Applied: 3a7f46aa3e75988686ef9fcae5158fc29f6a86f6
Matt Simerson wrote: > > switched default TLS security in config/tls_ciphers from HIGH to HIGH:!SSLv2. > Added note for how to set the minimum level of security necessary for PCI > compliance. > --- > config.sample/tls_ciphers | 8 +++++++- > 1 files changed, 7 insertions(+), 1 deletions(-) > > diff --git a/config.sample/tls_ciphers b/config.sample/tls_ciphers > index e889731..7bb0204 100644 > --- a/config.sample/tls_ciphers > +++ b/config.sample/tls_ciphers > @@ -1,4 +1,10 @@ > # Override default security using suitable string from available ciphers at > # L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS> > # See plugins/tls for details. > -HIGH > +# > +# HIGH is a reasonable default that should satisfy most installations > +HIGH:!SSLv2 > +# > +# if you have legacy clients that require less secure connections, > +# consider using this less secure, but PCI compliant setting: > +#DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM > -- > 1.7.1.1 >
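Review bot: The new comment above the cipher line says "HIGH is a reasonable default", but the value actually set is HIGH:!SSLv2, so the comment should name the full string and state that !SSLv2 removes the SSLv2 cipher suites; otherwise someone editing the file from the comment alone can drop the exclusion. For the commented-out alternative, the "PCI compliant" label has no reference or date, and a short remark on the syntax would help: in an OpenSSL cipher string a leading + only moves the matching ciphers to the end of the list and adds none, so +HIGH:+MEDIUM reorders what DEFAULT already selected. The commit message names config/tls_ciphers while the diff touches only config.sample/tls_ciphers, so it is worth confirming whether any fallback default used by plugins/tls when the file is absent needs the same change.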