My current Apache SSL cipher settings
Like a number of other security protocols, TLS (aka SSL) comes in several generations and offers a large selection of potential ciphers. Many of these options are actually a bad idea from a security perspective; the ciphers are weak or use things that have been broken, and older versions of SSL have known weaknesses. By default, Apache's mod_ssl enables them all and even sometimes defaults to (very) bad choices, all in the vague name of accommodating some export version of a browser from 1997 that might perhaps show up some day and be unable to do any version of SSL since then.
(More realistically, the mod_ssl defaults were probably set ten years or more ago and have not really been changed since then for all sorts of reasons. Well, actually these are more like the OpenSSL defaults, since mod_ssl defers most of these decisions to OpenSSL.)
I've recently decided to start changing that in our Apache SSL configurations, partly prompted by this and this (PDF). My current settings are to not support SSL v2 at all, disallow 'export' ciphers, which were deliberately made really weak so that they could be easily decrypted, and disallow everything that OpenSSL considers a low-strength cipher (which actually includes export ciphers).
Specifically, I'm setting:
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
This is more or less researched from the Apache documentation. It's tempting to explicitly disallow MD5, although I don't know if this is just superstition.
Now, two cautions apply here. First, our SSL sites are by and large for internal use, so I can afford to be somewhat casual about how many ciphers I support; if this turns out to be a too small set, I will hear about it. Second, our web servers are nowhere near CPU constrained so I don't care very much about which good cipher is the most CPU-efficient; a more active site might well.
(Considering that SSLv3 dates from 1996, disabling SSLv2 should be really quite safe by now.)
It would be nice (I say wistfully) if software like mod_ssl would come preconfigured with a sensible and limited set of ciphers and perhaps notes on really ancient software that's known to require you to use less than ideal cipher choices.
(Partly I am writing all of this down now so that I have a reference for it later.)
|
|