Isn't it safer to only accept explicit entries, like

SSLCipherSuite -ALL:RC4-SHA:AES128-SHA:TLSv1+HIGH:SSLv3+HIGH:-aNULL
SSLProtocol    -ALL +SSLv3 +TLSv1

Nick

On 13/11/2011 11:47, Kaspar Brand wrote:
> On 07.10.2011 07:10, William A. Rowe Jr. wrote:
>> Exactly... we should default to a server with a preference for cryptographic
>> strength, but I have no objection to offering a commented-out, clearly
>> documented 'alternative' configuration favoring performance, provided that
>> is clearly labeled as 'not for sensitive data'.
>
> Now that the dust after the "BEAST" bang has settled somewhat (and
> it's clear that it needs to / will be fixed on the client side [1][2][3]),
> I think it's a good time to revisit the default setting for
> SSLCipherSuite - at least for trunk and 2.4.
>
> My proposal is something like the attached patch - thoughts, objections?
>
> Kaspar
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=665814
> [2] http://codereview.chromium.org/7621002/
> [3] http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
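To see what Nick's explicit "-ALL:..." style actually selects, and how it differs from an "ALL:!..." style that starts from everything, here is an added example (not code from this thread, from httpd or from OpenSSL): a small Python re-implementation of the OpenSSL cipher-string grammar that SSLCipherSuite accepts, run over a constructed table of SSLv3/TLSv1-era suites. The suite table, its key-bit values and its HIGH/MEDIUM/LOW labels are constructed to resemble OpenSSL 1.0.x-era groupings and are assumptions, not an authoritative list; the function names select_ciphers and weak_suites are mine.

```python
"""Toy evaluator for OpenSSL-style cipher strings (the syntax SSLCipherSuite
takes).  Added example: a constructed approximation of OpenSSL's rules, not
OpenSSL or mod_ssl code.  The suite table and its strength labels are
constructed to resemble OpenSSL 1.0.x-era groupings and are not authoritative."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange:   kRSA or kEDH
    auth: str      # authentication: aRSA or aNULL (anonymous)
    enc: str       # AES128, AES256, 3DES, RC4, DES or eNULL
    bits: int      # key bits used by @STRENGTH (constructed values)
    strength: str  # HIGH, MEDIUM, LOW or NULL (constructed grouping)


# Constructed table; order matters because ALL appends in table order.
SUITES: List[Suite] = [
    Suite("DHE-RSA-AES256-SHA", "kEDH", "aRSA",  "AES256", 256, "HIGH"),
    Suite("AES256-SHA",         "kRSA", "aRSA",  "AES256", 256, "HIGH"),
    Suite("ADH-AES128-SHA",     "kEDH", "aNULL", "AES128", 128, "HIGH"),
    Suite("AES128-SHA",         "kRSA", "aRSA",  "AES128", 128, "HIGH"),
    Suite("DES-CBC3-SHA",       "kRSA", "aRSA",  "3DES",   168, "HIGH"),
    Suite("RC4-SHA",            "kRSA", "aRSA",  "RC4",    128, "MEDIUM"),
    Suite("RC4-MD5",            "kRSA", "aRSA",  "RC4",    128, "MEDIUM"),
    Suite("DES-CBC-SHA",        "kRSA", "aRSA",  "DES",     56, "LOW"),
    Suite("NULL-SHA",           "kRSA", "aRSA",  "eNULL",    0, "NULL"),
]

# Keyword aliases.  SSLv3 and TLSv1 both name the SSLv3-era suite set, which
# in this table is every suite.
ALIASES: Dict[str, Callable[[Suite], bool]] = {
    "ALL":    lambda s: s.enc != "eNULL",
    "COMPLEMENTOFALL": lambda s: s.enc == "eNULL",
    "eNULL":  lambda s: s.enc == "eNULL",
    "NULL":   lambda s: s.enc == "eNULL",
    "aNULL":  lambda s: s.auth == "aNULL",
    "aRSA":   lambda s: s.auth == "aRSA",
    "kRSA":   lambda s: s.kx == "kRSA",
    "kEDH":   lambda s: s.kx == "kEDH",
    "ADH":    lambda s: s.kx == "kEDH" and s.auth == "aNULL",
    "HIGH":   lambda s: s.strength == "HIGH",
    "MEDIUM": lambda s: s.strength == "MEDIUM",
    "LOW":    lambda s: s.strength == "LOW",
    "AES":    lambda s: s.enc in ("AES128", "AES256"),
    "RC4":    lambda s: s.enc == "RC4",
    "3DES":   lambda s: s.enc == "3DES",
    "DES":    lambda s: s.enc == "DES",
    "SSLv3":  lambda s: True,
    "TLSv1":  lambda s: True,
}


def matches(suite: Suite, token: str) -> bool:
    """A token is either a keyword alias or an exact suite name."""
    pred = ALIASES.get(token)
    return pred(suite) if pred else suite.name == token


def select_ciphers(spec: str) -> List[str]:
    """Evaluate a colon-separated cipher string left to right.

    No prefix   appends matching suites not already present.
    '-'         removes matches, but a later word may add them back.
    '!'         removes matches permanently.
    '+'         moves matches already present to the end of the list.
    'A+B'       inside a word means a suite must match every part.
    '@STRENGTH' sorts the current list by key bits, strongest first.
    """
    selected: List[Suite] = []
    banned = set()
    for word in spec.split(":"):
        if not word:
            continue
        if word == "@STRENGTH":
            selected.sort(key=lambda s: s.bits, reverse=True)  # stable sort
            continue
        op, body = (word[0], word[1:]) if word[0] in "-+!" else ("", word)
        parts = body.split("+")
        hits = [s for s in SUITES if all(matches(s, p) for p in parts)]
        if op == "!":
            banned.update(s.name for s in hits)
            selected = [s for s in selected if s.name not in banned]
        elif op == "-":
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            moved = [s for s in selected if s in hits]
            selected = [s for s in selected if s not in hits] + moved
        else:
            for s in hits:
                if s not in selected and s.name not in banned:
                    selected.append(s)
    return [s.name for s in selected]


def weak_suites(spec: str) -> List[str]:
    """Defender's check: selected suites that are LOW, NULL-encryption or anonymous."""
    by_name = {s.name: s for s in SUITES}
    return [n for n in select_ciphers(spec)
            if by_name[n].strength in ("LOW", "NULL") or by_name[n].auth == "aNULL"]


if __name__ == "__main__":
    for spec in ("-ALL:RC4-SHA:AES128-SHA:TLSv1+HIGH:SSLv3+HIGH:-aNULL",
                 "ALL:!aNULL",
                 "-ALL:HIGH:MEDIUM:!aNULL:@STRENGTH"):
        print(spec)
        print("  selected:", select_ciphers(spec))
        print("  weak:    ", weak_suites(spec))
```

Running it shows the point of starting from "-ALL": the list is empty until a word names or aliases a suite, so nothing LOW or NULL can slip in unless it is explicitly matched, whereas "ALL:!aNULL" keeps DES-CBC-SHA because ALL admitted it first. It also makes the ordering consequence visible: in Nick's string RC4-SHA is appended before the HIGH suites, so it ends up at the head of the server's preference list; putting HIGH first (or ending with @STRENGTH) is how a strength-first preference is expressed. Finally, "-" and "!" differ: a suite removed with "-" can be re-added by a later word, one removed with "!" cannot.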