Commit ID:      1004FA7D5EA7396A66A
CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]    2012/05/07 14:05:20 UTC

Modified files:
        usr.sbin/httpd/conf: httpd.conf

Log message:
CVE-2011-3389: disallow CBC ciphersuites for SSL entirely (short-term)

also add another ciphersuite re-enabling eDH, which should be combined
with unmasking the CBC fix from SSL_OP_ALL in mod_ssl (via an httpd.conf
option); possibly (?) with adding SSLHonorCipherOrder, although this
may let current-time clients drop PFS, so (considering that even MSIE 5.0
negotiates “TLS 1.0, RC4 with 128 bit encryption (High); RSA with 4096 bit
exchange” just fine it is a non-issue, so no SSLHonorCipherOrder I guess
(which also proves we don’t need SSLv3; TLSv1 works in IE5)

To generate a diff of this changeset, execute the following commands:
cvs -R rdiff -kk -upr1.17 -r1.18 src/usr.sbin/httpd/conf/httpd.conf
