Do better at SSL/TLS with only strong ciphers

diff --git a/debian/changelog b/debian/changelog
index d06551f..c7681e7 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+invirt-web (0.1.26) unstable; urgency=low
+
+  * Add SSLCertificateChainFile to port :446, which was configured
+    separately.
+  * Remove SSLv2 support.
+  * Add a list of only strong ciphers, imported from the scripts.mit.edu
+    configuration.  These ciphers should be updated to include the new TLS
+    1.1 and 1.2 suites once they become available.
+
+ -- Alexander Chernyakhovsky <achernya@mit.edu>  Mon, 25 Mar 2013 17:51:35 -0400
+
 invirt-web (0.1.25) unstable; urgency=low
 
   * Add SSLCertificateChainFile, pointing to the certificate file, to

diff --git a/files/etc/apache2/sites-available/ssl.mako b/files/etc/apache2/sites-available/ssl.mako
index f4360db..6b7e414 100644 (file)
--- a/files/etc/apache2/sites-available/ssl.mako
+++ b/files/etc/apache2/sites-available/ssl.mako
@@ -49,6 +49,8 @@ ${caller.body()}
        SSLVerifyDepth 10
 
        SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
        
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 
@@ -111,6 +113,8 @@ ${caller.body()}
        SSLVerifyClient none
 
        SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
        
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0        
 </VirtualHost>