Vincent Lefevre wrote:
> Bob Proulx wrote:
> > Vincent Lefevre wrote:
> > > Bob Proulx wrote:
> > > > The Debian default Apache2 configuration for ssl is in local-ssl and
> > > > it configures the self-signed so-called "snakeoil" certificates.
> ...
> > The /etc/apache2/mods-available/ssl.conf doesn't need to be modified by
> > the local admin because the cipher list there is commented out.
>
> No, it is not commented out. ./etc/apache2/mods-available/ssl.conf
> in apache2.2-common_2.2.22-13+deb7u4_amd64.deb contains:

You are correct.  I was confused because it was both.  Sorry.  Note
that the recent option of interest is SSLCipherSuite.

  $ grep SSLCipherSuite /etc/apache2/mods-available/ssl.conf
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
  # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
  #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5

> No, it is not commented out. The default in unstable is:
>
> SSLProtocol all -SSLv3
>
> And the default in wheezy is:
>
> SSLProtocol all -SSLv2

This illustrates that if the local admin has not set up the full
configuration in their site config that they are not safe.  I prefer
this way to write the configuration.

  SSLProtocol -all +TLSv1

> Even if it were commented out by default, there could be two solutions:
>
> 1. The configuration tool could uncomment the entry and change it.

I think it unlikely that most people will have modified the
/etc/apache2/mods-available/ssl.conf file.  I think any changes there
would propagate through simply.

> 2. The default (i.e. hardcoded value) could be changed, if possible.

Changing the compiled-in value of the default would be fine.  I worry
about removing the protocol from the executable because there will be
some sites that have constraints requiring them to maintain the older
protocols.  Those older protocols may be unsafe when used in a normal
web site but for their specific use, perhaps on a private network, they
may be okay.  If the protocol is removed from the executable then this
creates a hardship for them and would require them to split off.  That
would be worse.

> > (Although it should wake up the admin that they need to merge files if
> > they modified it.  But I all too often see local admins simply keep
> > their previous version of files without merging.  Look at all of the
> > people with trouble after the sudo secure_path change for examples.)
>
> Note that I suggested the change in the case the file was *not*
> modified.  The admin I was mentioning wanted to keep Debian's
> default (i.e. without any local change).
>
> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

Agreed.  I worry about the categorization of ciphers as high and
medium.  Those classifications change over time.  I prefer to see them
listed out because that way it is obvious what they mean.

Bob
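The two points of confusion in the thread above (a directive that is present both active and commented out, and an SSLProtocol value that still leaves SSLv3 on) can be checked mechanically.  The following script is an added example written for this page; it is not code from the thread, from Debian or from the Apache project.  It applies mod_ssl's parsing rules for SSLProtocol (a bare name replaces the set, "+" adds, "-" removes) and flags OpenSSL alias groups such as HIGH and MEDIUM in SSLCipherSuite, which is the categorization Bob objects to.  It assumes the Apache 2.2 / OpenSSL 1.0.1 meaning of "all" (SSLv2 through TLSv1.2; Apache 2.4 has no SSLv2), and both config samples are constructed from the values quoted in the mail.

```python
"""Audit the effective SSLProtocol and SSLCipherSuite in an Apache 2.2 config.

Added example for the Debian ssl.conf thread; not Debian's or Apache's code.
"""
import re

# Assumption: Apache 2.2 with OpenSSL 1.0.1 (wheezy), where "all" expands to
# every protocol below.  Apache 2.4 builds no longer include SSLv2.
ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})

# OpenSSL cipher-list alias groups whose membership changes between releases.
OPENSSL_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "EXPORT",
                   "COMPLEMENTOFDEFAULT", "COMPLEMENTOFALL"}

# Constructed sample: the wheezy ssl.conf lines quoted in the mail.
WHEEZY_SSL_CONF = """\
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol all -SSLv2
"""

# Constructed sample: Bob's preferred explicit style (cipher names are assumed).
HARDENED_SSL_CONF = """\
SSLProtocol -all +TLSv1
SSLCipherSuite AES128-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA
"""


def effective_protocols(value):
    """Evaluate an SSLProtocol value the way mod_ssl does.

    A token with no prefix replaces the whole set, "+" adds to it and "-"
    removes from it, so "-all +TLSv1" yields exactly {TLSv1}.
    """
    enabled = set()
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name.lower() == "all":
            group = set(ALL_PROTOCOLS)
        else:
            group = {p for p in ALL_PROTOCOLS if p.lower() == name.lower()}
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:
            enabled = group
    return enabled


def active_directives(conf_text):
    """Return the last uncommented SSLProtocol / SSLCipherSuite values.

    Commented-out lines (the second SSLCipherSuite in the mail) are ignored,
    which is exactly the distinction that caused the confusion in the thread.
    """
    found = {"SSLProtocol": None, "SSLCipherSuite": None}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(.+)", line, re.IGNORECASE)
        if m:
            key = next(k for k in found if k.lower() == m.group(1).lower())
            found[key] = m.group(2).strip()
    return found


def audit(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    d = active_directives(conf_text)
    if d["SSLProtocol"] is None:
        findings.append("SSLProtocol not set: the compiled-in default applies")
    else:
        protos = effective_protocols(d["SSLProtocol"])
        for weak in ("SSLv2", "SSLv3"):
            if weak in protos:
                findings.append(f"{weak} enabled by 'SSLProtocol {d['SSLProtocol']}'")
    if d["SSLCipherSuite"] is None:
        findings.append("SSLCipherSuite not set: the OpenSSL DEFAULT list applies")
    else:
        aliases = [c for c in re.split(r"[:, ]+", d["SSLCipherSuite"])
                   if c.lstrip("!+-").upper() in OPENSSL_ALIASES]
        if aliases:
            findings.append(f"SSLCipherSuite relies on alias groups {aliases}, "
                            "whose contents change across OpenSSL releases")
    return findings


if __name__ == "__main__":
    for label, conf in (("wheezy default", WHEEZY_SSL_CONF),
                        ("explicit style", HARDENED_SSL_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Run against the wheezy sample it reports SSLv3 still enabled and the HIGH/MEDIUM aliases; the explicit configuration produces no findings.  The script only reads the directives it is given, so a site that sets SSLProtocol in its virtual host rather than in mods-available/ssl.conf must be checked with the merged configuration.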