From 3a7f46aa3e75988686ef9fcae5158fc29f6a86f6 Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Mon, 26 Jul 2010 01:26:53 -0400 Subject: increased default TLS security setting switched default TLS security in config/tls_ciphers from HIGH to HIGH:!SSLv2. Added note for how to set the minimum level of security necessary for PCI compliance. Signed-off-by: Robert --- config.sample/tls_ciphers | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/config.sample/tls_ciphers b/config.sample/tls_ciphers index e889731..7bb0204 100644 --- a/config.sample/tls_ciphers +++ b/config.sample/tls_ciphers @@ -1,4 +1,10 @@ # Override default security using suitable string from available ciphers at # L # See plugins/tls for details. -HIGH +# +# HIGH is a reasonable default that should satisfy most installations +HIGH:!SSLv2 +# +# if you have legacy clients that require less secure connections, +# consider using this less secure, but PCI compliant setting: +#DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM -- 1.7.2.2
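Review bot: The added comment "# HIGH is a reasonable default that should satisfy most installations" sits directly above a setting that is now `HIGH:!SSLv2`, so the comment and the value it documents disagree. Name the actual string in the comment and say in a few words why SSLv2 is excluded, so that an operator who edits the line knows what to keep. In the commented-out legacy alternative, `+HIGH:+MEDIUM` deserves a word of explanation: in OpenSSL cipher-list syntax a leading `+` only moves ciphers already selected to the end of the list and adds none, so these two terms reorder what `DEFAULT` chose rather than enable anything. The "PCI compliant" claim would also be easier to maintain with the PCI DSS version or a date next to it, since a cipher string that qualifies today may not later.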