Apache2: Change SSL Ciphers to Mitigate BEAST attack

Details

  • Type: Improvement Improvement
  • Status: Closed Closed
  • Priority: Unknown Unknown
  • Resolution: Fixed
  • Component/s: apache2
  • Labels:

Description

An SSL test (from https://www.ssllabs.com/ssltest/) using the default settings in templates/default/mods/ssl.conf.erb shows that a site using this config is vulnerable to the BEAST attack. https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls gives some recommended apache configuration settings.

Either use these by default or make them a configurable attribute.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Nathan L Smith added a comment -

Opened https://github.com/opscode-cookbooks/apache2/pull/15

Show
Nathan L Smith added a comment - Opened https://github.com/opscode-cookbooks/apache2/pull/15
Hide
Permalink
jtimberman added a comment -

Resolving so we pick this up for code review.

Show
jtimberman added a comment - Resolving so we pick this up for code review.
Hide
Permalink
Bryan McLellan [Opscode] added a comment -

We should consider Lamont's comments in the pull request, but this heads in the right direction of increasing security and making the cipher suite configurable.

The one concern is that we provide a ciper suite that breaks someone. It sounds like Lamont had a good grasp on this possibility from his comments on his pull request so we should be fine, but someone else is welcome to chime in, in the interim.

Show
Bryan McLellan [Opscode] added a comment - We should consider Lamont's comments in the pull request, but this heads in the right direction of increasing security and making the cipher suite configurable. The one concern is that we provide a ciper suite that breaks someone. It sounds like Lamont had a good grasp on this possibility from his comments on his pull request so we should be fine, but someone else is welcome to chime in, in the interim.
Hide
Permalink
jtimberman added a comment -

This is merged as is.

I added information about the attribute in the README.md, it's up to people implementing this in their own environment to override the attribute to a value that complies with their security policy, especially if they have to content with PCI-DSS.

Show
jtimberman added a comment - This is merged as is. I added information about the attribute in the README.md, it's up to people implementing this in their own environment to override the attribute to a value that complies with their security policy, especially if they have to content with PCI-DSS.
Hide
Permalink
jtimberman added a comment -

Transitioning this ticket to "Fix Committed" to reflect new workflow state where a ticket's contribution is merged into the master branch, but hasn't been released in a new version yet.

Show
jtimberman added a comment - Transitioning this ticket to "Fix Committed" to reflect new workflow state where a ticket's contribution is merged into the master branch, but hasn't been released in a new version yet.
Hide
Permalink
jtimberman added a comment -

Released in v1.3.0

Show
jtimberman added a comment - Released in v1.3.0

People

  • Assignee:
    Unassigned
    Reporter:
    Nathan L Smith
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: