Hi Bill,

On 02.10.2011 09:07, William A. Rowe Jr. wrote:
> On 9/29/2011 9:31 AM, Rainer Jung wrote:
>> In light of the TLS 1.0 CBC attack (aka BEAST, CVE-2011-3389) I suggest
>> we update our SSL configuration analogous to what's in trunk.
>>
>> - Choose a better default SSLCipherSuite
>> - Add SSLHonorCipherOrder
>> - restrict MSIE exceptions to MSIE 2-5
> 
> -1 in this respect; faster is not more secure.  We must default to setting
> the strictest cipher choices, with a commented-out "this is faster, but far
> less secure" alternative for those with less targeted assets.
> 
> If someone is enabling mod_ssl, it is to secure their traffic, not to speed
> up their server.
> 
> And no, MD4, although immune to *this* vector, is simply not preferable.

Our current 2.2.x SSLCipherSuite contains e.g. SSLv2 and export ciphers.
So there is a need to improve. My suggestion is a straight backport from
trunk.

So what is the "strictest cipher choice" you suggest?

Regards,

Rainer
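For readers following the three bullet points above, here is an added configuration example that is not from this thread or from httpd trunk: a permissive SSLCipherSuite of the kind the 2.2.x default used, beside a hardened replacement with the directives Rainer lists. The hardened cipher string, the exact BrowserMatch pattern and the commented-out weak line are illustrative assumptions, not the actual trunk or 2.2.x values.

```apache
# Added example; not the project's shipped httpd-ssl.conf.

# --- Weak: permissive string in the style of the 2.2.x default under
# --- discussion (assumed here). It admits SSLv2, export-grade and
# --- NULL-encryption suites, and without SSLHonorCipherOrder the
# --- client's preference wins.
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# --- Hardened replacement (illustrative values, assumed, not trunk's):

# Drop SSLv2 entirely.
SSLProtocol all -SSLv2

# Strong and medium suites only; exclude anonymous DH (no server
# authentication), NULL encryption, export-grade keys and MD5 MACs.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!MD5

# Use the server's order above rather than the client's preference.
# Requires OpenSSL 0.9.7 or later.
SSLHonorCipherOrder on

# Keep the legacy MSIE workarounds, but only for MSIE 2-5 (assumed
# pattern; 2.2.x matched MSIE 2-6).
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

# Before deploying, expand the string and review every suite it admits:
#   openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!MD5'
```

The `openssl ciphers -v` check matters because a cipher string is evaluated left to right against whatever the linked OpenSSL build supports, so the same string can admit different suites on different hosts; review the expanded list on the build you actually run.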
