Your message dated Tue, 15 Feb 2011 23:17:25 +0000
with message-id <e1ppu97-0004sb...@franck.debian.org>
and subject line Bug#609126: fixed in apache2 2.2.17-1
has caused the Debian Bug report #609126,
regarding Please improve default SSL configuration
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
609126: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny9
Severity: wishlist
Tags: security
The default SSL configuration found on lenny (and - without having
checked - I think on squeeze and sid, too) is to use this cipher suite:
SSLCipherSuite HIGH:MEDIUM:!ADH
Lenny's openssl 0.9.8g-15+lenny11 makes this:
> $ openssl ciphers -v 'HIGH:MEDIUM:!ADH'
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
> RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
> RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
This includes SSLv2 ciphers, ciphers with MD5 based MAC, and ciphers are
returned in no particular order.
While SSLv2 ciphers are factually disabled by a separate mod_ssl
directive of
SSLProtocol all -SSLv2
it would seem nicer to disable it wherever possible to make it clear
they are not to be supported.
I recommend using the following cipher suite for mod_ssl on Debian, and
would like to suggest that Debian should use this by default in Lenny
and later releases:
SSLCipherSuite HIGH:MEDIUM:!SSLv2:!aNULL:!MD5:@STRENGTH
This results in a much improved cipher list:
> $ openssl ciphers -v 'HIGH:MEDIUM:!SSLv2:!aNULL:!MD5:@STRENGTH'
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
At the same time, and this is important when picking a cipher suite, it
is somewhat future-proof. While an approach of specifically whitelisting
or blacklisting ciphers could be better, this would require the server
administrator(s) (and/or package maintainer(s)) to continuously keep up
to speed by following the latest developments in cryptanalysis. On the
contrary, the approach suggested here is universal, disables only what
is known to be unsafe, and otherwise relies on the expertise of OpenSSL
upstream.
Tests I've run for some months now indicate that the suggested
ciphersuite does not shut out common clients.
I also recommend adding this additional statement to ssl.conf:
# Server, not client, decides on cipher order -> enforce @STRENGTH
SSLHonorCipherOrder on
Moritz
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.2.17-1
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:
apache2-dbg_2.2.17-1_i386.deb
to main/a/apache2/apache2-dbg_2.2.17-1_i386.deb
apache2-doc_2.2.17-1_all.deb
to main/a/apache2/apache2-doc_2.2.17-1_all.deb
apache2-mpm-event_2.2.17-1_i386.deb
to main/a/apache2/apache2-mpm-event_2.2.17-1_i386.deb
apache2-mpm-itk_2.2.17-1_i386.deb
to main/a/apache2/apache2-mpm-itk_2.2.17-1_i386.deb
apache2-mpm-prefork_2.2.17-1_i386.deb
to main/a/apache2/apache2-mpm-prefork_2.2.17-1_i386.deb
apache2-mpm-worker_2.2.17-1_i386.deb
to main/a/apache2/apache2-mpm-worker_2.2.17-1_i386.deb
apache2-prefork-dev_2.2.17-1_i386.deb
to main/a/apache2/apache2-prefork-dev_2.2.17-1_i386.deb
apache2-suexec-custom_2.2.17-1_i386.deb
to main/a/apache2/apache2-suexec-custom_2.2.17-1_i386.deb
apache2-suexec_2.2.17-1_i386.deb
to main/a/apache2/apache2-suexec_2.2.17-1_i386.deb
apache2-threaded-dev_2.2.17-1_i386.deb
to main/a/apache2/apache2-threaded-dev_2.2.17-1_i386.deb
apache2-utils_2.2.17-1_i386.deb
to main/a/apache2/apache2-utils_2.2.17-1_i386.deb
apache2.2-bin_2.2.17-1_i386.deb
to main/a/apache2/apache2.2-bin_2.2.17-1_i386.deb
apache2.2-common_2.2.17-1_i386.deb
to main/a/apache2/apache2.2-common_2.2.17-1_i386.deb
apache2_2.2.17-1.diff.gz
to main/a/apache2/apache2_2.2.17-1.diff.gz
apache2_2.2.17-1.dsc
to main/a/apache2/apache2_2.2.17-1.dsc
apache2_2.2.17-1_i386.deb
to main/a/apache2/apache2_2.2.17-1_i386.deb
apache2_2.2.17.orig.tar.gz
to main/a/apache2/apache2_2.2.17.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 609...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 15 Feb 2011 23:30:18 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.17-1
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description:
apache2 - Apache HTTP Server metapackage
apache2-dbg - Apache debugging symbols
apache2-doc - Apache HTTP Server documentation
apache2-mpm-event - Apache HTTP Server - event driven model
apache2-mpm-itk - multiuser MPM for Apache 2.2
apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
apache2-mpm-worker - Apache HTTP Server - high speed threaded model
apache2-prefork-dev - Apache development headers - non-threaded MPM
apache2-suexec - Standard suexec program for Apache 2 mod_suexec
apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
apache2-threaded-dev - Apache development headers - threaded MPM
apache2-utils - utility programs for webservers
apache2.2-bin - Apache HTTP Server common binary files
apache2.2-common - Apache HTTP Server common files
Closes: 608488 609126
Changes:
apache2 (2.2.17-1) unstable; urgency=low
.
