On Wed, 02 May 2012 16:01:49 -0500, Matt Dawson <matt@chronos.org.uk> wrote:

> mod_gnutls in ports. Setup is simple for Apache. Prefer the RC4 cipher
> which secures SSLv3 against BEAST. This setup on my own HTTPS servers
> passes Qualys' own tests with an A rating of 87 and tells me BEAST is
> mitigated, although the thing still gives me an error on session
> resumption which I know damned well works. It's all there for server
> side in ports.

Why go out of your way and use mod_gnutls? You can simply set your SSL settings like this:

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</IfModule>

And now you have a rating of 85 and no BEAST issues.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
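
Added example (not part of the original message and not mod_ssl code): a simplified Python model of server-side cipher selection, showing why the configuration in the message relies on SSLHonorCipherOrder On to keep SSLv3/TLSv1 clients off CBC suites. The suite table is a hand-expanded, constructed approximation of the SSLCipherSuite string and the client offer is a constructed sample; the function names are hypothetical.

```python
# Added illustration: simplified model of TLS server cipher selection.
# Suite metadata is a constructed, hand-expanded approximation of the
# SSLCipherSuite string in the message; real OpenSSL expansion is longer.

# (name, minimum protocol, bulk-cipher mode), in server preference order
SERVER_SUITES = [
    ("ECDHE-RSA-AES128-SHA256", "TLSv1.2", "cbc"),
    ("AES128-GCM-SHA256",       "TLSv1.2", "aead"),
    ("ECDHE-RSA-RC4-SHA",       "SSLv3",   "stream"),
    ("RC4-SHA",                 "SSLv3",   "stream"),
    ("AES256-SHA",              "SSLv3",   "cbc"),
    ("AES128-SHA",              "SSLv3",   "cbc"),
    ("DES-CBC3-SHA",            "SSLv3",   "cbc"),
]
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}
META = {name: (proto, mode) for name, proto, mode in SERVER_SUITES}


def negotiate(client_offer, protocol, honor_server_order):
    """Return the suite picked for this handshake, or None if no overlap."""
    server_order = [name for name, _, _ in SERVER_SUITES]
    usable = {
        name for name in server_order
        if name in client_offer
        and PROTO_RANK[META[name][0]] <= PROTO_RANK[protocol]
    }
    # With SSLHonorCipherOrder On the server's list decides; otherwise
    # the first mutually supported suite in the client's list wins.
    order = server_order if honor_server_order else client_offer
    return next((name for name in order if name in usable), None)


def beast_exposed(suite, protocol):
    """BEAST needs a CBC suite on SSLv3/TLSv1.0 (predictable IVs)."""
    return (suite is not None and META[suite][1] == "cbc"
            and PROTO_RANK[protocol] <= PROTO_RANK["TLSv1"])


# Constructed sample: a 2012-era client that lists CBC suites first.
CLIENT_OFFER = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for honor in (True, False):
        for proto in ("SSLv3", "TLSv1"):
            suite = negotiate(CLIENT_OFFER, proto, honor)
            print(f"honor={honor!s:5} {proto:6} -> {suite:12} "
                  f"BEAST-exposed={beast_exposed(suite, proto)}")
```

In this model the two leading TLSv1.2-only suites are skipped for SSLv3/TLSv1 handshakes, so RC4-SHA is selected only when the server's order is honored; with client order the same handshake lands on AES256-SHA, a CBC suite.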