Bug 51363 - Disable Anonymous ECDH ciphersuites by default
Summary: Disable Anonymous ECDH ciphersuites by default
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Depends on:
Reported: 2011-06-13 08:37 UTC by Rob Stradling
Modified: 2012-02-26 17:12 UTC (History)
0 users

Disable AECDH ciphersuites by default (629 bytes, application/octet-stream)
2011-06-13 08:37 UTC, Rob Stradling

Note You need to log in before you can comment on or make changes to this bug.
Description Rob Stradling 2011-06-13 08:37:00 UTC
Created attachment 27152 [details]
Disable AECDH ciphersuites by default

The OpenSSL-1.x CHANGES file says that 'the ECC ciphersuites are no longer excluded from "ALL" and "DEFAULT".'

The default SSLCipherSuite directive (docs/conf/extra/httpd-ssl.conf.in)...
...enables ALL, and then disables anonymous DH but not anonymous ECDH.

I presume that the intended behaviour is that all anonymous ciphersuites should be disabled by default, so I think ":!AECDH" should be added after ":!ADH".

Trivial patch attached.
Comment 1 Stefan Fritsch 2011-06-13 19:31:40 UTC
Fixed in trunk in r1135234 by using !aNULL. Updated docs in r1135241.
Comment 2 Rob Stradling 2011-06-14 07:47:36 UTC
Thanks Stefan.  I agree that !aNULL is more appropriate than !ADH:!AECDH.
Comment 3 Stefan Fritsch 2012-02-26 17:12:10 UTC
fixed in 2.4.1 and 2.2.22