From e6e9a43bbcccbee1b8e7ca2d090baba059d1f38c Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Sun, 26 Jan 2014 10:47:42 +0100
Subject: Make default ciphers more secure
Remove MEDIUM (RC4+SEED).
Remove !MD5 because HIGH does not include MD5.
Remove example including RC4
---
 debian/changelog | 5 +++++
 debian/config-dir/mods-available/ssl.conf | 15 +--------------
 2 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 47f89c7f..81912754 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,10 @@
 apache2 (2.4.7-2) UNRELEASED; urgency=medium
+ * Make default cipher list in ssl.conf more secure:
+ - Remove 'MEDIUM'. This disables RC4 and SEED. Also remove '!MD5' because
+ 'HIGH' does not include MD5.
+ - Remove the 'Speed-optimized SSL Cipher' configuration example because
+ it depends on RC4, which is considered insecure.
 * Patch the build system to avoid problems with patched config.m4's as in LP #1251939 in the future.
diff --git a/debian/config-dir/mods-available/ssl.conf b/debian/config-dir/mods-available/ssl.conf
index 244d2a5e..2df23389 100644
--- a/debian/config-dir/mods-available/ssl.conf
+++ b/debian/config-dir/mods-available/ssl.conf
@@ -56,20 +56,7 @@
 # ciphers(1) man page from the openssl package for list of all available
 # options.
 # Enable only secure ciphers:
- SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-
- # Speed-optimized SSL Cipher configuration:
- # If speed is your main concern (on busy HTTPS servers e.g.),
- # you might want to force clients to specific, performance
- # optimized ciphers. In this case, prepend those ciphers
- # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
- # Caveat: by giving precedence to RC4-SHA and AES128-SHA
- # (as in the example below), most connections will no longer
- # have perfect forward secrecy - if the server's key is
- # compromised, captures of past or future traffic must be
- # considered compromised, too.
- #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
- #SSLHonorCipherOrder on
+ SSLCipherSuite HIGH:!aNULL
 # The protocols to enable.
 # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
-- cgit v1.2.3
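Review bot: The new `SSLCipherSuite HIGH:!aNULL` line still leaves the choice of suite to the client, and by deleting the whole example the hunk also removes the only mention of `SSLHonorCipherOrder`, so a client that lists plain-RSA key exchange ahead of ECDHE/DHE negotiates a session without forward secrecy — the very risk the removed caveat spelled out. Consider keeping a commented-out `#SSLHonorCipherOrder on` directly below the new line, introduced by a one-line comment such as `# Prefer the server's order so forward-secret (ECDHE/DHE) suites win over RSA key exchange when the client offers both.`. The retained comment `# Enable only secure ciphers:` also oversells `HIGH`, whose membership is decided by the installed OpenSSL rather than by this file and, on the 1.0.x releases current at the time, still admits 3DES and SHA-1-MAC suites. A short note telling administrators to inspect the effective list with `openssl ciphers -v 'HIGH:!aNULL'` after OpenSSL upgrades would make the default honest.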