Merge lp:~hloeung/charms/precise/apache2/ssl-security-options into lp:charms/apache2
| Status | Merged |
|---|---|
| Merged at revision | 60 |
| Proposed branch | lp:~hloeung/charms/precise/apache2/ssl-security-options |
| Merge into | lp:charms/apache2 |
| Diff against target | 75 lines (+27/-0), 5 files modified: .bzrignore (+1/-0), README.md (+5/-0), config.yaml (+12/-0), data/security.template (+6/-0), hooks/hooks.py (+3/-0) |
| To merge this branch | bzr merge lp:~hloeung/charms/precise/apache2/ssl-security-options |
| Related bugs | |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Adam Israel (community) | | | Approve |
| Review Queue (community) | automated testing | | Needs Fixing |
| Charles Butler (community) | | | Needs Fixing |

Review via email: mp+233877@code.launchpad.net
Description of the change
Add an option to override the supported cipher suites, enforce the server's preference instead of the browser's/client's, and reorder by default so that:
- PFS cipher suites are more preferred.
- for performance and to keep computation low on servers, 128-bit is preferred over 256-bit.
We also want to keep RC4-SHA for IE6/XP clients and ignore all LOW cipher suites or those where there are potential weaknesses such as DSS and 3DES. I've also used generics such as EECDH, EDH, HIGH, MEDIUM, and LOW so that it is more future-proof as more cipher suites are added or moved between HIGH/MEDIUM/LOW.
Apache docs say the default is "ALL:!ADH:
$ diff -Naurp <(openssl ciphers -V 'ALL:!ADH:
--- /dev/fd/63 2014-09-09 17:16:42.124195525 +1000
+++ /dev/fd/62 2014-09-09 17:16:42.124195525 +1000
- 0x00,0x03 - EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
- 0x00,0x04 - RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
- 0x00,0x06 - EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
- 0x00,0x08 - EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
- 0x00,0x09 - DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
- 0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
- 0x00,0x11 - EXP-EDH-
- 0x00,0x12 - EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
- 0x00,0x13 - EDH-DSS-
- 0x00,0x14 - EXP-EDH-
- 0x00,0x15 - EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
- 0x00,0x16 - EDH-RSA-
- 0x00,0x32 - DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
- 0x00,0x38 - DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
- 0x00,0x40 - DHE-DSS-
- 0x00,0x44 - DHE-DSS-
- 0x00,0x6A - DHE-DSS-
- 0x00,0x87 - DHE-DSS-
- 0x00,0x8A - PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
- 0x00,0x8B - PSK-3DES-
- 0x00,0x8C - PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
- 0x00,0x8D - PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
- 0x00,0x96 - SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
- 0x00,0x99 - DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
- 0x00,0x9A - DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
- 0x00,0xA2 - DHE-DSS-
- 0x00,0xA3 - DHE-DSS-
- 0xC0,0x02 - ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
- 0xC0,0x03 - ECDH-ECDSA-
- 0xC0,0x07 - ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
- 0xC0,0x08 - ECDHE-ECDSA-
- 0xC0,0x0C - ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
- 0xC0,0x0D - ECDH-RSA-
- 0xC0,0x11 - ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
- 0xC0,0x12 - ECDHE-RSA-
- 0xC0,0x16 - AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
- 0xC0,0x17 - AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
- 0xC0,0x18 - AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
- 0xC0,0x19 - AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
- 0xC0,0x1A - SRP-3DES-
- 0xC0,0x1B - SRP-RSA-
- 0xC0,0x1C - SRP-DSS-
- 0xC0,0x1D - SRP-AES-128-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SHA1
- 0xC0,0x1E - SRP-RSA-
- 0xC0,0x1F - SRP-DSS-
- 0xC0,0x20 - SRP-AES-256-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SHA1
- 0xC0,0x21 - SRP-RSA-
- 0xC0,0x22 - SRP-DSS-
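Review bot: only the `-` side of the `openssl ciphers -V` comparison survives here, so the removals (the EXP-* export suites, DES(56), the 3DES suites such as DES-CBC3-SHA and AECDH-DES-CBC3-SHA, every Au=DSS suite, the anonymous AECDH suites, PSK, SRP, SEED and RC4-MD5) can be checked against the description, but the reordering it claims (PFS first, 128-bit before 256-bit) cannot; attaching the `+` side or the full ordered output of the new default string would let a reviewer verify that part too. Also note the diff drops ECDHE-ECDSA-RC4-SHA (0xC0,0x07) and ECDHE-RSA-RC4-SHA (0xC0,0x11) while the description keeps plain RC4-SHA; if RC4 is meant only as a last-resort IE6/XP fallback that is consistent, but the description should say so.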
[1]http://
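As an added example (not part of this merge proposal or the charm's own code), the policy the description states can be checked mechanically against `openssl ciphers -V` output: no DSS, no 3DES, no LOW/export strength, no anonymous key exchange, PFS suites ahead of non-PFS ones, and 128-bit ahead of 256-bit. The sample lines below are constructed in that output format; the parser also accepts the `-`/`+` prefixed diff lines quoted above, so the proposal's own removal list can be fed in. The rule set and the `check_policy` name are assumptions made for this example.

```python
"""Check a cipher-suite list (``openssl ciphers -V`` output) against the policy
described in the merge proposal: no DSS, no 3DES, no LOW/export strength,
no anonymous key exchange, PFS suites first, 128-bit before 256-bit."""
import re
from typing import List, NamedTuple, Optional

# One line of ``openssl ciphers -V`` output; an optional leading "-"/"+" lets the
# ``diff`` lines quoted in the proposal be fed straight in.
LINE_RE = re.compile(
    r"^\s*[-+]?\s*(?P<code>0x[0-9A-Fa-f]{2},0x[0-9A-Fa-f]{2})\s+-\s+(?P<name>\S+)\s+(?P<proto>\S+)"
    r"\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<flags>.*)$"
)
ENC_RE = re.compile(r"^(?P<alg>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?$")


class Suite(NamedTuple):
    code: str
    name: str
    kx: str      # key exchange, e.g. ECDH, DH, RSA, ECDH/RSA (static ECDH)
    au: str      # authentication, e.g. RSA, ECDSA, DSS, None (anonymous)
    enc: str     # bulk cipher, e.g. AESGCM, AES, 3DES, RC4
    bits: int    # bulk cipher key size; 0 when OpenSSL prints none
    export: bool


def parse(text: str) -> List[Suite]:
    """Parse ``openssl ciphers -V`` output (blank lines ignored)."""
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised cipher line: %r" % line)
        e = ENC_RE.match(m.group("enc"))
        alg = e.group("alg") if e else m.group("enc")
        bits = int(e.group("bits")) if e and e.group("bits") else 0
        suites.append(Suite(m.group("code"), m.group("name"), m.group("kx"),
                            m.group("au"), alg, bits, "export" in m.group("flags")))
    return suites


def is_pfs(s: Suite) -> bool:
    """Ephemeral DH/ECDH only; static ECDH is printed as Kx=ECDH/RSA or ECDH/ECDSA."""
    return s.kx.split("(")[0] in ("DH", "ECDH")


def forbidden_reason(s: Suite) -> Optional[str]:
    """First policy rule the suite breaks, or None if it is acceptable (assumed rule set)."""
    if s.au == "DSS":
        return "DSS authentication"
    if s.au == "None":
        return "anonymous key exchange"
    if s.enc == "3DES":
        return "3DES"
    if s.export or s.bits < 128:
        return "LOW/export strength (%d-bit)" % s.bits
    return None


def order_key(s: Suite):
    # PFS first (0 sorts before 1), then smaller key size first, so 128-bit precedes 256-bit.
    return (0 if is_pfs(s) else 1, s.bits)


def check_policy(text: str) -> List[str]:
    """Return a list of violations; an empty list means the list meets the policy."""
    suites = parse(text)
    problems = ["%s: %s" % (s.name, forbidden_reason(s)) for s in suites if forbidden_reason(s)]
    for a, b in zip(suites, suites[1:]):
        if order_key(a) > order_key(b):
            problems.append("ordering: %s should come before %s" % (b.name, a.name))
    return problems


# Constructed sample in ``openssl ciphers -V`` format (not the proposal's own output):
# an ordering that satisfies the policy, with RC4-SHA kept last as the IE6/XP fallback.
SAMPLE = """\
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x2F - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x05 - RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
"""

if __name__ == "__main__":
    import sys
    # Usage: openssl ciphers -V '<cipher string>' | python check_ciphers.py --stdin
    # With no argument the constructed SAMPLE is checked instead.
    data = sys.stdin.read() if "--stdin" in sys.argv[1:] else SAMPLE
    for p in check_policy(data) or ["OK: list meets the policy"]:
        print(p)
```

The ordering check is deliberately local (each adjacent pair), so a list that drifts out of order reports every descent rather than just the first; running it on the candidate `SSLCipherSuite` string before landing a change like this one turns the description's bullet points into something a reviewer can re-run.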
The results (PASS) are in and available here: http://reports.vapour.ws/charm-tests/charm-bundle-test-966-results