author | Rob Crittenden <rcritten@redhat.com> | 2016-03-01 11:33:25 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2016-03-01 11:42:27 -0500 |
commit | baa0d0257d14725790bda2b727b722f8829ade23 (patch) | |
tree | 085f432abfd77e93dcc5884e2194d59165928731 | |
parent | 105d65bfedfa0e381dcebd197ef67aab799fc8b1 (diff) | |
Update default cipher set to include stronger ciphers
Insecure or less secure algorithms such as RC4, DES and 3DES are
removed. Perfect forward secrecy suites with ephemeral ECDH key
exchange have been added. IE 8 on Windows XP is no longer
supported.
https://fedorahosted.org/mod_nss/ticket/5
-rw-r--r-- | nss.conf.in | 9 |
1 files changed, 1 insertions, 8 deletions
diff --git a/nss.conf.in b/nss.conf.in
index 79f6511..9b9ffc8 100644
--- a/nss.conf.in
+++ b/nss.conf.in
@@ -100,14 +100,7 @@ NSSEngine on
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_nss documentation for a complete list.
-# SSL 3 ciphers. SSL 2 is disabled by default.
-NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
-
-# SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
-#
-# Comment out the NSSCipherSuite line above and use the one below if you have
-# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
-#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
+NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
 # SSL Protocol:
 # Cryptographic protocols that provide communication security. |
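Review bot: The new default `NSSCipherSuite` line enables the `ecdhe_*` suites unconditionally, whereas the comment it removes tied the ECC list to an "ECC enabled NSS and mod_nss" build; how a build without ECC treats these names at startup is not visible in this hunk and should be confirmed before shipping it as the default. The line also keeps static-RSA key-exchange suites (`+rsa_aes_128_sha`, `+rsa_aes_256_sha`, `+rsa_aes_128_gcm_sha_256`, and presumably the unprefixed `+aes_128_sha_256`/`+aes_256_sha_256`), which give no forward secrecy, so the forward-secrecy claim in the commit message covers only part of the list. Because the explicit `-` entries for weak suites are gone, the configuration now depends on unlisted suites being disabled by default, and no comment says so. I would add two lines above the directive: `# ECDHE suites require ECC-enabled NSS and mod_nss; rsa_* suites are kept for older clients and lack forward secrecy.` and `# Suites not listed are expected to be disabled; see the mod_nss documentation.`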