quick and sleazy Apache worm workaround

Tom Perrine tep at SDSC.EDU
Mon Sep 16 20:47:11 GMT 2002


-----BEGIN PGP SIGNED MESSAGE-----

We scrambled to get all our Apache and OpenSSL versions lined up; 80+
web sites on 20+ machines using Solaris and Linux :-(  Redhat's
versioning was not helpful, but we'd already been down that road with
the last set of OpenSSL patches so we know what to look for :-)

Counterpane is suggesting an Apache httpd.conf change that seems to be
a suitable workaround: turn off SSLv2.  Since SSLv2 has been
deprecated since 1998, it seems like a good idea.

I've done this on several of my personal machines, as an additional
step beyond an OpenSSL upgrade (and server restart).

In httpd.conf:

***************
*** 1169,1175 ****
  #   SSL Cipher Suite:
  #   List the ciphers that the client is permitted to negotiate.
  #   See the mod_ssl documentation for a complete list.
! SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  
  #   Server Certificate:
  #   Point SSLCertificateFile at a PEM encoded certificate.  If
- --- 1169,1175 ----
  #   SSL Cipher Suite:
  #   List the ciphers that the client is permitted to negotiate.
  #   See the mod_ssl documentation for a complete list.
! SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+TLSv1:-SSLv2+EXP:+eNULL
  
  #   Server Certificate:
  #   Point SSLCertificateFile at a PEM encoded certificate.  If
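Review bot: the new SSLCipherSuite line is missing a ':' between `-SSLv2` and `+EXP`, so OpenSSL reads `-SSLv2+EXP` as a single rule that removes only ciphers which are both SSLv2 and export grade; every other SSLv2 suite remains enabled and the workaround does not take effect. It should read `...:+TLSv1:-SSLv2:+EXP:+eNULL`, and `!SSLv2` would be the safer spelling, because `-` only moves ciphers out of the list (a later rule can add them back) while `!` removes them permanently. The trailing `+eNULL`, carried over unchanged from the old line, still leaves the null-encryption ciphers selectable; `!eNULL` would close that as well.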

- -- 
Tom E. Perrine <tep at SDSC.EDU> | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/     | 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.7 <http://mailcrypt.sourceforge.net/>

iQCUAwUBPYZDTBTSxpWcaAFRAQHTYQP42xtMZ3d99Rqb941dQTj/ylUpzsQfiTw2
Oqhq3z9Ifxq5mjRd0pV+WbySm9OGVsc6b/Wt+2osmIs3sjdUR8i3bNq9KUfcmjBK
0q5uAGPAc8SW2uHg5dpCNyru6/unAaxEqrv0QuKHHtlkN0BL0JoXCEuo/L6eJI/E
PQ2HE6Vdkg==
=EPpy
-----END PGP SIGNATURE-----
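As an added example, not part of Tom's post or of mod_ssl itself, here is a small Python checker that splits an OpenSSL cipher-list string the way an `SSLCipherSuite` value is parsed (rules separated by ':', ',' or whitespace; '+' inside a rule ANDs cipher classes; a leading '!', '-' or '+' is the rule's operator) and reports whether the SSLv2 class is really removed. It runs over the two strings from the diff above plus a corrected variant I constructed using `!SSLv2`; the function names and the conservative "re-add" heuristic in `sslv2_disabled` are my own, not OpenSSL's exact algorithm.

```python
import re

# OpenSSL separates the rules of a cipher list on ':', ',' or whitespace.
_SEPARATORS = re.compile(r"[:,\s]+")


def parse_cipher_rules(cipher_list):
    """Split an OpenSSL cipher-list string into (operator, components) rules.

    operator is '' (add ciphers), '+' (move already-listed ciphers to the
    end), '-' (remove, but a later rule may add them back) or '!' (remove
    permanently). components are the names joined by '+' inside one rule;
    such a rule matches only ciphers belonging to EVERY listed class.
    Tokens starting with '@' (e.g. @STRENGTH) are sort directives and skipped.
    """
    rules = []
    for token in _SEPARATORS.split(cipher_list.strip()):
        if not token or token.startswith("@"):
            continue
        op = ""
        if token[0] in "+-!":
            op, token = token[0], token[1:]
        rules.append((op, token.split("+")))
    return rules


def sslv2_rules(cipher_list):
    """Return every rule that mentions the SSLv2 class, for diagnostics."""
    return [(op, comps) for op, comps in parse_cipher_rules(cipher_list)
            if "SSLv2" in comps]


def sslv2_disabled(cipher_list):
    """True if the list removes the whole SSLv2 class.

    Only a rule whose components are exactly ['SSLv2'] removes the class.
    '-SSLv2+EXP' (a missing ':' between two rules) matches ciphers that are
    both SSLv2 AND export grade, so it is not enough. '!SSLv2' is permanent;
    '-SSLv2' is undone by a later bare rule that adds SSLv2 ciphers back,
    which this checker approximates as a later bare 'SSLv2' or 'ALL'.
    """
    disabled = False
    for op, comps in parse_cipher_rules(cipher_list):
        if comps == ["SSLv2"]:
            if op == "!":
                return True          # permanent removal, nothing can re-add
            if op == "-":
                disabled = True
            elif op == "":
                disabled = False     # bare 'SSLv2' adds the class back
        elif op == "" and comps == ["ALL"]:
            disabled = False         # bare 'ALL' re-adds everything
    return disabled


# The two strings from the diff in the post above.
BEFORE = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
AFTER_AS_POSTED = ("ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW"
                   ":+SSLv3:+TLSv1:-SSLv2+EXP:+eNULL")
# Constructed correction (not from the post): separate rule, permanent kill.
AFTER_FIXED = ("ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW"
               ":+SSLv3:+TLSv1:!SSLv2:+EXP:+eNULL")

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("as posted", AFTER_AS_POSTED),
                         ("fixed", AFTER_FIXED)):
        print(f"{label:10s} SSLv2 disabled={sslv2_disabled(value)} "
              f"rules={sslv2_rules(value)}")
```

The point the checker makes visible: the posted line parses to a single rule `('-', ['SSLv2', 'EXP'])`, so SSLv2 is not disabled, while `!SSLv2` as its own rule is. Current OpenSSL releases (1.1.0 and later) have no SSLv2 code at all, so on a modern server the keyword is inert either way; the parsing lesson about missing separators and `-` versus `!` still applies to every other class in the string.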
