Bug 156987 - www/apache22: Harden SSL cipher suites strength and SSL protocol support of /usr/local/etc/apache/extra/httpd-ssl.conf
Summary: www/apache22: Harden SSL cipher suites strength and SSL protocol support of /...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Philip M. Gollucci
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-12 22:20 UTC by Adrian Dimcev
Modified: 2012-01-18 03:50 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Adrian Dimcev 2011-05-12 22:20:08 UTC 
Testing the default configuration of the SSL part (included mod_ssl) of
apache2 of FreeBSD 8.2 (i386) was noted that the default
/usr/local/etc/apache/extra/httpd-ssl.conf configuration regarding SSL
cipher suite strength and SSL protocol support is pretty bad: SSL 2.0
is enabled, weak cipher suites (DES based) and export cipher suites
(including RC2 based ones) are enabled. -> these should be disabled
by default.

Test results:
http://www.carbonwind.net/blog/post/On-scope-default-SSLTLS-settings-shipped-on-various-Linux-distros-for-Apache-22x.aspx
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2011-05-13 05:06:52 UTC 
State Changed
From-To: open->feedback

to which port does this PR apply?
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2011-05-13 05:06:52 UTC 
Responsible Changed
From-To: freebsd-i386->freebsd-ports-bugs
Comment 3 Adrian Dimcev 2011-05-13 14:17:51 UTC 
Installation details:

pkg_info
apache-2.2.17_1     Version 2.2.x of Apache web server with prefork MPM.

pkg_version
apache                              =

uname -a
FreeBSD freebsd.example.net 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb
18 02:24:46 UTC 2011    
root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
Comment 4 Mark Linimon freebsd_committer freebsd_triage 2011-05-29 06:43:30 UTC 
State Changed
From-To: feedback->open
Comment 5 Mark Linimon freebsd_committer freebsd_triage 2011-05-29 06:43:30 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->apache
Comment 6 Philip M. Gollucci freebsd_committer freebsd_triage 2012-01-17 05:44:13 UTC 
Responsible Changed
From-To: apache->pgollucci

I will take it.
Comment 7 dfilter service freebsd_committer freebsd_triage 2012-01-18 03:44:48 UTC 
pgollucci    2012-01-18 03:44:39 UTC

  FreeBSD ports repository

  Modified files:
    www/apache22/files   
                         patch-docs__conf__extra__httpd-ssl.conf.in 
  Log:
  - Pull r1227293 from httpd svn
    Note, you have to actually uncomment the include for this to take affect
  - No PORTREVISION bump since nothing changes by default
  
  PR:             ports/156987
  Reported by:    Adrian Dimcev <adimcev@carbonwind.net>
  With Hat:       apache@
  
  Revision  Changes    Path
  1.2       +40 -20    ports/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 8 Philip M. Gollucci freebsd_committer freebsd_triage 2012-01-18 03:46:49 UTC 
State Changed
From-To: open->closed

Committed, Thanks!