[Building Sakai] SSL Ciphers in production
Sam Ottenhoff
ottenhoff at longsight.com
Thu Jan 8 07:57:48 PST 2015
On Thu, Jan 8, 2015 at 10:34 AM, Kirschner, Beth <bkirschn at umich.edu> wrote:
> We've been reviewing our production setup for security issues, and have
> noticed that our Apache HTTP server supports several insecure SSL ciphers
> -- I'm curious as to whether anyone else explicitly supports these ciphers,
> or if anyone has explicitly turned them off -- we're looking for advice
> and/or comments on how others configure Apache for SSL ciphers:
>
Yes, we have disabled weak ciphers and have put strong (forward secrecy)
ciphers at the front of the list for preferred ciphers.
At the very least, MD5 should be long gone from your cipher list and RC4
should be at the bottom of your preferred list (for compatibility) or
totally removed because it's broken (
https://twitter.com/ioerror/status/398059565947699200).
We're hesitant to turn them off, since we're not sure if they're broadly
> used by browsers or clients (either within the US or internationally).
>
I don't think anyone can be hesitant anymore because of wanting to support
a user with WinXP/IE6 and no service packs. We have to assume that a MITM
attacker can *downgrade* your strong cipher to the weakest cipher
supported.... and if the weakest cipher supported is broken, then game over.
>
> Our Apache HTTP server configuration (
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite) looks
> like this:
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
> SSLProtocol all -SSLv2 -SSLv3
>
Are you sure this is in prod? It sure seems like you are still supporting
broken SSLv3!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20150108/0c590200/attachment.html
More information about the sakai-dev
mailing list