| 1 |
slords |
1.1 |
From 3a7f46aa3e75988686ef9fcae5158fc29f6a86f6 Mon Sep 17 00:00:00 2001 |
| 2 |
|
|
From: Matt Simerson <matt@tnpi.net> |
| 3 |
|
|
Date: Mon, 26 Jul 2010 01:26:53 -0400 |
| 4 |
|
|
Subject: increased default TLS security setting |
| 5 |
|
|
|
| 6 |
|
|
switched default TLS security in config/tls_ciphers from HIGH to HIGH:!SSLv2. Added note for how to set the minimum level of security necessary for PCI compliance. |
| 7 |
|
|
|
| 8 |
|
|
Signed-off-by: Robert <rspier@pobox.com> |
| 9 |
|
|
--- |
| 10 |
|
|
config.sample/tls_ciphers | 8 +++++++- |
| 11 |
|
|
1 files changed, 7 insertions(+), 1 deletions(-) |
| 12 |
|
|
|
| 13 |
|
|
diff --git a/config.sample/tls_ciphers b/config.sample/tls_ciphers |
| 14 |
|
|
index e889731..7bb0204 100644 |
| 15 |
|
|
--- a/config.sample/tls_ciphers |
| 16 |
|
|
+++ b/config.sample/tls_ciphers |
| 17 |
|
|
@@ -1,4 +1,10 @@ |
| 18 |
|
|
# Override default security using suitable string from available ciphers at |
| 19 |
|
|
# L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS> |
| 20 |
|
|
# See plugins/tls for details. |
| 21 |
|
|
-HIGH |
| 22 |
|
|
+# |
| 23 |
|
|
+# HIGH is a reasonable default that should satisfy most installations |
| 24 |
|
|
+HIGH:!SSLv2 |
| 25 |
|
|
+# |
| 26 |
|
|
+# if you have legacy clients that require less secure connections, |
| 27 |
|
|
+# consider using this less secure, but PCI compliant setting: |
| 28 |
|
|
+#DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM |
| 29 |
|
|
-- |
| 30 |
|
|
1.7.2.2 |
| 31 |
|
|
|
Parent Directory
| 
Revision Log
| 
Revision Graph
