From 06ffbd4d15019ab82707179243670c2591209fc7 Mon Sep 17 00:00:00 2001
From: Michael Peters <mrpeters@library.in.gov>
Date: Thu, 27 Oct 2011 09:42:37 -0400
Subject: [PATCH] A tweak to eg.conf to prevent against the BEAST exploit in
 TLS/SSL

Based on recommedation from https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

Signed-off-by: Michael Peters <mrpeters@library.in.gov>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
---
 Open-ILS/examples/apache/eg.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Open-ILS/examples/apache/eg.conf b/Open-ILS/examples/apache/eg.conf
index 3bf5696c45..c050826ef9 100644
--- a/Open-ILS/examples/apache/eg.conf
+++ b/Open-ILS/examples/apache/eg.conf
@@ -109,7 +109,8 @@ NameVirtualHost *:443
 	ServerName localhost:443
 	ServerAlias 127.0.0.1:443
 	SSLEngine on
-	SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+	SSLHonorCipherOrder On
+	SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
 
     # If you don't have an SSL cert, you can create self-signed 
     # certificate and key with:
-- 
2.11.0