httpd: Use highest TLS versions server supports #33
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is exactly the same change I made back in ioerror#9. However, it needs to be made once again because ioerror#16 went back to whitelisting versions, without any explanation of why this is better. I can, however, come up with several reasons why a blacklist is preferable: 1. The config will be suitable for versions of Apache/OpenSSL that don't support TLS 1.1 and 1.2. 2. Newer versions of TLS will be automatically enabled when supported. There is, practically speaking, *no* chance those will decrease, rather than increase, security.
|
I was reminded of this problem (which I pointed out ten months ago) when I saw this misconfiguration that would've been solved via protocol blacklisting instead of whitelisting. I'd also like to note that the comments at the top of the file are woefully out of date (last changed in 2010!). However, specifying every combination of supported ciphers, particularly when it depends on the system, seems guaranteed to be out-dated (or just inaccurate!), so I left them as-is. |
|
Why not remove SSLv3 while you're at it? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is exactly the same change I made back in #9. However, it needs to be made once again because #16 went back to whitelisting versions, without any explanation of why this is better. I can, however, come up with several reasons why a blacklist is preferable: