Date:      Wed, 2 May 2012 17:14:41 -0500
From:      Mark Felder <feld@feld.me>
To:        freebsd-security@freebsd.org
Subject:   Re: OpenSSL and Heimdal
Message-ID:  <op.wdpb2rip34t2sn@tech304>
In-Reply-To: <201205022201.50506.matt@chronos.org.uk>
References:  <CA+QLa9Asg0GkKKihhXLwpwOGz1T3u+JWhqo66L0M1denkeBq_Q@mail.gmail.com> <4FA12C1E.3030102@gmail.com> <201205022201.50506.matt@chronos.org.uk>

On Wed, 02 May 2012 16:01:49 -0500, Matt Dawson <matt@chronos.org.uk> wrote:

> mod_gnutls in ports. Setup is simple for Apache. Prefer the RC4 cipher
> which secures SSLv3 against BEAST. This setup on my own HTTPS servers
> passes Qualys' own tests with an A rating of 87 and tells me BEAST is
> mitigated, although the thing still gives me an error on session
> resumption which I know damned well works. It's all there for server
> side in ports.

Why go out of your way and use mod_gnutls? You can simply set your SSL settings like this:

<IfModule ssl_module>
     # Seed OpenSSL's PRNG from its builtin source at startup and per connection
     SSLRandomSeed startup builtin
     SSLRandomSeed connect builtin
     # Disable every protocol, then re-enable only SSLv3 and TLS 1.0
     SSLProtocol -ALL +SSLv3 +TLSv1
     # The server's preference order wins over the client's
     SSLHonorCipherOrder     On
     # The two leading AES suites are TLS 1.2-only, so with the protocols above
     # RC4 (a stream cipher, not CBC) is the first suite actually negotiated;
     # then HIGH, minus MD5, anonymous and ephemeral-DH suites
     SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
     # Legacy workaround for old MSIE SSL shutdown/keepalive bugs
     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>


And now you have a rating of 85 and no BEAST issues.
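The block above relies on two things working together: the server enforcing its own cipher order, and the first suite it can actually offer to an SSLv3 or TLS 1.0 client being a non-CBC one (in 2012 that meant RC4; note that RC4 itself was later prohibited for TLS by RFC 7465, so this check says what the posted block achieves against BEAST and nothing else). The script below is an added example, not code from the original mail or from the Apache project: it parses such an <IfModule> block, resolves the SSLProtocol tokens, and reports which suite each enabled protocol would get first. The SUITES table is a hand-maintained subset (an assumption) and the two config strings are constructed samples, one of them the block from the mail.

```python
"""Static check of an Apache mod_ssl block for the server-side BEAST
mitigation discussed in the thread: does the server enforce its own
cipher order, and is the first suite it can actually offer to an
SSLv3 / TLS 1.0 client a non-CBC one?  Added example, not code from the
original mail; the suite table is a hand-maintained subset (assumption)."""
import shlex

# Protocol names as mod_ssl spells them, oldest first.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
RANK = {p: i for i, p in enumerate(ALL_PROTOCOLS)}

# Subset of OpenSSL cipher-string tokens: (minimum protocol, bulk-cipher mode).
# Assumption: 'HIGH' is treated as a CBC group, which is what it mostly
# expanded to in 2012-era OpenSSL.  Tokens not listed here are ignored.
SUITES = {
    "ECDHE-RSA-AES128-SHA256": ("TLSv1.2", "CBC"),
    "AES128-GCM-SHA256":       ("TLSv1.2", "AEAD"),
    "AES256-GCM-SHA384":       ("TLSv1.2", "AEAD"),
    "RC4":                     ("SSLv3",   "STREAM"),
    "RC4-SHA":                 ("SSLv3",   "STREAM"),
    "AES128-SHA":              ("SSLv3",   "CBC"),
    "AES256-SHA":              ("SSLv3",   "CBC"),
    "HIGH":                    ("SSLv3",   "CBC"),
}

# Constructed sample: the block from the mail, as it would sit in httpd.conf.
SAMPLE_CONF = """\
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>
"""

# Constructed counter-example: same suites, but the client picks the order.
CLIENT_ORDER_CONF = SAMPLE_CONF.replace("SSLHonorCipherOrder On",
                                        "SSLHonorCipherOrder Off")


def parse_directives(conf):
    """Map each directive name to the list of argument lists it was given."""
    out = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # skip comments and <IfModule> tags
            continue
        name, *args = shlex.split(line)
        out.setdefault(name, []).append(args)
    return out


def enabled_protocols(tokens):
    """Apply SSLProtocol tokens left to right: '+X' / bare 'X' enable, '-X'
    disables, 'ALL' stands for every protocol the build knows (simplified)."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        targets = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled | targets if sign == "+" else enabled - targets
    return enabled


def first_offered(preference, proto):
    """First suite in the server's list that can be negotiated under proto."""
    for suite in preference:
        if suite in SUITES and RANK[SUITES[suite][0]] <= RANK[proto]:
            return suite
    return None


def check_beast(conf):
    d = parse_directives(conf)
    protocols = enabled_protocols(d["SSLProtocol"][0])
    honor = d.get("SSLHonorCipherOrder", [["off"]])[0][0].lower() == "on"
    preference = [t for t in d["SSLCipherSuite"][0][0].split(":")
                  if not t.startswith("!")]
    offered = {p: first_offered(preference, p)
               for p in sorted(protocols, key=RANK.get)}
    # BEAST only concerns CBC suites on SSLv3 and TLS 1.0; TLS 1.1+ uses
    # explicit per-record IVs.  The server mitigates it if it enforces its
    # order and the first suite it can offer on those protocols is not CBC.
    at_risk = [p for p in protocols if p in ("SSLv3", "TLSv1")]
    mitigated = honor and all(
        offered[p] is not None and SUITES[offered[p]][1] != "CBC"
        for p in at_risk)
    return {"protocols": sorted(protocols, key=RANK.get),
            "honor_order": honor,
            "offered": offered,
            "beast_mitigated": mitigated}


if __name__ == "__main__":
    for label, conf in (("posted config", SAMPLE_CONF),
                        ("client-chosen order", CLIENT_ORDER_CONF)):
        print(label, check_beast(conf))
```

On the posted block the report shows both TLS 1.2-only AES suites as unreachable and RC4 as the first suite offered on SSLv3 and TLS 1.0, which is why the scanner stops flagging BEAST; flipping SSLHonorCipherOrder to Off is enough to lose that, because a client preferring AES-CBC then gets it.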



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.wdpb2rip34t2sn>