On Saturday 21 March 2015 16:37:59 Bob Proulx wrote:
> Vincent Lefevre wrote:
> > Bob Proulx wrote:
> > > Vincent Lefevre wrote:
> > > > Bob Proulx wrote:
> > > > > The Debian default Apache2 configuration for ssl is in
> > > > > local-ssl and it configures the self-signed so called
> > > > > "snakeoil" certificates.
> > > >...
> > >
> > > The /etc/apache2/mods-available/ssl.conf doesn't need to be
> > > modified by the local admin because the cipher list there is
> > > commented out.
> >
> > No, it is not commented out. ./etc/apache2/mods-available/ssl.conf
> > in apache2.2-common_2.2.22-13+deb7u4_amd64.deb contains:
>
> You are correct. I was confused because it was both. Sorry.
> Note that the recent option of interest is SSLCipherSuite.
>
> $ grep SSLCipherSuite /etc/apache2/mods-available/ssl.conf
> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

This is not valid for a 2.22 install.

> # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
> #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
>
> > No, it is not commented out. The default in unstable is:
> >
> > SSLProtocol all -SSLv3
> >
> > And the default in wheezy is:
> >
> > SSLProtocol all -SSLv2
>
> This illustrates that if the local admin has not set up the full
> configuration in their site config that they are not safe.
>
> I prefer this way to write the configuration.
>
> SSLProtocol -all +TLSv1

Now set.

> > Even if it were commented out by default, there could be two
> > solutions:
> >
> > 1. The configuration tool could uncomment the entry and change it.
>
> I think it unlikely that most people will have modified the
> /etc/apache2/mods-available/ssl.conf file. I think any changes there
> would propagate through simply.
>
> > 2. The default (i.e. hardcoded value) could be changed, if possible.
>
> Changing the compiled in value of the default would be fine.
>
> I worry about removing the protocol from the executable because there
> will be some sites that have constraints requiring them to maintain the
> older protocols. Those older protocols may be unsafe when used in a
> normal web site but for their specific use, perhaps on a private
> network, they may be okay. If the protocol is removed from the
> executable then this creates a hardship for them and would require
> them to split off. That would be worse.
>
> > > (Although it should wake up the admin that they need to merge
> > > files if they modified it. But I all too often see local admins
> > > simply keep their previous version of files without merging. Look
> > > at all of the people with trouble after the sudo secure_path
> > > change for examples.)
> >
> > Note that I suggested the change in the case the file was *not*
> > modified. The admin I was mentioning wanted to keep Debian's
> > default (i.e. without any local change).
> >
> > SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
>
> Agreed.
>
> I worry about the categorization of ciphers as high and medium. Those
> classifications change over time. I prefer to see them listed out
> because that way it is obvious what they mean.
>
> Bob

However, on the restart I logged this in /var/log/apache2/error.log:

[Sat Mar 21 18:08:02 2015] [info] removed PID file /var/run/apache2.pid (pid=2954)
[Sat Mar 21 18:08:02 2015] [notice] caught SIGTERM, shutting down
[Sat Mar 21 18:08:03 2015] [notice] Apache/2.2.22 (Debian) configured -- resuming normal operations
[Sat Mar 21 18:08:03 2015] [info] Server built: Dec 27 2014 21:24:43
[Sat Mar 21 18:08:03 2015] [debug] worker.c(1757): AcceptMutex: sysvsem (default: sysvsem)
[Sat Mar 21 18:08:03 2015] [error] (2)No such file or directory: Couldn't bind unix domain socket /var/log/httpd/${APACHE_RUN_DIR}/cgisock.4944

No clue how to fix this one; APACHE_RUN_DIR is not set in the environment. Broken init.d script perhaps??

[Sat Mar 21 18:08:04 2015] [crit] cgid daemon failed to initialize

But this seems to be a never mind, as it doesn't seem to affect performance in any case. How important is it?

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
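Added example, not part of the thread above: a small POSIX sh script that reports the effective (uncommented, last-wins) SSLProtocol and SSLCipherSuite values in a config file like the wheezy ssl.conf quoted in the thread, and expands the SSLProtocol token list the way mod_ssl evaluates it. The sample config is constructed for the example; treating `all` as including SSLv2 and SSLv3 is an assumption based on the 2.2-era directive documentation.

```shell
#!/bin/sh
# Added example (not from the list thread): find the *effective* SSLProtocol
# and SSLCipherSuite in an Apache config, ignoring commented-out lines, then
# evaluate which protocol versions the SSLProtocol value leaves enabled.

# Constructed sample config, modelled on the wheezy ssl.conf discussed above.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLProtocol all -SSLv3
SSLProtocol all -SSLv2
EOF

# Print the value of the last active (uncommented) occurrence of a directive.
# Apache applies directives in order, so the last one in a scope wins.
effective_directive() {
    # $1 = config file, $2 = directive name (directive names are case-insensitive)
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                   END { print v }' "$1"
}

# Evaluate an SSLProtocol value token by token: "all" enables every version,
# "+X" or bare "X" adds one, "-X" removes one, "-all" clears the set.
# Assumption: the 2.2-era meaning of "all", which included SSLv2 and SSLv3.
# Prints the enabled versions, space-separated, in a fixed order.
enabled_protocols() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            all|+all) enabled="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
            -all)     enabled="" ;;
            -*)       enabled=$(printf '%s\n' $enabled | grep -vx -- "${tok#-}" | tr '\n' ' ') ;;
            +*)       enabled="$enabled ${tok#+}" ;;
            *)        enabled="$enabled $tok" ;;
        esac
    done
    set -- $enabled            # normalise whitespace
    printf '%s\n' "$*"
}

proto=$(effective_directive "$SAMPLE_CONF" SSLProtocol)
printf 'SSLProtocol    : %s  -> enabled: %s\n' "$proto" "$(enabled_protocols "$proto")"
printf 'SSLCipherSuite : %s\n' "$(effective_directive "$SAMPLE_CONF" SSLCipherSuite)"
rm -f "$SAMPLE_CONF"
```

Run against the thread's values, the evaluator shows that `all -SSLv2` still leaves SSLv3 on, and that `-all +TLSv1` enables only the TLSv1 token, so the TLSv1.1 and TLSv1.2 tokens stay off unless added explicitly.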