Bug 51363 - Disable Anonymous ECDH ciphersuites by default
Summary: Disable Anonymous ECDH ciphersuites by default
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2011-06-13 08:37 UTC by Rob Stradling
Modified: 2012-02-26 17:12 UTC

Attachments
Disable AECDH ciphersuites by default (629 bytes, application/octet-stream)
2011-06-13 08:37 UTC, Rob Stradling
Description Rob Stradling 2011-06-13 08:37:00 UTC
Created attachment 27152 [details]
Disable AECDH ciphersuites by default

The OpenSSL-1.x CHANGES file says that 'the ECC ciphersuites are no longer excluded from "ALL" and "DEFAULT".'

The default SSLCipherSuite directive (docs/conf/extra/httpd-ssl.conf.in)...
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
...enables ALL, and then disables anonymous DH but not anonymous ECDH.

I presume that the intended behaviour is that all anonymous ciphersuites should be disabled by default, so I think ":!AECDH" should be added after ":!ADH".

Trivial patch attached.
Comment 1 Stefan Fritsch 2011-06-13 19:31:40 UTC
Fixed in trunk in r1135234 by using !aNULL. Updated docs in r1135241.
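As an added illustration, not part of the bug report or of httpd's own code: the three cipher strings in play here (the shipped default quoted in the description, the reporter's proposed `!ADH:!AECDH`, and the committed `!aNULL`) run through the OpenSSL cipher-string parser behind Python's `ssl` module, reporting which selected suites provide no server authentication (OpenSSL marks them `Au=None` in its cipher description). The exact suite names depend on the OpenSSL build the interpreter links against; modern builds simply ignore keywords they no longer know, such as `RC4-SHA` and `SSLV2`. The helper names and labels are this example's own.

```python
import ssl

# Cipher strings from the report (constructed copies, not read from any
# httpd config): the shipped default, the reporter's proposed fix, and the
# fix committed in r1135234.
HTTPD_DEFAULT = "RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL"
PROPOSED_FIX = "RC4-SHA:AES128-SHA:ALL:!ADH:!AECDH:!EXP:!LOW:!MD5:!SSLV2:!NULL"
COMMITTED_FIX = "RC4-SHA:AES128-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL"


def expand_cipher_string(cipher_string):
    """Resolve an OpenSSL cipher string to the suites it actually selects.

    Uses the linked OpenSSL's own parser via SSLContext.set_ciphers(), so the
    result reflects that build: keywords it does not know (RC4-SHA, SSLV2 on
    OpenSSL 1.1+) are silently skipped. Raises ssl.SSLError if the string
    selects no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def anonymous_ciphers(cipher_string):
    """Names of the selected suites that offer no server authentication.

    OpenSSL's cipher description shows these as 'Au=None'. Such suites
    encrypt the connection but cannot detect an active man-in-the-middle,
    which is why the default configuration should exclude every one of them.
    """
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if "Au=None" in c["description"]]


def audit(label, cipher_string):
    """Print a one-line summary for a cipher string; return its anonymous suites."""
    selected = expand_cipher_string(cipher_string)
    anon = anonymous_ciphers(cipher_string)
    print(f"{label:<12} {len(selected):3d} suites, anonymous: {', '.join(anon) or 'none'}")
    return anon


if __name__ == "__main__":
    audit("default", HTTPD_DEFAULT)      # AECDH-* survive on builds that ship them
    audit("!ADH:!AECDH", PROPOSED_FIX)   # none
    audit("!aNULL", COMMITTED_FIX)       # none
```

Only the `!ADH` versus `!aNULL` term differs between the first and third string, so the suites the committed fix drops are exactly the anonymous ones the default left in. `aNULL` is the authentication-class alias, which is why it also covers any anonymous key exchange added after ADH and AECDH, whereas listing key-exchange aliases one by one has to be revisited each time OpenSSL grows a new one.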
Comment 2 Rob Stradling 2011-06-14 07:47:36 UTC
Thanks, Stefan. I agree that !aNULL is more appropriate than !ADH:!AECDH.
Comment 3 Stefan Fritsch 2012-02-26 17:12:10 UTC
Fixed in 2.4.1 and 2.2.22.