Date: Wed, 2 May 2012 17:14:41 -0500 From: Mark Felder <feld@feld.me> To: freebsd-security@freebsd.org Subject: Re: OpenSSL and Heimdal Message-ID: <op.wdpb2rip34t2sn@tech304> In-Reply-To: <201205022201.50506.matt@chronos.org.uk> References: <CA%2BQLa9Asg0GkKKihhXLwpwOGz1T3u%2BJWhqo66L0M1denkeBq_Q@mail.gmail.com> <4FA12C1E.3030102@gmail.com> <201205022201.50506.matt@chronos.org.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 02 May 2012 16:01:49 -0500, Matt Dawson <matt@chronos.org.uk>
wrote:
> mod_gnutls in ports. Setup is simple for Apache. Prefer the RC4 cipher
> which secures SSLv3 against BEAST. This setup on my own HTTPS servers
> passes Qualys' own tests with an A rating of 87 and tells me BEAST is
> mitigated, although the thing still gives me an error on session
> resumption which I know damned well works. It's all there for server
> side in ports.
Why go out of your way and use mod_gnutls? You can simply set your SSL
settings like this:
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>
And now you have a rating of 85 and no BEAST issues.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.wdpb2rip34t2sn>