[evolvis-commits] r18390: tarent-config pending merges:↵ Thorsten Glaser 2012-05-08 TLSv1 only, not SSLv3 and especially not SSLv2 (taken from MirBSD httpd)↵ Thorsten Glaser 2012-05-08 CVE-2011-3389: force an RC4 only ciphersuite for a short-term workaround

mirabilos at evolvis.org mirabilos at evolvis.org
Fri May 11 17:14:58 CEST 2012


Author: mirabilos
Date: 2012-05-11 17:14:58 +0200 (Fri, 11 May 2012)
New Revision: 18390

Modified:
   trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
   trunk/gforge_base/evolvisforge-5.1/src/etc/httpd.conf.d-fhs/ssl-really-on.inc
   trunk/gforge_base/evolvisforge-5.1/src/etc/httpd.conf.d/ssl-really-on.inc
Log:
tarent-config pending merges:
  Thorsten Glaser 2012-05-08 TLSv1 only, not SSLv3 and especially not SSLv2 (taken from MirBSD httpd)
    Thorsten Glaser 2012-05-08 CVE-2011-3389: force an RC4 only ciphersuite for a short-term workaround

Modified: trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/debian/changelog	2012-05-07 19:09:37 UTC (rev 18389)
+++ trunk/gforge_base/evolvisforge-5.1/src/debian/changelog	2012-05-11 15:14:58 UTC (rev 18390)
@@ -3,8 +3,9 @@
   * Evolvis Theme: add support for nerville’s method of making
     tooltips in the submenu, which is kinda pointless, but for
     the sake of compatibility, oh my…
+  * HTTPS: use TLSv1 only and work around CVE-2011-3389 using RC4 only
 
- -- Thorsten Glaser <t.glaser at tarent.de>  Mon, 07 May 2012 09:56:48 +0200
+ -- Thorsten Glaser <t.glaser at tarent.de>  Tue, 08 May 2012 10:04:19 +0200
 
 fusionforge (1:5.1.1+evolvis57) unstable; urgency=low
 
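
Review bot: the added changelog entry ("use TLSv1 only and work around CVE-2011-3389 using RC4 only") omits the "short-term" qualifier that both the log message and the config comment attach to the RC4 restriction. Say in the entry that the RC4-only setting is temporary, so that someone reading only the package changelog knows it is meant to be revisited.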

Modified: trunk/gforge_base/evolvisforge-5.1/src/etc/httpd.conf.d/ssl-really-on.inc
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/etc/httpd.conf.d/ssl-really-on.inc	2012-05-07 19:09:37 UTC (rev 18389)
+++ trunk/gforge_base/evolvisforge-5.1/src/etc/httpd.conf.d/ssl-really-on.inc	2012-05-11 15:14:58 UTC (rev 18390)
@@ -1,10 +1,15 @@
 <IfModule mod_ssl.c>
   SSLEngine on
   
+  # workaround for BEAST (CVE-2011-3389), short-term
+  SSLCipherSuite RC4-SHA
+
   SSLCertificateFile {core/config_path}/ssl-cert.pem
   SSLCertificateKeyFile {core/config_path}/ssl-cert.key
   SSLCertificateChainFile {core/config_path}/ssl-cert.ca
   # Add extra SSL configuration (e.g. SSLCACertificatePath) here
+
+  SSLProtocol TLSv1
   
   <Files ~ "\.(cgi|shtml)$">
     SSLOptions +StdEnvVars
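
Review bot: `SSLProtocol TLSv1`, added after the "Add extra SSL configuration" comment, enables TLS 1.0 and nothing else, which is narrower than the log message's stated intent of dropping SSLv3 and SSLv2. On mod_ssl builds that know the TLSv1.1 and TLSv1.2 keywords this line turns those versions off as well, and they are the ones not affected by CVE-2011-3389; `SSLProtocol all -SSLv2 -SSLv3` states the intent directly. Separately, `SSLCipherSuite RC4-SHA` leaves exactly one suite, so any client that does not offer it fails the handshake. Since the comment calls this short-term, state the condition that ends it, and consider listing RC4-SHA first with `SSLHonorCipherOrder on` rather than as the only entry. The two directives would also read better placed together, above the "Add extra SSL configuration" line.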

Modified: trunk/gforge_base/evolvisforge-5.1/src/etc/httpd.conf.d-fhs/ssl-really-on.inc
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/etc/httpd.conf.d-fhs/ssl-really-on.inc	2012-05-07 19:09:37 UTC (rev 18389)
+++ trunk/gforge_base/evolvisforge-5.1/src/etc/httpd.conf.d-fhs/ssl-really-on.inc	2012-05-11 15:14:58 UTC (rev 18390)
@@ -1,10 +1,15 @@
 <IfModule mod_ssl.c>
   SSLEngine on
   
+  # workaround for BEAST (CVE-2011-3389), short-term
+  SSLCipherSuite RC4-SHA
+
   SSLCertificateFile /etc/gforge/ssl-cert.pem
   SSLCertificateKeyFile /etc/gforge/ssl-cert.key
   SSLCertificateChainFile {core/config_path}/ssl-cert.ca
   # Add extra SSL configuration (e.g. SSLCACertificatePath) here
+
+  SSLProtocol TLSv1
   
   <Files ~ "\.(cgi|shtml)$">
     SSLOptions +StdEnvVars
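
Review bot: the two directives added here are a verbatim copy of the ones added to httpd.conf.d/ssl-really-on.inc, so the short-term workaround now has to be reverted in two files. Moving `SSLCipherSuite` and `SSLProtocol` into one shared include that both variants pull in would keep them from drifting apart. While in this file: the context lines show `SSLCertificateFile` and `SSLCertificateKeyFile` under /etc/gforge/ but `SSLCertificateChainFile` still under {core/config_path}; worth confirming that mix is intended for the FHS variant.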


