From 87889f3a6e54cbcb0ca9102a2a7353bf52704e33 Mon Sep 17 00:00:00 2001
From: Alexander Chernyakhovsky <achernya@mit.edu>
Date: Mon, 25 Mar 2013 17:53:25 -0400
Subject: [PATCH 1/1] Do better at SSL/TLS with only strong ciphers

---
 debian/changelog                           |   11 +++++++++++
 files/etc/apache2/sites-available/ssl.mako |    4 ++++
 2 files changed, 15 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d06551f..c7681e7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+invirt-web (0.1.26) unstable; urgency=low
+
+  * Add SSLCertificateChainFile to port :446, which was configured
+    separately.
+  * Remove SSLv2 support.
+  * Add a list of only strong ciphers, imported from the scripts.mit.edu
+    configuration.  These ciphers should be updated to include the new TLS
+    1.1 and 1.2 suites once they become available.
+
+ -- Alexander Chernyakhovsky <achernya@mit.edu>  Mon, 25 Mar 2013 17:51:35 -0400
+
 invirt-web (0.1.25) unstable; urgency=low
 
   * Add SSLCertificateChainFile, pointing to the certificate file, to
diff --git a/files/etc/apache2/sites-available/ssl.mako b/files/etc/apache2/sites-available/ssl.mako
index f4360db..6b7e414 100644
--- a/files/etc/apache2/sites-available/ssl.mako
+++ b/files/etc/apache2/sites-available/ssl.mako
@@ -49,6 +49,8 @@ ${caller.body()}
 	SSLVerifyDepth 10
 
 	SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
 	
 	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 
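Review bot: The added `SSLCipherSuite` line does not restrict the server to strong ciphers: it lists `RC4-SHA` first and then `ALL`, which admits every suite the OpenSSL build offers apart from the few excluded later in the string. Because no `SSLHonorCipherOrder On` is set, mod_ssl follows the client's preference order, so the ordering in the list does not decide what is negotiated. `SSLProtocol all -SSLv2` also leaves SSLv3 enabled. I would use `SSLProtocol all -SSLv2 -SSLv3`, `SSLHonorCipherOrder On` and `SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!EXP`, after checking them against the oldest clients that must still connect. The same two lines are repeated in the second hunk (`@@ -111,6 +113,8 @@`), and both virtual hosts start outside their hunks.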
@@ -111,6 +113,8 @@ ${caller.body()}
 	SSLVerifyClient none
 
 	SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
 	
 	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0	
 </VirtualHost>
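Review bot: The 0.1.26 changelog entry says SSLCertificateChainFile is added for port :446, but this patch adds no such directive: the diffstat shows four insertions in ssl.mako, and all four are the `SSLProtocol` and `SSLCipherSuite` lines. Either the directive is missing from this virtual host (presumably the :446 one, though its opening lies outside the hunk) or the changelog item describes a change made elsewhere and should be reworded. If it is missing, add `SSLCertificateChainFile <path to chain file>` next to the certificate directives. The two added lines are also indented with spaces while the surrounding directives use tabs.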
-- 
1.7.9.5