE instructions
found by google.

So, am I safe, or low hanging fruit with those settings?

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Archive: https://lists.debian.org/201503201213.12101.ghesk...@wdtv.com
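The question "am I safe, or low hanging fruit" can be answered mechanically for the handful of directives the thread argues about. The script below is an added example (not code from the thread, from Debian, or from Apache): it parses an Apache config fragment, expands `SSLProtocol all -...` the way mod_ssl does, asks the OpenSSL that the local Python links against which ciphers an `SSLCipherSuite` string actually selects, checks that `SSLHonorCipherOrder` is on, and checks the syntax of the `Header` lines. The protocol list behind `all`, the finding texts, the helper names and the two embedded config samples (the wheezy default quoted above and the five lines from the message above) are assumptions made for this example, and the cipher expansion will differ from what wheezy's own openssl would select.

```python
"""Offline audit of the mod_ssl / mod_headers directives discussed above.

Added example; not code from the thread, Debian or Apache.  Directive
semantics are modelled from the mod_ssl and mod_headers documentation;
anything this script reports is a finding text of its own.
"""
import shlex
import ssl

# What "all" expanded to for mod_ssl 2.2/2.4 before TLS 1.3 (assumption).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}                 # SSLv3 is what POODLE needs
# Substrings of OpenSSL cipher names that should never survive expansion.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES-CBC", "MD5", "ADH", "AECDH")
HEADER_ACTIONS = {"set", "append", "add", "merge", "unset", "echo", "edit", "edit*", "note"}
HSTS_TOKENS = {"max-age", "includesubdomains", "preload"}

# Constructed samples: the wheezy default quoted in the thread, and the
# five lines Gene posted (typos included, since that is what is asked about).
WHEEZY_DEFAULT = """
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""
POSTED = """
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
Header always set Strict-Transport-Security "max-age=63072000; include SubDomains"
Header alway set X-Frame-Options DENY
"""


def parse_directives(text):
    """Yield (directive, rest-of-line) pairs, skipping blank and comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            yield name, value.strip()


def enabled_protocols(value):
    """Expand an SSLProtocol value such as 'all -SSLv2 -SSLv3' into a set."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def expand_ciphers(value):
    """Cipher names the local OpenSSL selects for an SSLCipherSuite string ([] if none)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(value)
    except ssl.SSLError:                        # "No cipher can be selected"
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def hsts_findings(value):
    """Problems in a Strict-Transport-Security value, e.g. 'max-age=63072000; includeSubDomains'."""
    findings, keys = [], set()
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        key = part.partition("=")[0].strip().lower()
        if key not in HSTS_TOKENS:
            # 'include SubDomains' lands here: the space makes it an unknown token
            findings.append("HSTS token %r is not valid; browsers ignore it" % part)
        keys.add(key)
    if "max-age" not in keys:
        findings.append("HSTS header without max-age is invalid")
    return findings


def audit(text):
    """Return a list of human-readable findings for a config fragment."""
    findings, directives, headers = [], {}, []
    for name, value in parse_directives(text):
        if name == "Header":
            headers.append(value)
        else:
            directives[name] = value            # last one wins, as in one Apache scope

    weak = enabled_protocols(directives.get("SSLProtocol", "all")) & WEAK_PROTOCOLS
    if weak:
        findings.append("SSLProtocol leaves %s enabled" % ", ".join(sorted(weak)))

    suite = directives.get("SSLCipherSuite", "DEFAULT")
    ciphers = expand_ciphers(suite)
    if not ciphers:
        findings.append("SSLCipherSuite %r selects no cipher on this OpenSSL" % suite)
    bad = [c for c in ciphers if any(m in c for m in WEAK_CIPHER_MARKERS)]
    if bad:
        findings.append("SSLCipherSuite allows weak ciphers: %s" % ", ".join(bad))

    if directives.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off: the client picks the cipher, not the server")

    hsts_seen = False
    for value in headers:
        parts = shlex.split(value)
        if parts and parts[0].lower() in ("always", "onsuccess"):
            parts = parts[1:]                   # optional condition word
        if len(parts) < 2 or parts[0].lower() not in HEADER_ACTIONS:
            findings.append("Header %r: first word is not a mod_headers action (config error)" % value)
            continue
        action, header = parts[0].lower(), parts[1]
        if header.lower() == "strict-transport-security" and action in ("set", "append", "add", "merge"):
            hsts_seen = True
            findings.extend(hsts_findings(parts[2] if len(parts) > 2 else ""))
    if not hsts_seen:
        findings.append("No Strict-Transport-Security header is set")
    return findings


if __name__ == "__main__":
    for label, sample in (("wheezy default", WHEEZY_DEFAULT), ("posted config", POSTED)):
        print("==", label)
        for finding in audit(sample) or ["no findings"]:
            print("  -", finding)
```

Run against the posted lines it passes the protocol and cipher-order checks but flags the two lines that would not do what was intended: `include SubDomains` with a space is not an HSTS token, so browsers drop it, and `Header alway` is not a mod_headers action, so Apache rejects that line. Against the wheezy default it reports SSLv3 still enabled, no server cipher preference and no HSTS header.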