| Field | Value |
|---|---|
| Summary | Disable Anonymous ECDH ciphersuites by default |
| Product | Apache httpd-2 |
| Reporter | Rob Stradling <rob> |
| Component | mod_ssl |
| Assignee | Apache HTTPD Bugs Mailing List <bugs> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Keywords | FixedInTrunk |
| Priority | P2 |
| Version | 2.5-HEAD |
| Target Milestone | --- |
| Hardware | All |
| OS | All |
| Attachments | Disable AECDH ciphersuites by default |
Thanks Stefan. I agree that !aNULL is more appropriate than !ADH:!AECDH. Fixed in 2.4.1 and 2.2.22.

Created attachment 27152: Disable AECDH ciphersuites by default

The OpenSSL-1.x CHANGES file says that 'the ECC ciphersuites are no longer excluded from "ALL" and "DEFAULT".'

The default SSLCipherSuite directive (docs/conf/extra/httpd-ssl.conf.in)...

```
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
```

...enables ALL, and then disables anonymous DH but not anonymous ECDH. I presume that the intended behaviour is that all anonymous ciphersuites should be disabled by default, so I think ":!AECDH" should be added after ":!ADH". Trivial patch attached.
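The following is an added example, not code from this bug report, from httpd or from OpenSSL. It evaluates the three cipher strings discussed here (the original default, the reporter's `!AECDH` patch and the `!aNULL` form that was committed) against a small constructed catalogue of cipher suites, implementing only the subset of OpenSSL cipher-string semantics involved: `ALL`, suite names, the aliases `ADH`, `AECDH`, `aNULL`, `NULL`, `EXP`, `LOW`, `MD5`, `SSLV2`, and `!` for permanent exclusion. The catalogue and its attributes are constructed for illustration (names follow OpenSSL's naming, attributes follow the `Kx=`/`Au=` columns of `openssl ciphers -v`); it is not a complete suite list.

```python
"""Check which anonymous (Au=None) suites survive an SSLCipherSuite string.

Added example; assumes nothing beyond the Python standard library. The
catalogue below is constructed, not read from a live OpenSSL.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str            # key exchange: RSA, DH or ECDH
    au: str            # authentication: RSA, ECDSA or None (anonymous)
    enc: str           # bulk cipher; "None" marks eNULL suites
    mac: str
    export: bool = False   # export-grade suite (EXP alias)
    low: bool = False      # low-strength suite (LOW alias)


# Constructed catalogue covering each alias the bug's cipher string touches.
CATALOGUE = [
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDH", "RSA", "AESGCM", "AEAD"),
    Suite("ECDHE-ECDSA-AES128-SHA", "ECDH", "ECDSA", "AES", "SHA1"),
    Suite("DHE-RSA-AES128-SHA", "DH", "RSA", "AES", "SHA1"),
    Suite("AES128-SHA", "RSA", "RSA", "AES", "SHA1"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", "SHA1"),
    Suite("RC4-MD5", "RSA", "RSA", "RC4", "MD5"),
    Suite("ADH-AES128-SHA", "DH", "None", "AES", "SHA1"),      # anonymous DH
    Suite("AECDH-AES128-SHA", "ECDH", "None", "AES", "SHA1"),  # anonymous ECDH
    Suite("EXP-RC4-MD5", "RSA", "RSA", "RC4", "MD5", export=True),
    Suite("DES-CBC-SHA", "RSA", "RSA", "DES", "SHA1", low=True),
    Suite("NULL-SHA", "RSA", "RSA", "None", "SHA1"),
]
SUITES = {s.name: s for s in CATALOGUE}

# Alias -> predicate, mirroring the ciphers(1) aliases used in the bug.
ALIASES = {
    "ALL":   lambda s: s.enc != "None",                  # everything but eNULL
    "ADH":   lambda s: s.kx == "DH" and s.au == "None",
    "AECDH": lambda s: s.kx == "ECDH" and s.au == "None",
    "aNULL": lambda s: s.au == "None",                   # both anonymous kinds
    "NULL":  lambda s: s.enc == "None",
    "EXP":   lambda s: s.export,
    "LOW":   lambda s: s.low,
    "MD5":   lambda s: s.mac == "MD5",
    "SSLV2": lambda s: False,                            # no SSLv2 suites here
}


def matching(token):
    """Suites named by one token: an alias, or a single suite name."""
    if token in ALIASES:
        return [s for s in CATALOGUE if ALIASES[token](s)]
    return [s for s in CATALOGUE if s.name == token]


def evaluate(cipher_string):
    """Ordered suite names selected by cipher_string.

    A plain token appends suites not yet present; a '!' token removes its
    suites and bans them for the rest of the string, as OpenSSL does.
    """
    selected, banned = [], set()
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            banned.update(s.name for s in matching(token[1:]))
            selected = [n for n in selected if n not in banned]
        else:
            for s in matching(token):
                if s.name not in banned and s.name not in selected:
                    selected.append(s.name)
    return selected


def anonymous(cipher_string):
    """Selected suites that offer no server authentication (Au=None)."""
    return [n for n in evaluate(cipher_string) if SUITES[n].au == "None"]


# The string from httpd-ssl.conf.in, the reporter's patch, and the committed fix.
ORIGINAL_DEFAULT = "RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL"
PATCH_PROPOSED = "RC4-SHA:AES128-SHA:ALL:!ADH:!AECDH:!EXP:!LOW:!MD5:!SSLV2:!NULL"
FIX_APPLIED = "RC4-SHA:AES128-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL"

if __name__ == "__main__":
    for label, cs in (("original", ORIGINAL_DEFAULT),
                      ("!AECDH patch", PATCH_PROPOSED),
                      ("!aNULL fix", FIX_APPLIED)):
        print(f"{label:13s} anonymous suites left: {anonymous(cs) or 'none'}")
```

The original string leaves `AECDH-AES128-SHA` enabled because `!ADH` only names the DH-anon family; `!aNULL` covers every suite with `Au=None`, which is why it is the more robust exclusion. Against a real build, `openssl ciphers -v '<string>'` prints one line per selected suite and anonymous ones show `Au=None`, so grepping that output for `Au=None` is the corresponding live check.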