Bug 704352 - Harden SSL cipher suites strength of the default configuration of the SSL part (included mod_ssl) of Apache2
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: 14
Hardware: i686
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-05-12 21:37 UTC by adimcev
Modified: 2011-05-13 08:06 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-05-13 08:06:16 UTC
Type: ---



Description adimcev 2011-05-12 21:37:37 UTC
Description of problem:

Testing the default configuration of the SSL part (included mod_ssl) of Apache2 of Fedora 14 (i686), SSL support enabled with system-config-httpd, the following issue was noted regarding the SSL cipher suite strength: weak cipher suites (DES based) are enabled. -> these should be disabled by default.

Test results:
http://www.carbonwind.net/blog/post/On-scope-default-SSLTLS-settings-shipped-on-various-Linux-distros-for-Apache-22x.aspx

Version-Release number of selected component (if applicable):
Apache 2.2.17


Comment 1 Joe Orton 2011-05-13 08:06:16 UTC
Thanks for the report - this is already done for F15.  We generally don't make changes to the default config for shipping releases.

F15 defaults:

  SSLProtocol all -SSLv2
  SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
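
An added example, not part of the comment above or of the Fedora httpd package: a small auditor that reports which exclusions from the quoted F15 defaults are missing from the `SSLProtocol` and `SSLCipherSuite` lines of a config. The function name, the second sample config and the case-insensitive token comparison are assumptions of this example; the check is purely syntactic, so a string written in a different style (for example an allow-list) is reported even if it enables no weak suites.

```python
import re

# Baseline: the exclusions in the F15 defaults quoted in the comment above.
BASELINE_EXCLUDED = {"ADH", "EXP", "LOW", "MD5", "SSLV2", "NULL"}
BASELINE_PROTO_OFF = {"SSLV2"}

DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I)

F15_CONF = """\
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
"""

# Constructed sample for the demonstration, not a shipped default.
PERMISSIVE_CONF = """\
# SSLCipherSuite HIGH
SSLProtocol all
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW
"""


def audit(conf_text):
    """Return (line_no, directive, missing) for every directive that lacks
    an exclusion present in the F15 baseline."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines start with '#': no match
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip('"')
        if name == "sslprotocol":
            off = {t[1:].upper() for t in value.split() if t.startswith("-")}
            missing = BASELINE_PROTO_OFF - off
        else:
            # Cipher-string items are separated by ':', ',' or space.
            # Only '!' removes a class permanently; '-' can be undone by a
            # later item and '+' merely moves ciphers to the end of the list.
            items = re.split(r"[:, ]+", value)
            banned = {t[1:].upper() for t in items if t.startswith("!")}
            missing = BASELINE_EXCLUDED - banned
        if missing:
            findings.append((no, m.group(1), sorted(missing)))
    return findings


if __name__ == "__main__":
    for label, conf in (("F15", F15_CONF), ("permissive", PERMISSIVE_CONF)):
        print(label, audit(conf) or "matches the F15 baseline")
```

On a live host, `openssl ciphers -v '<cipher string>'` shows the suites the installed OpenSSL actually expands a given string to.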

