From 87889f3a6e54cbcb0ca9102a2a7353bf52704e33 Mon Sep 17 00:00:00 2001
From: Alexander Chernyakhovsky
Date: Mon, 25 Mar 2013 17:53:25 -0400
Subject: [PATCH] Do better at SSL/TLS with only strong ciphers

---
 debian/changelog | 11 +++++++++++
 files/etc/apache2/sites-available/ssl.mako | 4 ++++
 2 files changed, 15 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d06551f..c7681e7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+invirt-web (0.1.26) unstable; urgency=low
+
+ * Add SSLCertificateChainFile to port :446, which was configured
+ separately.
+ * Remove SSLv2 support.
+ * Add a list of only strong ciphers, imported from the scripts.mit.edu
+ configuration. These ciphers should be updated to include the new TLS
+ 1.1 and 1.2 suites once they become available.
+
+ -- Alexander Chernyakhovsky Mon, 25 Mar 2013 17:51:35 -0400
+
 invirt-web (0.1.25) unstable; urgency=low

 * Add SSLCertificateChainFile, pointing to the certificate file, to
diff --git a/files/etc/apache2/sites-available/ssl.mako b/files/etc/apache2/sites-available/ssl.mako
index f4360db..6b7e414 100644
--- a/files/etc/apache2/sites-available/ssl.mako
+++ b/files/etc/apache2/sites-available/ssl.mako
@@ -49,6 +49,8 @@ ${caller.body()}
 SSLVerifyDepth 10
 SSLOptions +StdEnvVars
+ SSLProtocol all -SSLv2
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
@@ -111,6 +113,8 @@ ${caller.body()}
 SSLVerifyClient none
 SSLOptions +StdEnvVars
+ SSLProtocol all -SSLv2
+ SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
--
1.7.9.5
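Review bot: The `SSLCipherSuite` string added in the ssl.mako hunk at line 49, and repeated verbatim in the hunk at line 113, still admits weak suites: `RC4-SHA` is listed first, `ALL` brings in 3DES and (where the OpenSSL build has them) anonymous ECDH suites, and `!ADH` removes only anonymous DH, so `!aNULL` is the exclusion that covers both. `SSLProtocol all -SSLv2` also leaves SSLv3 enabled. No `SSLHonorCipherOrder on` is visible in either hunk, so unless it is set elsewhere in the template the listed order is not enforced and the client's preference decides. I would change both places to `SSLProtocol all -SSLv2 -SSLv3`, `SSLHonorCipherOrder on` and `SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES`, ideally defined once in the template so the two vhosts cannot drift apart. Both vhost blocks begin and end outside the hunks, so this is based only on the lines shown.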