pkgsrc-Users archive


Re: Apache and TLS renegotiation

Matthias Drochner <> wrote:

> You could try to build apache against pkgsrc/openssl which is 0.9.8q
> and thus supports RFC5746.

Yes, that works.

FWIW, here are the interesting options to get a good score at Qualys'
SSL Labs test at (assuming the
certificate is not self-signed and the private key is long enough)

# Enable Strict-Transport-Security (means client should only use
Header set Strict-Transport-Security "max-age=15768000"

# Enable session resumption (SSL speedup)
SSLSessionCache         dbm:/var/db/httpd/mod_ssl_scache
SSLSessionCacheTimeout  300

# Disable vulnerable SSLv2 and algorithms < 128 bits.
SSLProtocol all -SSLv2

It seems enabling SSLv3 costs a few points. Is SSLv3 really vulnerable?
As I understand it, there are clients out there that do not support
TLSv1, so disabling SSLv3 is a security vs. compatibility tradeoff.
Is anyone knowledgeable about that?

Emmanuel Dreyfus
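The three settings discussed in the mail (HSTS header, session cache, SSLProtocol) can be checked offline before reloading httpd. The script below is an added example, not code from the mail or from pkgsrc: it parses a mod_ssl configuration fragment and reports the findings SSL Labs would penalize. It assumes the httpd 2.2-era meaning of `SSLProtocol all` (SSLv2, SSLv3 and TLSv1) and uses the `max-age` value from the mail as the HSTS threshold; the two configuration fragments are constructed sample input, one deliberately weak and one hardened.

```python
import re

# Constructed sample input: a weak fragment that relies on mod_ssl defaults.
WEAK_CONF = """\
SSLEngine on
SSLProtocol all
SSLSessionCacheTimeout 300
"""

# Constructed sample input: the directives from the mail, with SSLv3 also disabled.
HARDENED_CONF = """\
Header set Strict-Transport-Security "max-age=15768000"
SSLSessionCache dbm:/var/db/httpd/mod_ssl_scache
SSLSessionCacheTimeout 300
SSLProtocol all -SSLv2 -SSLv3
"""

# max-age used in the mail: 15768000 seconds is roughly six months.
HSTS_MIN_MAX_AGE = 15768000

# Assumption: httpd 2.2-era mod_ssl, where "all" expands to these three versions.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def parse_directives(text):
    """Return (name, args) tuples for each directive, skipping comments and blank lines."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return directives


def enabled_protocols(args):
    """Expand an SSLProtocol argument string into the set of enabled versions.

    Tokens may be bare names, "+name" (enable) or "-name" (disable); "all"
    stands for every version mod_ssl knows about, and order matters.
    """
    enabled = set()
    for token in args.split():
        disable = token.startswith("-")
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if disable:
            enabled -= names
        else:
            enabled |= names
    return enabled


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    directives = parse_directives(text)
    names = {name for name, _ in directives}

    # HSTS: the header must be set and carry a long enough max-age.
    hsts = [args for name, args in directives
            if name == "Header" and "Strict-Transport-Security" in args]
    if not hsts:
        findings.append("HSTS: no Strict-Transport-Security header is set")
    else:
        match = re.search(r"max-age=(\d+)", hsts[-1])
        if not match or int(match.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("HSTS: max-age is shorter than %d seconds" % HSTS_MIN_MAX_AGE)

    # Session resumption needs a configured cache, not just a timeout.
    if "SSLSessionCache" not in names:
        findings.append("Session resumption: SSLSessionCache is not configured")

    # Protocols: mod_ssl defaults to "all" when SSLProtocol is absent.
    protocol_lines = [args for name, args in directives if name == "SSLProtocol"]
    enabled = enabled_protocols(protocol_lines[-1] if protocol_lines else "all")
    if "SSLv2" in enabled:
        findings.append("Protocols: SSLv2 is enabled")
    if "SSLv3" in enabled:
        findings.append("Protocols: SSLv3 is enabled (compatibility tradeoff; costs SSL Labs points)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %s" % (label, audit(conf) or ["no findings"]))
```

Run it as a script to see both reports, or feed the contents of the real `ssl.conf` to `audit()`. The protocol check only reads the last `SSLProtocol` directive, which matches how a single virtual host is evaluated; per-vhost overrides would need the fragment split per `<VirtualHost>` block first.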
