On 26/04/2023 13:06, Finn Fysj via FreeIPA-users wrote:
> I see that /etc/httpd/conf.d/ssl.conf for my IPA instances includes
> the following lines:
> [...]
> BrowserMatch "MSIE [2-5]" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> Would it be a good security practice to remove this? E.g "We do not accept MSIE 2-5 clients
If you've got such clients on your network then you have bigger problems. :)
MSIE 5 only supports SSLv3 out of the box; it can talk TLSv1.0 but only
if the client has been configured to allow it. RHEL 8's default crypto
policies specify that TLSv1.2 is the minimum allowed version. So if you
point MSIE 5 at such a server it won't even be able to connect.
As for that configuration directive: it's part of the RHEL httpd default
configuration. I don't think it's likely to break anything. But I don't
think there's a huge advantage in diverting from the default
configuration either.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9