From: Michael Peters <mrpeters@library.in.gov>
Date: Thu, 27 Oct 2011 13:42:37 +0000 (-0400)
Subject: A tweak to eg.conf to prevent against the BEAST exploit in TLS/SSL
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=d2e88db7f4ac78a89ea604c480f653e1431d7639;p=evergreen%2Fequinox.git

A tweak to eg.conf to prevent against the BEAST exploit in TLS/SSL

Based on recommedation from https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

Signed-off-by: Michael Peters <mrpeters@library.in.gov>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
---

diff --git a/Open-ILS/examples/apache/eg.conf b/Open-ILS/examples/apache/eg.conf
index 77b5f408c1..e2b0584895 100644
--- a/Open-ILS/examples/apache/eg.conf
+++ b/Open-ILS/examples/apache/eg.conf
@@ -109,7 +109,8 @@ NameVirtualHost *:443
 	ServerName localhost:443
 	ServerAlias 127.0.0.1:443
 	SSLEngine on
-	SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+	SSLHonorCipherOrder On
+	SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
 
     # If you don't have an SSL cert, you can create self-signed 
     # certificate and key with: