Changeset 2632 for trunk/server/fedora


Timestamp: Oct 13, 2014, 12:56:56 AM (10 years ago)
Author: andersk
Message:
Disable SSL 3.0

SSL 3.0 is only required by IE 6 on Windows XP, both of which are
unsupported.  Those users can upgrade to IE 8, switch to another
browser, and/or get a supported OS if they want to continue making SSL
connections to us.

By forcing downgrades from TLS 1.x to SSL 3.0, attackers could force
the negotiation of non-forward-secret ciphers.  It’s time to stop
letting IE 6 hold back security in current browsers.

File: 1 edited

  • trunk/server/fedora/config/etc/httpd/conf/httpd.conf

    r2626 r2632  
    338338
    339339    # Copied from https://wiki.mozilla.org/Security/Server_Side_TLS
    340     # (backward compatibility configuration)
    341     SSLProtocol all -SSLv2
     340    # (backward compatibility configuration minus SSL 3.0; equivalently,
     341    # intermediate compatibility configuration plus 3DES)
     342    SSLProtocol all -SSLv2 -SSLv3
    342343    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    343344    SSLHonorCipherOrder on
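
Review bot: On the new `SSLProtocol all -SSLv2 -SSLv3` line, `all` keeps this a denylist, so the enabled set is whatever the linked mod_ssl/OpenSSL build offers minus the two named protocols; consider naming in the comment which protocols are expected to remain (TLS 1.x, per the commit message) so a later reader can verify it against the running server. The comment block still opens with "Copied from https://wiki.mozilla.org/Security/Server_Side_TLS" although the directive is now a local variant of that page's configuration; the wiki is revised over time, so recording the date or revision it was taken from would make the "intermediate compatibility configuration plus 3DES" equivalence checkable later. This hunk changes only this one SSLProtocol directive, so please confirm that no other SSLProtocol line elsewhere in the configuration overrides it and re-enables SSLv3.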