Changeset 2632 for trunk/server/fedora/config/etc/httpd/conf

Timestamp:

Oct 13, 2014, 12:56:56 AM (10 years ago)

Author:

andersk

Message:

Disable SSL 3.0

SSL 3.0 is only required by IE 6 on Windows XP, both of which are
unsupported.  Those users can upgrade to IE 8, switch to another
browser, and/or get a supported OS if they want to continue making SSL
connections to us.

By forcing downgrades from TLS 1.x to SSL 3.0, attackers could force
the negotiation of non-forward-secret ciphers.  It’s time to stop
letting IE 6 hold back security in current browsers.

File:

• trunk/server/fedora/config/etc/httpd/conf/httpd.conf (modified) (1 diff)

trunk/server/fedora/config/etc/httpd/conf/httpd.conf

@@ -338 +338 @@
 
     # Copied from https://wiki.mozilla.org/Security/Server_Side_TLS
-    # (backward compatibility configuration)
-    SSLProtocol all -SSLv2
+    # (backward compatibility configuration minus SSL 3.0; equivalently,
+    # intermediate compatibility configuration plus 3DES)
+    SSLProtocol all -SSLv2 -SSLv3
     SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
     SSLHonorCipherOrder on