On 9/29/2011 9:31 AM, Rainer Jung wrote:
> In light of the TLS 1.0 CBC attack (aka BEAST, CVE-2011-3389) I suggest
> we update our SSL configuration analogous to what's in trunk.
>
> - Choose a better default SSLCipherSuite
> - Add SSLHonorCipherOrder
> - restrict MSIE exceptions to MSIE 2-5

-1 in this respect; faster is not more secure. We must default to setting the strictest cipher choices, with a commented-out "this is faster, but far less secure" alternative for those with less targeted assets. If someone is enabling mod_ssl, it is to secure their traffic, not to speed up their server. And no, MD4, although immune to *this* vector, is simply not preferable.