* New upstream version
* Disable md5 in mod_ssl default cipher suite. Closes: #609126
* Fix order of comments in "worker" section in apache2.conf. Closes: #608488
Checksums-Sha1:
ac922f5ae0859deac42fd5068c2c7d59a8220d3c 1796 apache2_2.2.17-1.dsc
965c2175bbbddce8ba22e76c14e26ebfe5e07451 6597991 apache2_2.2.17.orig.tar.gz
6b9f467acba90c563dbf4a67876a2a73854ba433 204557 apache2_2.2.17-1.diff.gz
ec58cd9499eba19d00f0a592b4e3b0c6dc5180b9 2308474 apache2-doc_2.2.17-1_all.deb
7697137607dc17f160c63a217054fd95fffdb48a 308050 apache2.2-common_2.2.17-1_i386.deb
47abd0e541c89c0eea1706ac1857e8d13f23e954 1347246 apache2.2-bin_2.2.17-1_i386.deb
0e23410930e9309720daf6450cf0d184162334e0 2226 apache2-mpm-worker_2.2.17-1_i386.deb
43d0a3703257878b159c85d9e72dd882cb036254 2276 apache2-mpm-prefork_2.2.17-1_i386.deb
a0b4639e9face21f551694a4cacd3778c82ccd51 2254 apache2-mpm-event_2.2.17-1_i386.deb
6c4d963530158e79fa3d22be4588bea338b2d179 2282 apache2-mpm-itk_2.2.17-1_i386.deb
9bffabf41ae9309512d2f6d39a121a5343faf192 165214 apache2-utils_2.2.17-1_i386.deb
1b4165aa23514232a4ffe15dec9efbb61e836c3e 99864 apache2-suexec_2.2.17-1_i386.deb
a17739ea28fcd490298620e97a4cfd6343d3a2d2 101308 apache2-suexec-custom_2.2.17-1_i386.deb
c7ab8818bc660eaebef45584317af8b374278d28 1388 apache2_2.2.17-1_i386.deb
fe318c47ac82844a6b1934b230e192b9aa409f7d 137346 apache2-prefork-dev_2.2.17-1_i386.deb
db064d5f4147e3b74d770ee6226780e5a654141d 138474 apache2-threaded-dev_2.2.17-1_i386.deb
52b0f86399bf2b754db4089b1b6037ea4ee1c062 2683254 apache2-dbg_2.2.17-1_i386.deb
Checksums-Sha256:
09a124a64e99a52c498c27028ca7e840f6fd5c715f1a44631ddf5882727162e5 1796 apache2_2.2.17-1.dsc
17c0aa66a704d04b4a1952eb3b077146104f923a53d602297e1def01344ac876 6597991 apache2_2.2.17.orig.tar.gz
389e76c1a098db43144afd82604438308f143e64429799f5493ad771881660e1 204557 apache2_2.2.17-1.diff.gz
1bfd62c5c4aae96f5574cbaef868307cd05e66df8df4e2f4b5b8ada329216f12 2308474 apache2-doc_2.2.17-1_all.deb
8e76550a59bf09caf18800f481c4f1355505da3c49e612d0d60b25eb6dda7fcc 308050 apache2.2-common_2.2.17-1_i386.deb
ea4a7534fb6e95760502542d31d67f4577d1554dae1a1f7cae9a29c763aa56ef 1347246 apache2.2-bin_2.2.17-1_i386.deb
4040acc0f7fc624c2dc94ea54bcbd2447cc17661fa77c72dd70c201dab4f5847 2226 apache2-mpm-worker_2.2.17-1_i386.deb
3e2d27e51e1af5451927ece6d4aee7cba0bacaffa28913e404499378030f69ec 2276 apache2-mpm-prefork_2.2.17-1_i386.deb
d5f260e7b4ce0b54a66b2129989ed3e131ce44892ddf31f60e0d902dbf0b66f2 2254 apache2-mpm-event_2.2.17-1_i386.deb
