On Wed, 02 May 2012 16:01:49 -0500, Matt Dawson <[email protected]> wrote:

mod_gnutls in ports. Setup is simple for Apache. Prefer the RC4 cipher
which secures SSLv3 against BEAST. This setup on my own HTTPS servers
passes Qualys' own tests with an A rating of 87 and tells me BEAST is
mitigated, although the thing still gives me an error on session
resumption which I know damned well works. It's all there for server
side in ports.

Why go out of your way and use mod_gnutls? You can simply set your SSL settings like this:

<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLHonorCipherOrder     On
    SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>


And now you have a rating of 85 and no BEAST issues.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
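
An added example, not part of the original messages: a small model of how the settings quoted above choose a suite. With only SSLv3 and TLSv1 enabled, the two TLSv1.2-only suites at the front of the list cannot be negotiated, so RC4 is the server's effective first choice. The suite table is a constructed subset of what the cipher string expands to, and `negotiate` is a hypothetical helper, not an Apache or OpenSSL API.

```python
# Model of suite selection under "SSLProtocol -ALL +SSLv3 +TLSv1".
# SERVER_ORDER is a constructed subset of the SSLCipherSuite expansion
# (RC4 and HIGH each expand to more suites than are listed here).
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}
ENABLED = {"SSLv3", "TLSv1"}

# (suite name, minimum protocol, uses CBC mode), in server preference order
SERVER_ORDER = [
    ("ECDHE-RSA-AES128-SHA256", "TLSv1.2", True),
    ("AES128-GCM-SHA256", "TLSv1.2", False),
    ("RC4-SHA", "SSLv3", False),
    ("AES256-SHA", "SSLv3", True),
    ("AES128-SHA", "SSLv3", True),
    ("DES-CBC3-SHA", "SSLv3", True),
]


def negotiate(client_offer, client_max, honor_order=True):
    """Return (protocol, suite, beast_exposed), or None if nothing matches."""
    versions = [v for v in ENABLED if RANK[v] <= RANK[client_max]]
    if not versions:
        return None
    version = max(versions, key=RANK.get)
    # Suites defined only for a newer protocol are unusable at this version.
    usable = {name: cbc for name, min_v, cbc in SERVER_ORDER
              if RANK[min_v] <= RANK[version]}
    if honor_order:  # SSLHonorCipherOrder On: server preference wins
        ranked = [n for n in usable if n in client_offer]
    else:            # otherwise the client's order decides
        ranked = [n for n in client_offer if n in usable]
    if not ranked:
        return None
    chosen = ranked[0]
    # BEAST concerns CBC suites on SSLv3 and TLSv1; RC4 is a stream cipher.
    return version, chosen, usable[chosen] and RANK[version] <= RANK["TLSv1"]


# Constructed client offers, in client preference order.
CBC_FIRST = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"]
TLS12_CLIENT = ["ECDHE-RSA-AES128-SHA256", "AES128-GCM-SHA256",
                "AES128-SHA", "RC4-SHA"]
NO_RC4 = ["AES128-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for label, offer, top in [("cbc-first", CBC_FIRST, "TLSv1"),
                              ("tls1.2 client", TLS12_CLIENT, "TLSv1.2"),
                              ("no rc4", NO_RC4, "TLSv1")]:
        print(label, negotiate(offer, top), negotiate(offer, top, False))
```

A client that does not offer RC4 at all still ends up on a CBC suite under TLSv1, so the cipher ordering only helps clients that support RC4.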