From owner-freebsd-i386@FreeBSD.ORG Thu May 12 21:20:09 2011
Message-Id: <201105122118.p4CLIHjL016308@red.freebsd.org>
Date: Thu, 12 May 2011 21:18:17 GMT
From: Adrian Dimcev
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: i386/156987: Harden SSL cipher suites strength and SSL protocol support of /usr/local/etc/apache/extra/httpd-ssl.conf
List-Id: I386-specific issues for FreeBSD

>Number: 156987
>Category: i386
>Synopsis: Harden SSL cipher suites strength and SSL protocol support of /usr/local/etc/apache/extra/httpd-ssl.conf
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu May 12 21:20:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Adrian Dimcev
>Release: FreeBSD-8.2-RELEASE-i386
>Organization:
>Environment:
>Description:
While testing the default configuration of the SSL part (mod_ssl included) of Apache2 of FreeBSD 8.2 (i386), it was noted that the default /usr/local/etc/apache/extra/httpd-ssl.conf configuration regarding SSL cipher suite strength and SSL protocol support is pretty bad: SSL 2.0 is enabled, and weak cipher suites (DES based) and export cipher suites (including RC2 based ones) are enabled.
-> These should be disabled by default.

Test results:
http://www.carbonwind.net/blog/post/On-scope-default-SSLTLS-settings-shipped-on-various-Linux-distros-for-Apache-22x.aspx
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
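
Added example (not part of the problem report, and not the port's or the submitter's code): a Python check that reads an httpd-ssl.conf and reports the three weaknesses the report names (SSL 2.0, DES-based suites, export suites). Both sample configurations are constructed; the selector table is a simplified model of OpenSSL cipher-list syntax, and the fallback values used when a directive is absent are assumptions.

```python
import re

# Weak class -> selectors that cover the whole class. Simplified model, not
# OpenSSL's own evaluation; compound selectors such as RC4+RSA are not modelled.
WEAK_CLASSES = {
    "export-grade ciphers": {"ALL", "EXP", "EXPORT"},
    "single-DES ciphers": {"ALL", "LOW", "DES"},
    "SSLv2-only ciphers": {"ALL", "SSLv2"},
}

def directive(conf, name, default):
    """Argument of the last uncommented `name` directive, else `default`."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf, re.M | re.I)
    return hits[-1] if hits else default

def enabled_protocols(spec):
    """Evaluate an SSLProtocol argument left to right (Apache 2.2 protocol names)."""
    known, on = {"sslv2", "sslv3", "tlsv1"}, set()
    for tok in spec.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = known if name == "all" else known & {name}
        on = on - names if sign == "-" else on | names
    return on

def weak_cipher_classes(spec):
    """Weak classes that an SSLCipherSuite argument still admits."""
    enabled, killed = set(), set()
    for item in re.split(r"[:, ]+", spec.strip()):
        if not item or item[0] in "+@":
            continue  # "+X" and "@STRENGTH" only reorder the list
        sign, name = (item[0], item[1:]) if item[0] in "!-" else ("", item)
        for label, cover in WEAK_CLASSES.items():
            if sign == "" and name in cover:
                enabled.add(label)
            elif sign and name in cover:
                enabled.discard(label)   # "-" can be undone by a later selector
                if sign == "!":
                    killed.add(label)    # "!" removes the class permanently
    return [label for label in WEAK_CLASSES if label in enabled - killed]

def audit(conf):
    """Findings for one configuration context (assumed: no per-vhost overrides)."""
    # Assumption: an absent SSLProtocol acts as "all" (Apache 2.2, SSLv2 included)
    # and an absent SSLCipherSuite is treated as the broad selector ALL.
    proto = directive(conf, "SSLProtocol", "all")
    findings = ["SSLv2 protocol enabled"] if "sslv2" in enabled_protocols(proto) else []
    return findings + weak_cipher_classes(directive(conf, "SSLCipherSuite", "ALL"))

# Constructed samples, not the port's actual file.
WEAK_CONF = "SSLEngine on\nSSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\n"
HARDENED_CONF = "SSLEngine on\nSSLProtocol all -SSLv2\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2\n"
```

In the weak sample, `!EXPORT56` excludes only the 56-bit export suites and `+EXP`/`+LOW` merely reorder what `ALL` already admitted, so all three weak classes stay enabled alongside the SSLv2 protocol.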