pkgsrc-Users archive
Re: Apache and TLS renegotiation
Matthias Drochner <M.Drochner%fz-juelich.de@localhost> wrote:
> You could try to build apache against pkgsrc/openssl which is 0.9.8q
> and thus supports RFC5746.
Yes, that works.
FWIW, here are the interesting options to get a good score at Qualys'
SSL Labs test at https://www.ssllabs.com/ssldb/index.html (assuming the
certificate is not self-signed and the private key is long enough):
# Enable Strict-Transport-Security (means the client should only use HTTP/SSL)
Header set Strict-Transport-Security "max-age=15768000"
# Enable session resumption (SSL speedup)
SSLSessionCache dbm:/var/db/httpd/mod_ssl_scache
SSLSessionCacheTimeout 300
# Disable vulnerable SSLv2 and algorithms < 128 bits.
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
It seems enabling SSLv3 costs a few points. Is SSLv3 really vulnerable?
As I understand it, there are clients out there that do not support
TLSv1, therefore disabling SSLv3 is a security vs. compatibility tradeoff.
Is anyone knowledgeable about that?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu%netbsd.org@localhost
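The settings above (protocol versions, cipher-string exclusions, the HSTS header and the session cache) are the kind of thing one wants to check mechanically before pointing SSL Labs at a host. The script below is an added example, not code from the post or from pkgsrc: it lints an Apache mod_ssl fragment for exactly those directives. The directive names are real mod_ssl/mod_headers directives; the expansion of `all` to every protocol version (true of Apache 2.2, where this thread sits; later releases drop SSLv2 from `all`), the 180-day HSTS minimum and the RC4 warning (RFC 7465 prohibits RC4 today) are my own assumptions, and both configuration strings are constructed inline so it runs offline.

```python
"""Lint an Apache mod_ssl configuration fragment for the hardening
directives discussed in the thread.  Added example; the checks and
thresholds are assumptions, not an official Apache or SSL Labs rule set."""
import re
import shlex

# Protocol names mod_ssl understands across versions.
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Exclusions the posted cipher string relies on ('!' terms in OpenSSL syntax).
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "LOW", "EXP"}
MIN_HSTS_AGE = 15552000  # 180 days; assumption, a common minimum for HSTS


def parse_directives(text):
    """Yield (directive, [args]) for each non-blank, non-comment line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours the quoted HSTS value
        out.append((parts[0], parts[1:]))
    return out


def enabled_protocols(args):
    """Apply the SSLProtocol grammar: 'all', '+X', '-X' or bare 'X'.
    Assumption: 'all' expands to every name in PROTOCOLS (Apache 2.2)."""
    enabled = set()
    for tok in args:
        if tok.lower() == "all":
            enabled |= PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def cipher_findings(spec):
    """Check an OpenSSL cipher string for the exclusions the post depends on."""
    tokens = spec.split(":")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    findings = [f"SSLCipherSuite does not exclude {name} with '!{name}'"
                for name in sorted(REQUIRED_EXCLUSIONS - excluded)]
    if any("RC4" in t and not t.startswith("!") for t in tokens):
        findings.append("SSLCipherSuite still permits RC4 (prohibited by RFC 7465)")
    return findings


def hsts_max_age(args):
    """Return max-age from 'Header [always] set Strict-Transport-Security "..."',
    0 if the header has no max-age, or None if this is some other Header line."""
    if args and args[0].lower() == "always":
        args = args[1:]
    if len(args) < 3 or args[0].lower() != "set" \
            or args[1].lower() != "strict-transport-security":
        return None
    m = re.search(r"max-age=(\d+)", args[2])
    return int(m.group(1)) if m else 0


def lint(config_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings, seen, hsts = [], set(), None
    for name, args in parse_directives(config_text):
        key = name.lower()
        seen.add(key)
        if key == "sslprotocol":
            for proto in sorted(enabled_protocols(args) & WEAK_PROTOCOLS):
                findings.append(f"SSLProtocol enables {proto}")
        elif key == "sslciphersuite" and args:
            findings += cipher_findings(args[0])
        elif key == "header":
            age = hsts_max_age(args)
            if age is not None:
                hsts = age
    if hsts is None:
        findings.append("no Strict-Transport-Security header is set")
    elif hsts < MIN_HSTS_AGE:
        findings.append(f"Strict-Transport-Security max-age={hsts} is below {MIN_HSTS_AGE}")
    if "sslsessioncache" not in seen:
        findings.append("SSLSessionCache is not configured (no session resumption)")
    return findings


# The fragment from the post, embedded here as sample input.
POSTED_CONFIG = """\
Header set Strict-Transport-Security "max-age=15768000"
SSLSessionCache dbm:/var/db/httpd/mod_ssl_scache
SSLSessionCacheTimeout 300
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""

# Constructed: a stock-looking vhost with no hardening at all.
DEFAULT_CONFIG = """\
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("default", DEFAULT_CONFIG)):
        print(f"== {label} ==")
        for f in lint(cfg) or ["no findings"]:
            print(" -", f)
```

Run against the posted fragment the linter reports only the two points still open in the thread, SSLv3 being enabled and RC4 being accepted; against the unhardened fragment it reports both SSLv2 and SSLv3, the four missing exclusions, RC4, the missing HSTS header and the missing session cache. Because `all` is expanded pessimistically, the check errs toward flagging a protocol your Apache build may no longer offer; confirm with `openssl s_client -ssl3` (or SSL Labs) before changing a production host.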