[Building Sakai] SSL Ciphers in production
Kirschner, Beth
bkirschn at umich.edu
Thu Jan 8 07:34:48 PST 2015
We've been reviewing our production setup for security issues, and have noticed that our Apache HTTP server supports several insecure SSL ciphers -- I'm curious as to whether anyone else explicitly supports these ciphers, or if anyone has explicitly turned them off -- we're looking for advice and/or comments on how others configure Apache for SSL ciphers:
> TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128
> TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128
> TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
> TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
> TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x60) WEAK 56
> TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62) WEAK 56
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64) WEAK 56
We're hesitant to turn them off, since we're not sure if they're broadly used by browsers or clients (either within the US or internationally).
Our Apache HTTP server configuration (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite) looks like this:
SSLEngine on
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol all -SSLv2 -SSLv3
Thanks,
- Beth
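The following is an added example, not part of the original message: it parses the scan lines quoted above and checks each suite against the posted SSLCipherSuite string. The function names are hypothetical, and the tag model (EXPORT by name, LOW at 64 bits or less, otherwise HIGH/MEDIUM) is a simplifying assumption based on the class descriptions in the OpenSSL ciphers documentation, not OpenSSL's own table.

```python
import re

# Scanner output quoted in the message above, copied verbatim.
SCAN = """\
TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x60) WEAK 56
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62) WEAK 56
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64) WEAK 56
"""
CIPHER_STRING = "HIGH:MEDIUM:!aNULL:!MD5"  # SSLCipherSuite value from the message
LINE = re.compile(r"^(TLS_\w+) \((0x[0-9a-f]+)\)( WEAK)? (\d+)$")

def parse_scan(text):
    """Parse 'NAME (0xID) [WEAK] BITS' lines into (name, id, weak, bits) tuples."""
    hits = (LINE.match(raw.lstrip("> ").strip()) for raw in text.splitlines())
    return [(m[1], int(m[2], 16), m[3] is not None, int(m[4])) for m in hits if m]

def tags(name, bits):
    """Simplified selector tags for one suite (an assumption, not OpenSSL's table)."""
    # HIGH and MEDIUM are not told apart: the cipher string admits both.
    t = {"EXPORT"} if "EXPORT" in name else {"LOW"} if bits <= 64 else {"HIGH", "MEDIUM"}
    if name.endswith("_MD5"):
        t.add("MD5")
    if "_anon_" in name:
        t.add("aNULL")
    return t

def allowed(name, bits, cipher_string=CIPHER_STRING):
    """Evaluate plain selectors and '!' exclusions only ('+', '-', '@' are not handled)."""
    t = tags(name, bits)
    parts = cipher_string.split(":")
    if any(p[1:] in t for p in parts if p.startswith("!")):
        return False
    return any(p in t for p in parts if not p.startswith("!"))

def unexpected(text=SCAN):
    """Suites the scanner saw that the cipher string should not have enabled."""
    return [name for name, _id, _weak, bits in parse_scan(text) if not allowed(name, bits)]

if __name__ == "__main__":
    for name in unexpected():
        print("offered, but not expected from SSLCipherSuite:", name)
```

A non-empty result means the scanned listener offers suites this directive would not enable under the model, so it is worth confirming which host or TLS terminator the scanner reached before editing SSLCipherSuite. Running `openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5'` on the server shows what the installed OpenSSL actually expands the string to.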