Package: apache2
Version: 2.4.9-1
Severity: wishlist
Tags: patch

In apache version 2.4, mods-available/ssl.conf no longer contains any hint about using SSLHonorCipherOrder. (The 2.2 hint was bad anyway.)
The default is to honor client choices by preference, not to honor the server cipher order. However, many clients make weak choices. For example, iceweasel 24.2 prefers AES-128 over AES-256 (see security/nss/lib/ssl/sslenum.c in iceweasel-24.4.0esr). You can test clients' choices here:

https://www.ssllabs.com/ssltest/viewMyClient.html

chromium prefers AES-128 over AES-256 too in many cases.

For that reason, if you have a server with enough CPU power and want good encryption, for example a banking institution, you will want to prefer the server order, which means the strongest choices come first. You can test your favorite server here:

https://www.ssllabs.com/ssltest/analyze.html

The apache documentation is here:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslhonorcipherorder

So I suggest we add these comments in ssl.conf:

    # SSL server cipher order preference:
    # Use server priorities for cipher algorithm choice. Clients usually
    # prefer low grade encryption.
    # You should enable that option if you want stronger encryption, and can
    # afford the CPU cost, and did not override SSLCipherSuite in a bad way.
    # Default: Off
    #SSLHonorCipherOrder on

It might be a good idea to improve apache2-doc upstream, too.

Actually, I wouldn't scream if that were the default, but adding documentation is a good first step.
;)

-- Package-specific info:

-- System Information:
Debian Release: jessie/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-bin   2.4.9-1
ii  apache2-data  2.4.9-1
ii  lsb-base      4.1+Debian12
ii  mime-support  3.54
ii  perl          5.18.2-2+b1
ii  procps        1:3.3.9-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.33

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.0-1
ii  libaprutil1              1.5.3-1+b1
ii  libaprutil1-dbd-sqlite3  1.5.3-1+b1
ii  libaprutil1-ldap         1.5.3-1+b1
ii  libc6                    2.18-4
ii  libldap-2.4-2            2.4.39-1
ii  liblua5.1-0              5.1.5-5
ii  libpcre3                 1:8.31-5
ii  libssl1.0.0              1.0.1g-3
ii  libxml2                  2.9.1+dfsg1-3
ii  perl                     5.18.2-2+b1
ii  zlib1g                   1:1.2.8.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                            <none>
pn  apache2-suexec-pristine | apache2-suexec-custom        <none>
ii  chromium [www-browser]                                 34.0.1847.116-2
ii  iceweasel [www-browser]                                24.4.0esr-1
ii  lynx-cur [www-browser]                                 2.8.8pre5-1
ii  w3m [www-browser]                                      0.5.3-15

Versions of packages apache2 is related to:
ii  apache2      2.4.9-1
ii  apache2-bin  2.4.9-1

-- no debconf information
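The report above only proposes a comment. For readers who want to see the directive in use, here is an added example of a mods-available/ssl.conf fragment with the default client-preference behaviour beside the server-preference setting the report recommends. This is editor-added example configuration, not text from the bug report or from the Debian apache2 package; the file path and the particular SSLCipherSuite list are assumptions chosen to illustrate the point (the suite names are OpenSSL 1.0.1-era names that mod_ssl accepts).

```apache
# Added example, not part of the bug report or of the Debian apache2 package.
# Fragment for /etc/apache2/mods-available/ssl.conf (path assumed).

# Default behaviour (equivalent to leaving the directive unset): the
# client's preference list decides. A client that lists AES-128 before
# AES-256, as the report says iceweasel and chromium do, negotiates
# AES-128 even though the server also offers AES-256.
#SSLHonorCipherOrder off

# Recommended setting: the server's SSLCipherSuite order decides, so the
# list below must be written strongest-first. Every client that supports
# an AES-256 suite then gets one regardless of its own ordering.
SSLHonorCipherOrder on

# Strongest first: ECDHE (forward secrecy) AES-256 GCM, then AES-256 CBC,
# then the AES-128 equivalents, then plain RSA AES as a fallback for older
# clients. Anonymous, null, MD5 and RC4 suites are excluded outright.
# Assumed list for illustration; tune it for your own client population.
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!MD5:!RC4

# SSLv2 and SSLv3 have no place in a configuration that cares about
# cipher strength.
SSLProtocol all -SSLv2 -SSLv3
```

To check the effect without the SSL Labs scanner, connect with a client that deliberately lists the weaker suite first, e.g. `openssl s_client -connect yourhost:443 -cipher 'AES128-SHA:AES256-SHA'`, and look at the `Cipher` line of the output: with `SSLHonorCipherOrder off` the server follows the client and picks AES128-SHA; with `on` and the list above it picks AES256-SHA, because that suite appears earlier in the server's list. Note that `SSLHonorCipherOrder` only reorders suites that `SSLCipherSuite` already enables, which is why the report warns about having overridden `SSLCipherSuite` "in a bad way": enabling server order on top of a weak or badly ordered list changes nothing for the better.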

