Bug 506924 - www-servers/apache weak default SSLCipherSuite
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal normal
Assignee: Patrick Lauer
Reported: 2014-04-06 13:04 UTC by cnu
Modified: 2014-04-20 21:28 UTC
Description cnu 2014-04-06 13:04:40 UTC
Hello! The file gentoo-apache-2.2.23/conf/vhosts.d/00_default_ssl_vhost.conf uses what I've been told is a very weak cipher suite:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

I hope you can check it out as I have no idea what all those fancy words mean :) I changed mine to the one recommended by Mozilla now [1], hoping they are wiser than me.

[1] https://wiki.mozilla.org/Security/Server_Side_TLS
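
An added example, not part of the bug report or of Gentoo's code: a small audit of the cipher string quoted above, using a simplified model of the operators documented in OpenSSL's ciphers(1). The function name, the weak-class table and the comparison string are assumptions made for illustration; `openssl ciphers -v` against the installed OpenSSL remains the authoritative check.

```python
import re

# Weak suite classes and the keywords that name each whole class (OpenSSL ciphers(1)).
WEAK = {
    "aNULL": {"aNULL"},          # no authentication (anonymous DH and ECDH)
    "eNULL": {"eNULL", "NULL"},  # no encryption
    "EXP": {"EXP", "EXPORT"},    # 40- and 56-bit export suites
    "LOW": {"LOW"},              # 56/64-bit suites such as single DES
    "SSLv2": {"SSLv2"},          # SSL 2.0 suites
}
# ALL selects every class above except eNULL, which must be enabled explicitly.
IN_ALL = set(WEAK) - {"eNULL"}


def audit_cipher_string(spec):
    """Return (weak classes left enabled, keywords that were only reordered)."""
    present, killed, reordered = set(), set(), []
    for token in filter(None, re.split(r"[:, ]+", spec)):
        op = token[0] if token[0] in "!-+" else ""
        keyword = token[len(op):]
        # Sub-class keywords such as ADH or EXPORT56 do not match a whole class,
        # so removing them leaves the rest of that class enabled.
        whole = {c for c, names in WEAK.items() if keyword in names}
        if op == "!":        # permanent removal, cannot be re-added later
            killed |= whole
            present -= whole
        elif op == "-":      # removal that a later token may undo
            present -= whole
        elif op == "+":      # moves already-selected suites to the end, adds none
            reordered.append(keyword)
        else:                # plain token adds suites; A+B inside it means A AND B
            parts = set(keyword.split("+"))
            added = {c for c, names in WEAK.items() if parts & names}
            if "ALL" in parts:
                added |= IN_ALL
            present |= added - killed
    return sorted(present), reordered


# The default quoted in the bug description above.
GENTOO_OLD = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
# Constructed comparison string, not taken from the page or from Mozilla's guide.
STRICTER = "HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2"

if __name__ == "__main__":
    for name, spec in (("old default", GENTOO_OLD), ("stricter", STRICTER)):
        weak, moved = audit_cipher_string(spec)
        print(f"{name}: weak classes enabled={weak} reorder-only={moved}")
```

In this model the leading `+` tokens of the old default only push LOW, SSLv2 and EXP suites to the end of the preference list; they stay enabled because `ALL` selected them and nothing removed them, while `+eNULL` has nothing to move.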
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2014-04-19 20:29:20 UTC
Reassigning to the maintainers, sorry about the delay.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-20 16:46:40 UTC
This was now committed to our apache git repository:

http://git.overlays.gentoo.org/gitweb/?p=proj/apache.git;a=commitdiff;h=9154fa2d2a6b8f0b59c5b1d83c8186a4249d7f8f
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-20 21:28:18 UTC
+*apache-2.4.9-r1 (20 Apr 2014)
+*apache-2.2.27-r1 (20 Apr 2014)
+
+  20 Apr 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.26.ebuild,
+  +apache-2.2.27-r1.ebuild, -apache-2.4.9.ebuild, +apache-2.4.9-r1.ebuild:
+  Revbump fixing bug #506924 and bug #507324. Removed old.
+
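Review bot: the ChangeLog text on the "Revbump fixing bug #506924 and bug #507324" line gives only bug numbers and does not say what changed. Since bug #506924 concerns the default SSLCipherSuite in 00_default_ssl_vhost.conf, naming that file and setting in the entry would let someone reading the ChangeLog see that this revbump changes a security-relevant default without opening the bug tracker.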