From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021203

Description of problem:
The supplied /etc/httpd/conf.d/ssl.conf sets SSLCipherSuite to include the eNULL cipher suite. This is a security risk - if both ends of an SSL connection support eNULL then an attacker can convince them that only these ciphers are available and cause them to negotiate a connection using no encryption. eNULL should therefore be disabled by default.

Version-Release number of selected component (if applicable):
mod_ssl.2.0.40-21.3

How reproducible:
Always

Steps to Reproduce:
1. Look at /etc/httpd/conf.d/ssl.conf

Actual Results:  SSLCipherSuite contains eNULL

Expected Results:  SSLCipherSuite should not contain eNULL

Additional info:
Thanks for the report.
While I stand by the statement that having eNULL as an available cipher suite is a bad idea, it looks as if my assertion that an attacker could cause this to be selected in preference to 'real' cipher suites is incorrect. On double-checking, I find that SSL correctly protects itself against man-in-the-middle tampering with the initial handshake (which includes the choice of cipher suite). I still think that this is a bug, but you can probably downgrade the severity.
This is fixed in Raw Hide, mod_ssl-2.0.47-4 and later.
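The report turns on how an SSLCipherSuite string such as the one in ssl.conf is expanded, and in particular on the difference between naming eNULL, moving it with "+", removing it with "-" and forbidding it with "!". The following evaluator is an added illustration written for this thread; it is not code from the report, from Red Hat, from mod_ssl or from OpenSSL. The suite table is a small constructed sample, the two ssl.conf-style strings at the bottom are assumed shapes rather than the exact values shipped in mod_ssl-2.0.40-21.3 or mod_ssl-2.0.47-4, and the operator semantics are a simplified reading of the ciphers(1) man page (no @STRENGTH, no COMPLEMENTOFDEFAULT, no security levels).

```python
"""
Toy evaluator for OpenSSL-style SSLCipherSuite strings (added example, not
Red Hat's, mod_ssl's or OpenSSL's code).  Simplified operator semantics:

  item    add every matching suite not already listed and not forbidden
  +item   move matching suites that are already listed to the end
  -item   remove matching suites (a later item may add them back)
  !item   remove matching suites and forbid them for the rest of the string
  a+b     a suite must match every alias joined by '+' (e.g. RC4+RSA)
"""

# Constructed sample of suites: (name, set of aliases it matches).
# "eNULL" marks suites that perform no encryption at all.
SUITES = [
    ("RC4-SHA",        {"RSA", "RC4", "MEDIUM", "SSLv3"}),
    ("DES-CBC3-SHA",   {"RSA", "3DES", "HIGH", "SSLv3"}),
    ("AES128-SHA",     {"RSA", "AES", "HIGH", "SSLv3"}),
    ("DES-CBC-SHA",    {"RSA", "DES", "LOW", "SSLv3"}),
    ("EXP-RC4-MD5",    {"RSA", "RC4", "EXP", "SSLv3"}),
    ("ADH-AES128-SHA", {"ADH", "AES", "HIGH", "SSLv3"}),
    ("NULL-SHA",       {"RSA", "eNULL", "SSLv3"}),
    ("NULL-MD5",       {"RSA", "eNULL", "SSLv3"}),
]


def matches(props, alias):
    """ALL is every suite except the eNULL ones, which must be named explicitly."""
    if alias == "ALL":
        return "eNULL" not in props
    return alias in props


def expand(cipher_string, suites=SUITES):
    """Return the ordered list of suite names the string enables."""
    selected = []      # current ordered list of suite names
    forbidden = set()  # suites removed with '!' can never come back
    for item in cipher_string.split(":"):
        if not item:
            continue
        op = item[0] if item[0] in "+-!" else ""
        aliases = item[len(op):].split("+")
        hits = [name for name, props in suites
                if all(matches(props, a) for a in aliases)]
        if op == "":
            for name in hits:
                if name not in selected and name not in forbidden:
                    selected.append(name)
        elif op == "+":
            moved = [n for n in selected if n in hits]
            selected = [n for n in selected if n not in hits] + moved
        elif op == "-":
            selected = [n for n in selected if n not in hits]
        else:  # "!"
            forbidden.update(hits)
            selected = [n for n in selected if n not in hits]
    return selected


def null_suites(cipher_string, suites=SUITES):
    """Names of enabled suites that provide no encryption (the eNULL risk)."""
    props = dict(suites)
    return [n for n in expand(cipher_string, suites) if "eNULL" in props[n]]


if __name__ == "__main__":
    # Assumed shapes of a weak and a hardened ssl.conf value; the strings
    # actually shipped in mod_ssl-2.0.40 and -2.0.47 are not quoted here.
    for s in ("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:eNULL",   # weak
              "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:!eNULL",  # hardened
              "ALL:!eNULL:eNULL",     # '!' cannot be undone later in the string
              "ALL:-eNULL:eNULL"):    # '-' can
        print(f"{s:48} null={null_suites(s)}")
```

To check a real ssl.conf value rather than this model, run `openssl ciphers -v 'STRING'` with the configured string and look for lines showing `Enc=None`; those are the suites that would negotiate without encryption. Ending the string with `:!eNULL` rules them out regardless of what earlier items add, which `-eNULL` does not. On OpenSSL 1.1.0 and later the default security level also refuses such suites at handshake time, and `openssl ciphers -s` applies that filter to its listing.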