Thanks Igor.

1 - Will eventually upgrade to latest, but wanted solution for 2.2.10 to fix in few days.
2 - I don't see SSLProtocol property in config file for 2.2.10
3 - Thanks for the additional link. Will check it out.

Regards
Denise Edwards

-----Original Message-----
From: Igor Galić [mailto:[email protected]]
Sent: Monday, October 18, 2010 1:25 PM
To: [email protected]
Subject: Re: [us...@httpd] SSL vulnerability question

----- "Denise Edwards" <[email protected]> wrote:

> Hi,
>
> Received security scan results which had two issues:
>
> 1-SSL Server Supports Weak Encryption Vulnerability
>
> 2-SSL Server Has SSLv2 Enabled Vulnerability
>
> Two questions:
>
> - Has anyone had to address these issues for their installation of
> Apache httpd

Yes.

> - If so what did you do?

Not what you did.

> Background info:
>
> - I'm using Apache httpd v2.2.10

Why not run the latest ;)

> - SSLCipherSuite property includes high, medium, low and SSLv2

And that's your problem.

  SSLProtocol TLSv1 SSLv3
  SSLCipherSuite RC4-SHA:AES256-SHA:ALL:!ADH:!MD5

This config should be reasonably fast (at least with 2.3 ;)
and ``PCI DSSS compliant''

See Paul Querna's Overclocking mod_ssl article for more info:
http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/

> Regards
>
> Denise

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: [email protected]
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
   "   from the digest: [email protected]
For additional commands, e-mail: [email protected]
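An added example, not part of the thread and not Apache project code: a small audit for the two scanner findings discussed above, including the case where `SSLProtocol` is missing from the file. It assumes Apache 2.2 semantics (`all` means `+SSLv2 +SSLv3 +TLSv1`, and an absent directive behaves like `all`); the function names and the `LEGACY` sample are constructed for illustration.

```python
import re

# Assumption: Apache 2.2 semantics, where "all" means +SSLv2 +SSLv3 +TLSv1 and
# an absent SSLProtocol directive behaves like "SSLProtocol all".
ALL_22 = {"SSLv2", "SSLv3", "TLSv1"}
CANON = {p.lower(): p for p in ALL_22}
# OpenSSL cipher-string keywords that select weak or unencrypted suites.
WEAK_GROUPS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "SSLv2", "eNULL", "NULL"}

# Constructed samples: LEGACY has no active SSLProtocol; FROM_THREAD is the reply's config.
LEGACY = """\
SSLEngine on
# SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""
FROM_THREAD = "SSLProtocol TLSv1 SSLv3\nSSLCipherSuite RC4-SHA:AES256-SHA:ALL:!ADH:!MD5\n"

def directive(conf, name):
    """Argument string of the last uncommented `name` line, or None if absent."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf, re.M | re.I)
    return hits[-1] if hits else None

def effective_protocols(conf):
    """Protocols left enabled by SSLProtocol (single server context assumed)."""
    arg = directive(conf, "SSLProtocol")
    if arg is None:
        return set(ALL_22)  # directive missing: the default still offers SSLv2
    enabled = set()
    for tok in arg.split():
        name = tok.lstrip("+-").lower()
        names = ALL_22 if name == "all" else {CANON.get(name, name)}
        if tok.startswith("-"):
            enabled -= names
        else:  # "+name" or bare name; bare is treated as additive (assumption)
            enabled |= names
    return enabled

def named_weak_groups(conf):
    """Weak keywords named in SSLCipherSuite and not removed with '!'."""
    tokens = [t for t in re.split(r"[:, ]+", directive(conf, "SSLCipherSuite") or "") if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    weak = []
    for t in (t for t in tokens if t[0] not in "!-"):
        for part in t.lstrip("+").split("+"):
            if part in WEAK_GROUPS and part not in excluded and part not in weak:
                weak.append(part)
    return weak

if __name__ == "__main__":
    print(sorted(effective_protocols(LEGACY)), named_weak_groups(LEGACY))
```

The cipher check is a keyword heuristic and does not expand aliases such as `ALL`; for the definitive suite list, run `openssl ciphers -v '<cipher string>'` against the OpenSSL build the server uses.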
