Changeset 2621 for trunk/server


Timestamp:
Oct 4, 2014, 10:42:24 PM (8 years ago)
Author:
andersk
Message:
Enforce a modern TLS cipher suite order

This configuration was copied from the backward compatibility
configuration at https://wiki.mozilla.org/Security/Server_Side_TLS,
version 3/3.1/3.2.

File:
1 edited

  • trunk/server/fedora/config/etc/httpd/conf/httpd.conf

    r2593 r2621  
    327327    SSLInsecureRenegotiation on
    328328
    329     # Temporary fix for presumed CRIME attack against SSL
    330     SSLCompression off
    331 
    332329    SSLPassPhraseDialog  builtin
    333330    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
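Review bot: The removal at old lines 329-330 drops the comment explaining that `SSLCompression off` is a mitigation for the CRIME attack, and the directive reappears further down under a comment that only cites the Mozilla page. Keep a one-line rationale next to the moved directive so that nobody re-enables compression while tidying the block. Separately, the unchanged context line `SSLInsecureRenegotiation on` at line 327 still permits unsafe legacy renegotiation; if that is deliberate for old clients, a comment saying so would help, since the rest of this change tightens the TLS settings.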
     
    339336    SSLVerifyClient none
    340337    SSLOptions +StdEnvVars
     338
     339    # Copied from https://wiki.mozilla.org/Security/Server_Side_TLS
     340    # (backward compatibility configuration)
    341341    SSLProtocol all -SSLv2
    342     SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
     342    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
     343    SSLHonorCipherOrder on
     344    SSLCompression off
     345
    343346    <VirtualHost 18.181.0.50:443 18.181.0.50:444>
    344347        ServerName scripts-cert.mit.edu
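Review bot: The comment added at new lines 339-340 names the Mozilla page but not the version of the recommendation that was copied; the commit message gives it as 3/3.1/3.2, and recording that in the file lets a later reader tell when the list has fallen behind upstream. The comment also sits directly above the unchanged `SSLProtocol all -SSLv2`, which leaves SSLv3 enabled, so it would be clearer to state whether that line is part of what was copied or predates it. `SSLHonorCipherOrder on` is what makes the server's order take effect, so it should stay next to `SSLCipherSuite` if this block is ever split.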