RE: SSL vulnerability question


 



Thanks Igor.

1 - Will eventually upgrade to latest, but wanted a solution for 2.2.10 to fix in a few days.
2 - I don't see the SSLProtocol property in the config file for 2.2.10

3 - Thanks for the additional link. Will check it out.

Regards
Denise Edwards


-----Original Message-----
From: Igor Galić [mailto:i.galic@xxxxxxxxxxxxxx] 
Sent: Monday, October 18, 2010 1:25 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  SSL vulnerability question


----- "Denise Edwards" <Denise.Edwards@xxxxxxxxx> wrote:

> Hi,
> 
> 
> 
> Received security scan results which had two issues:
> 
> 1-SSL Server Supports Weak Encryption Vulnerability
> 
> 2-SSL Server Has SSLv2 Enabled Vulnerability
> 
> 
> 
> Two questions:
> 
> - Has anyone had to address these issues for their installation of
> Apache httpd

Yes.

> - If so what did you do?

Not what you did.

> 
> Background info:
> 
> - I'm using Apache httpd v2.2.10

Why not run the latest ;)

> - SSLCipherSuite property includes high, medium, low and SSLv2


And that's your problem.


SSLProtocol TLSv1 SSLv3
SSLCipherSuite RC4-SHA:AES256-SHA:ALL:!ADH:!MD5

This config should be reasonably fast (at least with 2.3 ;)
and ``PCI DSS compliant''

See Paul Querna's Overclocking mod_ssl article for more info:
http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/

 
> Regards
> 
> Denise


i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
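
An added example, not part of the thread or of Apache httpd: a small Python check for the two scanner findings discussed above, run over a constructed "before" config (no SSLProtocol line, as in the 2.2.10 setup described) and the two directives quoted in the reply. It assumes Apache 2.2 semantics (SSLProtocol defaults to `all`, which includes SSLv2) and one flat config scope; all function names are hypothetical.

```python
# Added example. Assumes Apache 2.2: "all" = SSLv2 + SSLv3 + TLSv1, and a
# missing SSLProtocol directive behaves like "SSLProtocol all".
ALL_22 = {"sslv2", "sslv3", "tlsv1"}
WEAK = {"low", "exp", "export", "export40", "export56",
        "sslv2", "null", "enull", "anull", "adh"}
ALIASES = {"all", "default", "complementofall"}

def last_directive(conf, name):
    """Arguments of the last uncommented `name` line, or None if absent.
    Contexts such as <VirtualHost> are ignored (flat scope assumed)."""
    args = None
    for line in conf.splitlines():
        words = line.split()
        if words and words[0].lower() == name.lower():
            args = words[1:]
    return args

def enabled_protocols(args):
    if args is None:
        return set(ALL_22)            # directive absent: default "all"
    enabled = set()
    for tok in args:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        group = ALL_22 if name == "all" else {name} & ALL_22
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)      # assumption: unprefixed token replaces
    return enabled

def cipher_findings(args):
    """(weak classes added, aliases left unexpanded) in an explicit SSLCipherSuite."""
    weak, aliases = [], []
    for item in (args[0].split(":") if args else []):
        if item.startswith(("!", "-")):
            continue                  # exclusions only remove ciphers
        for part in item.lstrip("+").split("+"):
            if part.lower() in WEAK:
                weak.append(part)
            elif part.lower() in ALIASES:
                aliases.append(part)
    return weak, aliases

def audit(conf):
    protos = enabled_protocols(last_directive(conf, "SSLProtocol"))
    weak, aliases = cipher_findings(last_directive(conf, "SSLCipherSuite"))
    return {"sslv2_enabled": "sslv2" in protos, "weak_tokens": weak, "aliases": aliases}

# Constructed sample matching the question: no SSLProtocol, LOW and SSLv2 listed.
BEFORE = "SSLEngine on\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\n"
# The two directives quoted in the reply.
AFTER = "SSLProtocol TLSv1 SSLv3\nSSLCipherSuite RC4-SHA:AES256-SHA:ALL:!ADH:!MD5\n"
```

The `aliases` field lists tokens such as `ALL` that this check does not expand; `openssl ciphers -v '<string>'` prints the ciphers a string actually selects.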
