From owner-freebsd-security@FreeBSD.ORG  Wed May  2 22:14:51 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1A9191065670
	for <freebsd-security@freebsd.org>;
	Wed,  2 May 2012 22:14:51 +0000 (UTC) (envelope-from feld@feld.me)
Received: from feld.me (unknown [IPv6:2607:f4e0:100:300::2])
	by mx1.freebsd.org (Postfix) with ESMTP id D6A898FC15
	for <freebsd-security@freebsd.org>;
	Wed,  2 May 2012 22:14:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=feld.me;
	s=blargle; 
	h=In-Reply-To:Message-Id:From:Mime-Version:Date:References:Subject:To:Content-Type;
	bh=6rE5PifIincHx4VdU0xOxq7fvunHJ9q83RVfweRwEfI=; 
	b=kbqlcNQoN/gs+bKKVnf9oYV12UgW39eOT5l3PQ7twQYnv+yYfro95XRXo4SjnvlvhQMusNKfI/magAQlYsiDpPcR/F27e8Opv8sGH5oPATmvA8FFUlJrCIaKtAW0qEdu;
Received: from localhost ([127.0.0.1] helo=mwi1.coffeenet.org)
	by feld.me with esmtp (Exim 4.77 (FreeBSD))
	(envelope-from <feld@feld.me>) id 1SPhot-0001vW-Hv
	for freebsd-security@freebsd.org; Wed, 02 May 2012 17:14:50 -0500
Received: from feld@feld.me by mwi1.coffeenet.org (Archiveopteryx 3.1.4)
	with esmtpa id 1335996881-30163-30162/5/46; Wed, 2 May 2012 22:14:41
	+0000
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
To: freebsd-security@freebsd.org
References: <CA+QLa9Asg0GkKKihhXLwpwOGz1T3u+JWhqo66L0M1denkeBq_Q@mail.gmail.com>
	<4FA12C1E.3030102@gmail.com> <201205022201.50506.matt@chronos.org.uk>
Date: Wed, 2 May 2012 17:14:41 -0500
Mime-Version: 1.0
From: Mark Felder <feld@feld.me>
Message-Id: <op.wdpb2rip34t2sn@tech304>
In-Reply-To: <201205022201.50506.matt@chronos.org.uk>
User-Agent: Opera Mail/11.62 (FreeBSD)
X-SA-Score: -1.5
Subject: Re: OpenSSL and Heimdal
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2012 22:14:51 -0000

On Wed, 02 May 2012 16:01:49 -0500, Matt Dawson <matt@chronos.org.uk>  
wrote:

> mod_gnutls in ports. Setup is simple for Apache. Prefer the RC4 cipher
> which secures SSLv3 against BEAST. This setup on my own HTTPS servers
> passes Qualys' own tests with an A rating of 87 and tells me BEAST is
> mitigated, although the thing still gives me an error on session
> resumption which I know damned well works. It's all there for server
> side in ports.

Why go out of your way and use mod_gnutls? You can simply set your SSL  
settings like this:

<IfModule ssl_module>
     SSLRandomSeed startup builtin
     SSLRandomSeed connect builtin
     SSLProtocol -ALL +SSLv3 +TLSv1
     SSLHonorCipherOrder     On
     SSLCipherSuite  
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>


And now you have a rating of 85 and no BEAST issues.