On 06.10.2011 10:58, Rainer Jung wrote:
> Hi Bill,
>
> On 02.10.2011 09:07, William A. Rowe Jr. wrote:
>> On 9/29/2011 9:31 AM, Rainer Jung wrote:
>>> In light of the TLS 1.0 CBC attack (aka BEAST, CVE-2011-3389) I suggest
>>> we update our SSL configuration analogous to what's in trunk.
>>>
>>> - Choose a better default SSLCipherSuite
>>> - Add SSLHonorCipherOrder
>>> - restrict MSIE exceptions to MSIE 2-5
>>
>> -1 in this respect; faster is not more secure. We must default to setting
>> the strictest cipher choices, with a commented-out "this is faster, but far
>> less secure" alternative for those with less targeted assets.
>>
>> If someone is enabling mod_ssl, it is to secure their traffic, not to speed
>> up their server.
>>
>> And no, MD4, although immune to *this* vector, is simply not preferable.
>
> Our current 2.2.x SSLCipherSuite contains e.g. SSLv2 and export ciphers.
> So there is a need to improve. My suggestion is a straight backport from
> trunk.
>
> So what is the "strictest cipher choice" you suggest?
I might have misunderstood you. Are you only worried about *activating* SSLHonorCipherOrder? Note that in trunk and as proposed here the corresponding comment and config block are commented out, so not active by default. See my original post.

Regards,

Rainer
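The two configurations the thread contrasts, as an added illustration that is not taken from the thread or from httpd's own files: the 2.2.x default SSLCipherSuite string is reproduced from memory, and the replacement block is modelled on the trunk layout Rainer describes (strict default active, the speed-oriented alternative and SSLHonorCipherOrder commented out). Treat the exact cipher strings as assumptions to check against the real httpd-ssl.conf of each branch.

```apache
# --- Before: 2.2.x-style default (assumed string, reconstructed from memory).
# "+SSLv2" keeps SSLv2-era suites and "+EXP" keeps export-grade suites in the
# negotiable list, which is the weakness Rainer points out.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# --- After: strict default, modelled on the trunk layout described in the thread.
# Only HIGH and MEDIUM strength suites; anonymous (aNULL) and MD5-MAC suites
# are excluded outright, so SSLv2 and export ciphers can no longer be offered.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# Speed-oriented alternative, shipped commented out exactly as the thread says:
# a server-preferred order is only enforced once SSLHonorCipherOrder is enabled.
# (Assumed example ciphers; prepending RC4-SHA/AES128-SHA prefers suites without
# forward secrecy, so this stays disabled unless that trade-off is intended.)
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on

# MSIE workarounds narrowed to MSIE 2-5 (the third bullet in the proposal),
# instead of applying the downgrade to every MSIE version as 2.2.x did.
BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
```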