Thanks Igor.

1 - Will eventually upgrade to latest, but wanted a solution for 2.2.10 to fix in 
a few days.

2 - I don't see SSLProtocol property in config file for 2.2.10

3 - Thanks for the additional link. Will check it out.

Regards
Denise Edwards


-----Original Message-----
From: Igor Galić [mailto:i.ga...@brainsware.org] 
Sent: Monday, October 18, 2010 1:25 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] SSL vulnerability question


----- "Denise Edwards" <denise.edwa...@bowne.com> wrote:

> Hi,
> 
> 
> 
> Received security scan results which had two issues:
> 
> 1-SSL Server Supports Weak Encryption Vulnerability
> 
> 2-SSL Server Has SSLv2 Enabled Vulnerability
> 
> 
> 
> Two questions:
> 
> - Has anyone had to address these issues for their installation of
> Apache httpd?

Yes.

> - If so what did you do?

Not what you did.

> 
> Background info:
> 
> - I'm using Apache httpd v2.2.10

Why not run the latest ;)

> - SSLCipherSuite property includes high, medium, low and SSLv2


And that's your problem.


SSLProtocol TLSv1 SSLv3
SSLCipherSuite RC4-SHA:AES256-SHA:ALL:!ADH:!MD5

This config should be reasonably fast (at least with 2.3 ;)
and ``PCI DSS compliant''

See Paul Querna's Overclocking mod_ssl article for more info:
http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/

 
> Regards
> 
> Denise


i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
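
Added example, not part of the thread or of the httpd project's code: a check of whether a 2.2-era config leaves SSLv2 on, including the case raised in the reply where no SSLProtocol line exists. It assumes the mod_ssl 2.2 documentation's default of "SSLProtocol all" with "all" meaning +SSLv2 +SSLv3 +TLSv1; the function names and sample configs are hypothetical, and the handling of unprefixed names is an assumption.

```python
import re

# mod_ssl 2.2 protocol names; its docs define "all" as +SSLv2 +SSLv3 +TLSv1,
# and "SSLProtocol all" as the default when the directive is not set.
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
ALL = frozenset(KNOWN.values())


def last_directive(conf, name):
    """Arguments of the last uncommented `name` line in conf, or None."""
    found = None
    for line in conf.splitlines():
        m = re.match(r"\s*%s\s+(\S.*)$" % re.escape(name), line, re.I)
        if m:
            found = m.group(1).strip()
    return found


def enabled_protocols(conf):
    """Protocol set that results from the SSLProtocol line (or its absence)."""
    enabled = set()
    for tok in (last_directive(conf, "SSLProtocol") or "all").split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = ALL if name.lower() == "all" else {KNOWN[name.lower()]}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)  # assumption: an unprefixed name replaces the set
    return enabled


def sslv2_finding(conf):
    """Return a reason string if SSLv2 is on for this config text, else None."""
    if "SSLv2" not in enabled_protocols(conf):
        return None
    if last_directive(conf, "SSLProtocol") is None:
        return "SSLProtocol not set: 2.2 default 'all' includes SSLv2"
    return "SSLProtocol enables SSLv2"


# Constructed samples (not taken from the servers discussed in the thread).
NO_DIRECTIVE = "SSLEngine on\n#SSLProtocol all -SSLv2\n"
ALL_MINUS_V2 = "SSLEngine on\nSSLProtocol all -SSLv2\n"
FROM_REPLY = "SSLProtocol TLSv1 SSLv3\n"  # the line quoted in the reply above

if __name__ == "__main__":
    for label, conf in [("no directive", NO_DIRECTIVE),
                        ("all -SSLv2", ALL_MINUS_V2), ("reply", FROM_REPLY)]:
        print(label, "->", sslv2_finding(conf))
```

The check reads one config text at a time, so run it per file (or per VirtualHost block) and confirm the result against the live listener with a scanner.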
