Bug 51363

Summary: Disable Anonymous ECDH ciphersuites by default
Product: Apache httpd-2
Reporter: Rob Stradling <rob>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
Keywords: FixedInTrunk
Priority: P2
Version: 2.5-HEAD
Target Milestone: ---
Hardware: All
OS: All
Attachments: Disable AECDH ciphersuites by default

Description Rob Stradling 2011-06-13 08:37:00 UTC
Created attachment 27152
Disable AECDH ciphersuites by default

The OpenSSL-1.x CHANGES file says that 'the ECC ciphersuites are no longer excluded from "ALL" and "DEFAULT".'

The default SSLCipherSuite directive (docs/conf/extra/httpd-ssl.conf.in)...
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
...enables ALL, and then disables anonymous DH but not anonymous ECDH.

I presume that the intended behaviour is that all anonymous ciphersuites should be disabled by default, so I think ":!AECDH" should be added after ":!ADH".

Trivial patch attached.
Comment 1 Stefan Fritsch 2011-06-13 19:31:40 UTC
Fixed in trunk in r1135234 by using !aNULL. Updated docs in r1135241.
Comment 2 Rob Stradling 2011-06-14 07:47:36 UTC
Thanks Stefan.  I agree that !aNULL is more appropriate than !ADH:!AECDH.
Comment 3 Stefan Fritsch 2012-02-26 17:12:10 UTC
Fixed in 2.4.1 and 2.2.22
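Added example, not part of the bug report or of httpd/OpenSSL: a small Python checker that parses a constructed `openssl ciphers -v` listing and applies a simplified model of the `!ADH`, `!AECDH` and `!aNULL` exclusions (the alias semantics here are an assumption, not OpenSSL's own code), showing that `!ADH` alone leaves the AECDH-* suites enabled while `!aNULL` removes every unauthenticated suite. Against a real build, the equivalent check is `openssl ciphers -v '<SSLCipherSuite string>'` with a look for any `Au=None` line.

```python
# Added example (not part of the bug report or httpd): model how the OpenSSL
# cipher-string exclusions !ADH, !AECDH and !aNULL act on the suites that
# "openssl ciphers -v" lists, to show why !ADH alone leaves anonymous ECDH
# suites enabled.  The alias semantics below are a simplified model of
# OpenSSL's (assumption); the sample listing is constructed, not captured.
import re

# Constructed excerpt in the "openssl ciphers -v" output format.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

LINE_RE = re.compile(r"^(\S+)\s+\S+\s+Kx=(\S+)\s+Au=(\S+)")

def parse_ciphers_v(text):
    """Return (name, kx, au) tuples from 'openssl ciphers -v' style text."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            recs.append(m.groups())
    return recs

# Alias -> predicate over (kx, au).  Simplified model: ADH = anonymous DH,
# AECDH = anonymous ECDH, aNULL = no authentication whatever the key exchange.
ALIASES = {
    "ADH":   lambda kx, au: kx == "DH" and au == "None",
    "AECDH": lambda kx, au: kx == "ECDH" and au == "None",
    "aNULL": lambda kx, au: au == "None",
}

def apply_exclusions(records, cipher_string):
    """Drop every record matched by a '!ALIAS' element of cipher_string."""
    excluded = [e[1:] for e in cipher_string.split(":") if e.startswith("!")]
    preds = [ALIASES[e] for e in excluded if e in ALIASES]
    return [r for r in records if not any(p(r[1], r[2]) for p in preds)]

def anonymous_suites(records):
    """Names of suites that offer no peer authentication (Au=None)."""
    return [name for name, _kx, au in records if au == "None"]

if __name__ == "__main__":
    recs = parse_ciphers_v(SAMPLE_CIPHERS_V)
    for cs in ("ALL:!ADH", "ALL:!ADH:!AECDH", "ALL:!aNULL"):
        print(cs, "-> anonymous suites left:", anonymous_suites(apply_exclusions(recs, cs)))
```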