d64f4a990f014b9518b7b541b350f47395985b51b868113bda5fd0832ec266d8 2282 apache2-mpm-itk_2.2.17-1_i386.deb
1f85be15103ee6c59b225bb262a647d1afc8a42917d87788a39a9644d720aefb 165214 apache2-utils_2.2.17-1_i386.deb
a526f39790a4edbb1edd36adf0183701d0ae1930489c5f25afac1a1cec2a6531 99864 apache2-suexec_2.2.17-1_i386.deb
9ea46c88808c624b15eee23c3cd6a5bb5262b393cddcabd4c95cd097c4b8424d 101308 apache2-suexec-custom_2.2.17-1_i386.deb
248e95ace9594ae7aaf61b4e224d2f27c8212945ca39ebacf3db256f1c98fccd 1388 apache2_2.2.17-1_i386.deb
85fc0cbd556fc0cad121ae2abb3e087d79f288cfe91cd47dd848be2074c7c67e 137346 apache2-prefork-dev_2.2.17-1_i386.deb
790ebf47c53a979619fa86ccae7eaade9c3620278ffee72d222f80ea71349f1f 138474 apache2-threaded-dev_2.2.17-1_i386.deb
1bb486b1e1529d332e660c00315652d61fa064d786a066dfea15ca60f37db463 2683254 apache2-dbg_2.2.17-1_i386.deb
Files:
46f7bfe8127e8b70abd65ce5b84dcc40 1796 httpd optional apache2_2.2.17-1.dsc
66d8e107f85acc039fd5e624e85728a9 6597991 httpd optional apache2_2.2.17.orig.tar.gz
8077022197ccdf2bd5920c183957e99c 204557 httpd optional apache2_2.2.17-1.diff.gz
58375e5d628dc61ede07980af019249a 2308474 doc optional apache2-doc_2.2.17-1_all.deb
8757d7a40af7c5e6ec01ab979b8d1af3 308050 httpd optional apache2.2-common_2.2.17-1_i386.deb
fed8703bfea800587edffe08444bb3f1 1347246 httpd optional apache2.2-bin_2.2.17-1_i386.deb
d279a461c1ef6f784087ec0de3d2be8d 2226 httpd optional apache2-mpm-worker_2.2.17-1_i386.deb
0bf080a7e18b8797b442c136646bf9a4 2276 httpd optional apache2-mpm-prefork_2.2.17-1_i386.deb
48fd5cacd87ef9c963fffc0c96db029b 2254 httpd optional apache2-mpm-event_2.2.17-1_i386.deb
000f11a615acf4f6271e138aa0f37d80 2282 httpd extra apache2-mpm-itk_2.2.17-1_i386.deb
45769566a44bc859852f48e36dac8b02 165214 httpd optional apache2-utils_2.2.17-1_i386.deb
9f28d84f4a08548330c7eb3c21a61a20 99864 httpd optional apache2-suexec_2.2.17-1_i386.deb
9d2b9c9c9f98b31dda415c7904eea077 101308 httpd extra apache2-suexec-custom_2.2.17-1_i386.deb
dce61593ecc55943bcb61ebd682f55ec 1388 httpd optional apache2_2.2.17-1_i386.deb
d0745c827cbd73f80b10e5b9f43e1edb 137346 httpd extra apache2-prefork-dev_2.2.17-1_i386.deb
2e4628d15e73b0989582d32d1516654b 138474 httpd extra apache2-threaded-dev_2.2.17-1_i386.deb
e9244b4ff459db9ca7ba19822652eba6 2683254 debug extra apache2-dbg_2.2.17-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFNWwA6bxelr8HyTqQRAjF0AJ9OR+fART16wLoqNqnUY16yPT2J1ACdHpkh
LDeSDoT7pZvfu2hA0HyY9Lk=
=+y6v
-----END PGP SIGNATURE-----
--- End Message ---