Memorandum #16.

Japanese version of this article

   Steffen released a new version of Apache 2.4.18, built with OpenSSL 1.0.2f, on February 11, so I updated my web server Apache to it the day before yesterday. Its ChangeLog says it was built with nghttp2 1.5.0; however, Steffen has already provided nghttp2 1.6.0 (MSVC release), though nghttp2’s releases come like a waterfall. You should at least use it instead of nghttp2 1.5.0. The ChangeLog of nghttp2 1.6.0. You can download mod_http2 1.1.0 & nghttp2 1.6.0 from here. If you are installing Apache 2.4.x for the first time, see “To create a Wamp-like Web Server in Windows7-#1”. Now I use a VC14 version of Apache, which requires VC14.

   At this opportunity, I edited my ssl.conf again (^_^;). This time I referred to the Mozilla SSL Configuration Generator. Actually I want to use the modern profile for Apache, but “ECDHE-RSA-AES256-SHA” is causing trouble for it; that suite is for Android 4.3 and earlier and isn’t one of the TLS v1.2 cipher suites. Anyway, I did what I can do at this point. I mean I set “SSLSessionTickets off”, “SSLStaplingResponderTimeout 5”, “SSLStaplingReturnResponderErrors off” and the SSLStaplingCache size to “128000”. The other parts of the suggestion my ssl.conf already had. Here are the test results by SSL Labs, before and after.
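   The mod_ssl directives named above, collected into one fragment as an added example (this is not the author’s actual ssl.conf; the hostname, certificate paths and cache path are assumptions, and the cipher list is left out because the post does not give it):

```apache
# Added example, not the original ssl.conf. ServerName, certificate paths and the
# stapling cache path are assumptions; the cipher suite list is deliberately omitted.

# SSLStaplingCache must be set in the global server config, outside any <VirtualHost>.
# 128000 is the cache size the post chose (Mozilla's generator suggests a similar value).
SSLStaplingCache "shmcb:logs/ssl_stapling(128000)"

<VirtualHost _default_:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    "conf/ssl/server.crt"
    SSLCertificateKeyFile "conf/ssl/server.key"

    # Weak default: session tickets are on, and Apache keeps one ticket key in memory
    # until restart, so a long-running server slowly loses forward secrecy.
    # SSLSessionTickets on

    # Corrected: disable tickets (session resumption still works via the session cache).
    SSLSessionTickets on
    SSLSessionTickets off

    # OCSP stapling: serve the CA's OCSP response in the handshake.
    SSLUseStapling                  on
    # Give up on a slow responder after 5 s instead of stalling the handshake.
    SSLStaplingResponderTimeout     5
    # If the responder fails, send no staple rather than stapling an error response.
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

   The duplicated `SSLSessionTickets` lines are intentional only as a before/after illustration; the last occurrence wins, so in a real file keep just `off`. To check the result from a client with OpenSSL, `openssl s_client -connect www.example.com:443 -status` should print an “OCSP Response Status: successful” block when stapling works, and its session summary should no longer contain a “TLS session ticket” section once tickets are off. A stapled response also only appears after the server has had a chance to fetch it, so the first handshake after a restart may still show no staple.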

   By the way, have you heard of the glibc vulnerability, CVE-2015-7547, yet? I think this is not related to my server, but is my old router OK? I’ve been to the vendor site, but they have no announcement yet.
