On Saturday 21 March 2015 16:37:59 Bob Proulx wrote:
> Vincent Lefevre wrote:
> > Bob Proulx wrote:
> > > Vincent Lefevre wrote:
> > > > Bob Proulx wrote:
> > > > > The Debian default Apache2 configuration for ssl is in
> > > > > local-ssl and it configures the self-signed so called
> > > > > "snakeoil" certificates.
> >
> >...
> >
> > > The /etc/apache2/mods-available/ssl.conf doesn't need to be
> > > modified by the local admin because the cipher list there is
> > > commented out.
> >
> > No, it is not commented out. ./etc/apache2/mods-available/ssl.conf
> > in apache2.2-common_2.2.22-13+deb7u4_amd64.deb contains:
>
> You are correct.  I was confused because it was both.  Sorry.
> Note that the recent option of interest is SSLCipherSuite.
>
> $ grep SSLCipherSuite /etc/apache2/mods-available/ssl.conf
> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
This is not valid for a 2.22 install

> #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
> #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
>
> > No, it is not commented out. The default in unstable is:
> >
> >   SSLProtocol all -SSLv3
> >
> > And the default in wheezy is:
> >
> >   SSLProtocol all -SSLv2
>
> This illustrates that if the local admin has not set up the full
> configuration in their site config that they are not safe.
>
> I prefer this way to write the configuration.
>
>   SSLProtocol -all +TLSv1

Now set.

> > Even if it were commented out by default, there could be two
> > solutions:
> >
> > 1. The configuration tool could uncomment the entry and change it.
>
> I think it unlikely that most people will have modified the
> /etc/apache2/mods-available/ssl.conf file.  I think any changes there
> would propagate through simply.
>
> > 2. The default (i.e. hardcoded value) could be changed, if possible.
>
> Changing the compiled in value of the default would be fine.
>
> I worry about removing the protocol from the executable because there
> will be some sites that have constraints requiring them maintain the
> older protocols.  Those older protocols may be unsafe when used in a
> normal web site but for their specific use, perhaps on a private
> network, they may be okay.  If the protocol is removed from the
> executable then this creates a hardship for them and would require
> them to split off.  That would be worse.
>
> > > (Although it should wake up the admin that they need to merge
> > > files if they modified it.  But I all too often see local admins
> > > simply keep their previous version of files without merging.  Look
> > > at all of the people with trouble after the sudo secure_path
> > > change for examples.)
> >
> > Note that I suggested the change in the case the file was *not*
> > modified. The admin I was mentioning wanted to keep Debian's
> > default (i.e. without any local change).
> >
> >   SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>
> Agreed.
>
> I worry about the categorization of ciphers as high and medium.  Those
> classifications change over time.  I prefer to see them listed out
> because that way it is obvious what they mean.
>
> Bob

However on the restart, I logged this in /var/log/apache2/error.log:

[Sat Mar 21 18:08:02 2015] [info] removed PID file /var/run/apache2.pid (pid=2954)
[Sat Mar 21 18:08:02 2015] [notice] caught SIGTERM, shutting down
[Sat Mar 21 18:08:03 2015] [notice] Apache/2.2.22 (Debian) configured -- resuming normal operations
[Sat Mar 21 18:08:03 2015] [info] Server built: Dec 27 2014 21:24:43
[Sat Mar 21 18:08:03 2015] [debug] worker.c(1757): AcceptMutex: sysvsem (default: sysvsem)
[Sat Mar 21 18:08:03 2015] [error] (2)No such file or directory: Couldn't bind unix domain socket /var/log/httpd/${APACHE_RUN_DIR}/cgisock.4944

No clue how to fix this one, APACHE_RUN_DIR is not set in the environment.
Broken init.d script perhaps??

[Sat Mar 21 18:08:04 2015] [crit] cgid daemon failed to initialize

But this seems to be a never mind as it doesn't seem to affect performance
in any case.  How important is it?

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
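As an added illustration of the points argued above (not code from this thread), a small Python checker that evaluates an SSLProtocol value the way mod_ssl does (tokens left to right; a bare name sets the list, "+" adds, "-" removes) and flags what the thread discusses: SSLv3 left enabled by "all -SSLv2", RC4 or bare HIGH/MEDIUM categories in SSLCipherSuite, and SSLHonorCipherOrder off. The two configuration snippets are constructed, and the set of names "all" expands to is an assumption about the build.

```python
import re
# Assumption: what "all" expands to in this build (Apache 2.2 knows SSLv2,
# SSLv3 and TLSv1; builds on newer OpenSSL add TLSv1.1 and TLSv1.2).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def effective_protocols(value):
    """Evaluate SSLProtocol as mod_ssl does: left to right; bare name sets, '+' adds, '-' removes."""
    enabled = set()
    for tok in value.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:
            enabled = set(members)
    return enabled

def active_directives(conf_text):
    """Uncommented SSL directives, keyed in lower case; last occurrence wins."""
    pat = re.compile(r"\s*(SSLProtocol|SSLCipherSuite|SSLHonorCipherOrder)\s+(.+?)\s*$", re.I)
    found = {}
    for m in filter(None, map(pat.match, conf_text.splitlines())):
        found[m.group(1).lower()] = m.group(2)
    return found

def audit(conf_text):
    """Findings for the weak points raised in the thread; empty means clean."""
    d = active_directives(conf_text)
    findings = []
    protos = effective_protocols(d.get("sslprotocol", "all"))
    findings += ["%s is enabled" % p for p in ("SSLv2", "SSLv3") if p in protos]
    # Only positive tokens select ciphers; "!RC4" is an exclusion.
    tokens = [t for t in d.get("sslciphersuite", "").split(":") if not t.startswith("!")]
    if any("RC4" in t for t in tokens):
        findings.append("RC4 is selected in SSLCipherSuite")
    if any(t in ("HIGH", "MEDIUM", "LOW") for t in tokens):
        findings.append("SSLCipherSuite uses OpenSSL categories whose contents change between releases")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off, so the client chooses the suite")
    return findings

# Constructed snippets: the wheezy-style default quoted in the thread, and an
# explicit alternative in the style Bob prefers (cipher names are OpenSSL's).
WHEEZY_STYLE = ("#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5\n"
                "SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\nSSLProtocol all -SSLv2\n")
EXPLICIT = ("SSLProtocol -all +TLSv1\nSSLHonorCipherOrder on\n"
            "SSLCipherSuite ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-SHA:!aNULL:!MD5:!RC4\n")
```

Running audit(WHEEZY_STYLE) reports SSLv3 still enabled, the HIGH/MEDIUM categories and the missing cipher-order setting; audit(EXPLICIT) reports nothing.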


Archive: https://lists.debian.org/201503211817.30225.ghesk...@wdtv.com