Hi.

I'm using Apache 2.2.22 and 2.2.16... and I wondered how vulnerable I am
to the BEAST and CRIME attacks...


wrt BEAST:
I know most browsers fix that already... but I'd rather have it really
enforced by the server.
Further, I would prefer not to disable AES or enable RC4 at all.
Also, there are sources on the web which claim that RC4 would actually be
more secure than AES.

There are also sources (e.g.
http://security.stackexchange.com/questions/17080/is-there-a-way-to-mitigate-beast-without-disabling-aes-completely
) which claim that this is a non-issue, as it was fixed in OpenSSL for all
ciphers.


What's the status on CRIME?


And are there any other things one should consider when configuring
mod_ssl?


Should one disable SSLv3 and (once I have upgraded to newer Apache versions)
the older TLS versions... if all users support the new ones?



Thanks,
Chris.


I'm using this mod_ssl configuration:
##SSLPassPhraseDialog builtin
##SSLFIPS off
##SSLInsecureRenegotiation off

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

##SSLCryptoDevice builtin

SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex

SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
##SSLSessionCacheTimeout 300

##SSLRenegBufferSize 131072


SSLProtocol TLSv1 +SSLv3
SSLCipherSuite !FZA:!ADH:!kGOST:!eNULL:!aNULL:!aGOST:!SEED:!GOST94:!IDEA:!RC2:!RC4:!DES:!3DES:!MD5:!GOST89MAC:HIGH:@STRENGTH:+DSS:+DH:+CAMELLIA
SSLStrictSNIVHostCheck on
SSLHonorCipherOrder on
SSLOptions strictRequire
##SSLVerifyClient none
##SSLVerifyDepth 1


SSLProxyProtocol TLSv1 +SSLv3
SSLProxyCipherSuite !FZA:!ADH:!kGOST:!eNULL:!aNULL:!aGOST:!SEED:!GOST94:!IDEA:!RC2:!RC4:!DES:!3DES:!MD5:!GOST89MAC:HIGH:@STRENGTH:+DSS:+DH:+CAMELLIA
SSLProxyVerify require
##SSLProxyVerifyDepth 1
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
