cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Benny Baumann <benbe AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org, Critical Admins <critical-admin AT cacert.org>, Michael Ebeling <micha_ebeling AT mail36.net>
- Subject: Re: Apache cipher suite configuration
- Date: Tue, 11 Mar 2014 09:44:21 +0100
On 10.03.2014 18:50, Michael Tänzer wrote:
> Hi Guys,
>
> if you haven't already done so you probably should add the following
> configuration to /etc/apache2/mods-available/ssl.conf on the servers
> administered by you:
>
> # CAcert cipher suite configuration
> SSLHonorCipherOrder on
> SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
I'd also kick 3DES and SEED. The former because of attacks on the edge
of practicality for a large attacker, the latter for little information
on the cipher and few cipher suites based on it.

When configuring Apache, take care to use 2.2.35 or 2.4.7 with __recent__
OpenSSL 1.0.1f (sometimes OpenSSL 1.0.1e with some distro-stuff behind
for patchlevel).

Regards,
BenBE.
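An added example, not part of the original messages: a Python check that expands the proposed cipher string with the local OpenSSL and reports whether any 3DES, SEED or RC4 suites remain enabled, before and after excluding 3DES and SEED. Appending `!3DES:!SEED` is an assumed way to express the suggestion in the reply, and the names `PROPOSED`, `FLAGGED`, `drop_ciphers`, `expand` and `audit` are hypothetical.

```python
import ssl

# Cipher string from the quoted message, written with ':' between every item.
PROPOSED = "kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL"

# OpenSSL suite-name fragments for the cipher families discussed in the thread.
# OpenSSL names 3DES suites with "DES-CBC3" (for example DES-CBC3-SHA).
FLAGGED = {"3DES": "DES-CBC3", "SEED": "SEED", "RC4": "RC4"}


def drop_ciphers(cipher_string, aliases=("3DES", "SEED")):
    """Return the string with '!alias' appended for each alias (assumed form).

    '!' removes the matching suites permanently; a '+alias' reorder item is
    dropped because it has no effect once the alias is excluded.
    """
    reorder = {"+" + a for a in aliases}
    items = [i for i in cipher_string.split(":") if i and i not in reorder]
    items += ["!" + a for a in aliases if "!" + a not in items]
    return ":".join(items)


def expand(cipher_string):
    """Suites the local OpenSSL enables for this string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Map each flagged cipher family to the enabled suites that use it."""
    names = expand(cipher_string)
    return {fam: [n for n in names if frag in n] for fam, frag in FLAGGED.items()}


if __name__ == "__main__":
    for label, s in (("proposed", PROPOSED), ("hardened", drop_ciphers(PROPOSED))):
        print(f"{label}: {s}")
        for fam, hits in audit(s).items():
            print(f"  {fam}: {', '.join(hits) or 'none enabled'}")
```

The result reflects the OpenSSL build that Python is linked against, which can differ from the one mod_ssl uses, so run it on the server in question and compare library versions.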
- Apache cipher suite configuration, Michael Tänzer, 03/10/2014
- Re: Apache cipher suite configuration, Benny Baumann, 03/11/2014