Hello,

the thread http://open.nlnetlabs.nl/pipermail/nsd-users/2014-April/001906.html discussed Heartbleed. I think it's worth disabling not only SSLv2 but SSLv3 too.

-> attached a simple patch for nsd-4.1.0...

Unbound has a similar design. SSLv3 should also be disabled there with a patch as trivial as this one. @Wouter: could you keep this in mind for the next releases?

Maybe it's worth extending the control interface of NSD _and_ UNBOUND to
- enforce only the highest available protocol version
- enforce only one secure cipher suite
- be configurable for weaker settings

Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: no_sslv3.patch
Type: text/x-diff
Size: 1321 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20150105/ba31a9bb/attachment.bin>

W.C.A. Wijngaards
2015-Jan-05 11:43 UTC
[nsd-users] Patch: disable SSLv3 for control connections
Hi Andreas,

On 05/01/15 11:07, A. Schulze wrote:
> Hello,
>
> the thread
> http://open.nlnetlabs.nl/pipermail/nsd-users/2014-April/001906.html
> discussed Heartbleed. I think it's worth disabling not only SSLv2 but
> SSLv3 too.
>
> -> attached a simple patch for nsd-4.1.0...

Thank you. Similar code was already in nsd's code repository.

> Unbound has a similar design. SSLv3 should also be disabled there
> with a patch as trivial as this one. @Wouter: could you keep this
> in mind for the next releases?
>
> Maybe it's worth extending the control interface of NSD _and_
> UNBOUND to
> - enforce only the highest available protocol version
> - enforce only one secure cipher suite
> - be configurable for weaker settings

Not sure why configuration would be helpful, but I see value in constraining the settings to stronger security.

Best regards,
Wouter
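
The three control-channel constraints proposed in this thread, sketched with Python's `ssl` module (a wrapper around OpenSSL) as an added example; it is not NSD or Unbound code and not the scrubbed patch. The policy names, the chosen suite and the function names are assumptions made for illustration.

```python
import ssl

# Assumed single suite for TLS 1.2 and below (illustrative choice, not from the thread).
ONE_SUITE = "ECDHE-RSA-AES256-GCM-SHA384"

def control_context(policy="strict"):
    """Build a server-side context for a local control channel.

    policy is a hypothetical knob: "strict" pins the floor to the highest
    protocol version the linked OpenSSL offers, "compat" is the weaker,
    explicitly requested setting with a TLS 1.2 floor.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if policy == "strict":
        # Proposal 1: only the highest available protocol version.
        ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    elif policy == "compat":
        # Proposal 3: weaker setting, still far above SSLv3.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        raise ValueError("unknown policy: %r" % policy)
    # Proposal 2: a single suite. set_ciphers() only governs TLS 1.2 and
    # below; OpenSSL keeps TLS 1.3 suites in a separate list.
    ctx.set_ciphers(ONE_SUITE)
    return ctx

def audit(ctx):
    """Report the settings a reviewer would check on a control context."""
    pre13 = [c["name"] for c in ctx.get_ciphers()
             if c["protocol"] != "TLSv1.3"]
    return {
        # Same flag the C API exposes as SSL_OP_NO_SSLv3.
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "floor": ctx.minimum_version.name,
        "pre_tls13_suites": pre13,
    }

if __name__ == "__main__":
    for name in ("strict", "compat"):
        print(name, audit(control_context(name)))
```
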