Posted to dev@httpd.apache.org by Lars Eilebrecht <la...@apache.org> on 2009/11/06 22:04:01 UTC

[PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Hi,

I would like to propose the attached patch for inclusion in 2.2
(I'll commit to trunk soon unless I'm getting any -1s in response to
this email).

cheers...
-- 
Lars Eilebrecht
lars@apache.org

Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Joe Orton <jo...@redhat.com>.
On Fri, Nov 06, 2009 at 01:04:01PM -0800, Lars Eilebrecht wrote:
> I would like to propose the attached patch for inclusion in 2.2 (I'll 
> commit to trunk soon unless I'm getting any -1s in response to this 
> email).

Looks good - thanks!  I agree with Rainer that we can/should disable 
export ciphers now too, I think.

Regards, Joe

Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Mads Toftum <ma...@toftum.dk>.
On Fri, Nov 06, 2009 at 01:04:01PM -0800, Lars Eilebrecht wrote:
> I would like to propose the attached patch for inclusion in 2.2
> (I'll commit to trunk soon unless I'm getting any -1s in response to
> this email).
> 
> -SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> +SSLCipherSuite ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL
>  
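Review bot: the replacement string `ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL` still admits the export-grade `EXP-*` suites, because in OpenSSL's cipher-string grammar `!LOW` excludes only the 56/64-bit non-export ciphers and does not touch the EXPORT group; adding `!EXPORT` (or `!EXP`), as in `ALL:!ADH:!EXPORT:!LOW:!MD5:!SSLV2:!NULL`, closes that gap, and running `openssl ciphers -v` on the final string before committing confirms what the default actually resolves to.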
Big +1 from the peanut gallery - this has been an annoyance for quite
some time after browsers got pickier. I think Rainer is right that we
might as well drop export ciphers also.

vh

Mads Toftum
-- 
http://soulfood.dk

Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Lars Eilebrecht <la...@eilebrecht.net>.
Rainer Jung wrote on 2009-11-06 22:31:55:

> Because of the EXP- ciphers still contained in the new one, we might
> add !EXPORT:
> 
> ALL:!ADH:!EXPORT:!LOW:!MD5:!SSLV2:!NULL

Thanks for catching this Rainer. I was assuming that !LOW removes
export ciphers as well.

cheers...
-- 
Lars Eilebrecht
lars@eilebrecht.net


Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Rainer Jung <ra...@kippdata.de>.
On 06.11.2009 22:04, Lars Eilebrecht wrote:
> Hi,
> 
> I would like to propose the attached patch for inclusion in 2.2
> (I'll commit to trunk soon unless I'm getting any -1s in response to
> this email).

Using the openssl ciphers command the new cipher string resolves to

ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL

DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
EDH-RSA-DES-CBC3-SHA
EXP-EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC3-SHA
EXP-EDH-DSS-DES-CBC-SHA
DES-CBC3-SHA
EXP-DES-CBC-SHA
IDEA-CBC-SHA
RC4-SHA

The old one additionally contains:

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
DES-CBC3-MD5
IDEA-CBC-MD5
RC2-CBC-MD5
RC4-MD5
DES-CBC-MD5
EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Because of the EXP- ciphers still contained in the new one, we might add
!EXPORT:

ALL:!ADH:!EXPORT:!LOW:!MD5:!SSLV2:!NULL

Regards,

Rainer


Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Joe Orton <jo...@redhat.com>.
On Fri, Nov 06, 2009 at 03:19:12PM -0800, Lars Eilebrecht wrote:
> attached is a slightly different patch; it includes "!EXP" and I've
> moved the directive out of the vhost into the main server config
> (there's no reason to duplicate the config for each vhost).

Good stuff, +1.  Joe

Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Lars Eilebrecht <la...@eilebrecht.net>.
Stefan Fritsch wrote on 2009-11-07 11:24:03:

> Shouldn't you use something like this?
> 
> BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown \
>                           downgrade-1.0 force-response-1.0
> BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown
> 
> 
> There are no MSIE 1.x around anymore, but MSIE 10, 11, ... will
> happen in the not too distant future.

Version 10 will still take a while, but I agree that we don't have to
worry about version 1 anymore.

How about this:
  BrowserMatch "MSIE" ssl-unclean-shutdown
  BrowserMatch "MSIE [2-5]" nokeepalive downgrade-1.0 force-response-1.0


> BTW, I am not so sure that MSIE 6 works reliably with keepalive in
> all situations (e.g. with proxies, plugins, etc.). Therefore I would 
> actually prefer [2-6] and [17-9].

My experience is that newer versions of MSIE 6 work fine regarding
keep-alive and SSL.

cheers...
-- 
Lars Eilebrecht
lars@eilebrecht.net
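An added check, not part of the thread, that evaluates the three BrowserMatch variants discussed above (the patch's `[1-5]`/`[6-9]`, Stefan's `[2-5]`/`[16-9]`, and Lars's `"MSIE"` + `[2-5]`) against constructed User-Agent strings; Python's `re.search` stands in for httpd's unanchored, case-sensitive regex match, and the UA strings are constructed, not captured:

```python
import re

# The four environment flags the config sets for broken clients.
LEGACY = {"nokeepalive", "ssl-unclean-shutdown", "downgrade-1.0", "force-response-1.0"}

# Rule sets from the thread as (regex, env vars set on match). BrowserMatch
# runs an unanchored, case-sensitive regex against User-Agent; re.search
# reproduces that behaviour for these patterns.
PATCH_RULES = [                      # Lars's updated patch
    (r"MSIE [1-5]", LEGACY),
    (r"MSIE [6-9]", {"ssl-unclean-shutdown"}),
]
STEFAN_RULES = [                     # Stefan's suggestion
    (r"MSIE [2-5]", LEGACY),
    (r"MSIE [16-9]", {"ssl-unclean-shutdown"}),
]
LARS_RULES = [                       # Lars's "How about this"
    (r"MSIE", {"ssl-unclean-shutdown"}),
    (r"MSIE [2-5]", LEGACY - {"ssl-unclean-shutdown"}),
]

# Constructed User-Agent strings in the shape IE sends them (not captured traffic).
UAS = {
    "ie5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "ie10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.1) Gecko/20091020 Firefox/3.5.3",
}


def apply_rules(rules, user_agent):
    """Union of env vars from every rule whose regex matches, as httpd does."""
    env = set()
    for pattern, flags in rules:
        if re.search(pattern, user_agent):
            env |= flags
    return env


def keepalive_disabled(rules, user_agent):
    """True when the rule set would turn keep-alive off for this client."""
    return "nokeepalive" in apply_rules(rules, user_agent)


if __name__ == "__main__":
    # The rule sets only diverge for a two-digit major version: the patch's
    # "MSIE [1-5]" matches the "MSIE 1" prefix of "MSIE 10.0".
    for name, ua in UAS.items():
        for label, rules in (("patch", PATCH_RULES), ("stefan", STEFAN_RULES), ("lars", LARS_RULES)):
            print(f"{name:8} {label:7} {sorted(apply_rules(rules, ua))}")
```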


Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Saturday 07 November 2009, Lars Eilebrecht wrote:
> Ruediger Pluem wrote on 2009-11-07 00:29:41:
> > > -BrowserMatch ".*MSIE.*" \
> > > -         nokeepalive ssl-unclean-shutdown \
> > > -         downgrade-1.0 force-response-1.0
> > > +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
> > > +                          downgrade-1.0 force-response-1.0
> > > +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
> > >
> > >  #   Per-Server Logging:
> > >  #   The home of a custom SSL log file. Use this when you want
> > > a
> >
> > Do we really know that IE >= 6 do not need these additional
> > options any longer?
> 
> The bug about SSL renegotiation got fixed in one of the earlier IE 6
> versions, so some of the very very old versions of IE 6 won't work,
> but the market share of these versions is effectively 0%.
> 
> If you google for it you'll find some people recommending the use of
> the above configuration, and I've been using it on various sites for
> a few years without any problems.
> 
> The main issue with our previous config is that we are disabling
> keep-alive for IE 7 and 8 which is a bad idea for a busy HTTPS
> server.

Shouldn't you use something like this?

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown \
                          downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [16-9]" ssl-unclean-shutdown


There are no MSIE 1.x around anymore, but MSIE 10, 11, ... will happen 
in the not too distant future.

BTW, I am not so sure that MSIE 6 works reliably with keepalive in all 
situations (e.g. with proxies, plugins, etc.). Therefore I would 
actually prefer [2-6] and [17-9].

Cheers,
Stefan

Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Ruediger Pluem <rp...@apache.org>.

On 11/07/2009 02:21 AM, Lars Eilebrecht wrote:
> Ruediger Pluem wrote on 2009-11-07 00:29:41:
> 
>>> -BrowserMatch ".*MSIE.*" \
>>> -         nokeepalive ssl-unclean-shutdown \
>>> -         downgrade-1.0 force-response-1.0
>>> +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
>>> +                          downgrade-1.0 force-response-1.0
>>> +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
>>>
>>>  #   Per-Server Logging:
>>>  #   The home of a custom SSL log file. Use this when you want a  
>> Do we really know that IE >= 6 do not need these additional options
>> any longer?
> 
> The bug about SSL renegotiation got fixed in one of the earlier IE 6
> versions, so some of the very very old versions of IE 6 won't work, but
> the market share of these versions is effectively 0%.
> 
> If you google for it you'll find some people recommending the use of
> the above configuration, and I've been using it on various sites for
> a few years without any problems.
> 
> The main issue with our previous config is that we are disabling
> keep-alive for IE 7 and 8 which is a bad idea for a busy HTTPS server.

Yeah, I know and this is a real PITA that has bothered me for years,
but I just wanted to be sure that this is fixed in recent IE 6 and up.
So many thanks for your investigations.

Regards

Rüdiger


Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Lars Eilebrecht <la...@eilebrecht.net>.
Ruediger Pluem wrote on 2009-11-07 00:29:41:

> > -BrowserMatch ".*MSIE.*" \
> > -         nokeepalive ssl-unclean-shutdown \
> > -         downgrade-1.0 force-response-1.0
> > +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
> > +                          downgrade-1.0 force-response-1.0
> > +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
> >
> >  #   Per-Server Logging:
> >  #   The home of a custom SSL log file. Use this when you want a  
> 
> Do we really know that IE >= 6 do not need these additional options
> any longer?

The bug about SSL renegotiation got fixed in one of the earlier IE 6
versions, so some of the very very old versions of IE 6 won't work, but
the market share of these versions is effectively 0%.

If you google for it you'll find some people recommending the use of
the above configuration, and I've been using it on various sites for
a few years without any problems.

The main issue with our previous config is that we are disabling
keep-alive for IE 7 and 8 which is a bad idea for a busy HTTPS server.

cheers...
-- 
Lars Eilebrecht
lars@eilebrecht.net


Re: [UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Ruediger Pluem <rp...@apache.org>.

On 11/07/2009 12:19 AM, Lars Eilebrecht wrote:
> Hi,
> 
> attached is a slightly different patch; it includes "!EXP" and I've
> moved the directive out of the vhost into the main server config
> (there's no reason to duplicate the config for each vhost).
> 
> In addition I've added "RC4-SHA:AES128-SHA" to the beginning of the
> list which doesn't make a difference unless SSLCipherHonorOrder is
> enabled which I've included as an example in the config (disabled by
> default).
> 
> cheers...
>
> @@ -212,9 +218,9 @@
>  #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
>  #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
>  #   "force-response-1.0" for this.
> -BrowserMatch ".*MSIE.*" \
> -         nokeepalive ssl-unclean-shutdown \
> -         downgrade-1.0 force-response-1.0
> +BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \
> +                          downgrade-1.0 force-response-1.0
> +BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown
>
>  #   Per-Server Logging:
>  #   The home of a custom SSL log file. Use this when you want a
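Review bot: the `[1-5]` class in `+BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown \` matches a single digit in an unanchored regex, so the first character of a future two-digit version (`MSIE 10.0`) will satisfy it and that client gets `downgrade-1.0 force-response-1.0` with keep-alive off, while the `[6-9]` rule misses it entirely; anchoring on the version's trailing dot, e.g. `"MSIE [1-5]\."`, or matching `"MSIE"` for `ssl-unclean-shutdown` and only `"MSIE [2-5]"` for the HTTP/1.0 downgrade, keeps the downgrade limited to the old single-digit releases. A comment above the rules stating why IE 6 and later only need `ssl-unclean-shutdown` would also spare the next reader this thread.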

Do we really know that IE >= 6 do not need these additional options any longer?

Regards

Rüdiger



[UPDATED] Re: [PATCH] new default SSLCipherSuite and SSL BrowserMatch configuration

Posted by Lars Eilebrecht <la...@apache.org>.
Hi,

attached is a slightly different patch; it includes "!EXP" and I've
moved the directive out of the vhost into the main server config
(there's no reason to duplicate the config for each vhost).

In addition I've added "RC4-SHA:AES128-SHA" to the beginning of the
list which doesn't make a difference unless SSLCipherHonorOrder is
enabled which I've included as an example in the config (disabled by
default).

cheers...
-- 
Lars Eilebrecht
lars@apache.org