search for: server_side_tl

...Kovacs <info at microlinux.fr> wrote: >> >> The site is rated "C" > > The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date. > > https://wiki.mozilla.org/Security/Server_Side_TLS I'm not 100% on any differences in ciphers available, but I don't think there should be much difference between EL7 and Fedora. This config gets my an A+ rating on the sslabs test: SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+...

...15 05:47 AM, Ralph Giles wrote: > On 19/04/15 08:15 PM, "Thomas B. R?cker" wrote: > >> If anyone happens to know about proven secure settings, just like the >> Mozilla labs settings for server side, please let us know. > You mean like https://wiki.mozilla.org/Security/Server_Side_TLS ? Yes, that's what we used for the Icecast server default cipher list, now if Mozilla has that for the *client* side, that would be interesting. I looked around but didn't see it. There seem to be subtle differences of what makes sense and what needs to be configured, when compared to a s...

Hi list, I'm configuring apache with https and I've a question about sslv3 deactivation. Running "openssl ciphers -v" I get a list of cypher suite of openssl like: ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ......... Each lines report relative protocol. Disabling sslv3 with "SSLProtocol all -SSLv3" I can use cypher like:

I have the following two settings in my "10-ssl.conf" file # SSL protocols to use ssl_protocols = !SSLv2 # SSL ciphers to use ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL I have seen different configurations while Googling. I am wondering what the consensus is for the best settings for these two items. What do the developers recommend? Thanks! -- Jerry

...2 >> >> Is that enough? > > I'm afraid not. I've got SSLv2 and SSLv3 disabled and with `openssl > s_client -connect $host:993` I still can successfully renegotiate by > passing a single 'R'. Are you use good ssl_cipher_list (https://wiki.mozilla.org/Security/Server_Side_TLS)? My config ## Service options # 10-ssl ssl = yes ssl_cert = </etc/pki/tls/certs/.crt ssl_key = </etc/pki/tls/private/.key ssl_require_crl = no ssl_ca = </etc/pki/tls/cert.pem ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC...

Hi, as some of you might know Philipp has been working hard on adding TLS support to libshout, and a few other things. Originally we were planning to publish a beta or snapshot today, but we didn't manage to agree on a openssl client side cipher list yet. If anyone happens to know about proven secure settings, just like the Mozilla labs settings for server side, please let us know. We want

Hi, I'm currently experimenting with a public server running CentOS 7. I have half a dozen production servers all running Slackware Linux, and I intend to progressively migrate them to CentOS, for a host of reasons (support cycle, package availability, SELinux, etc.) But before doing that, I have to figure out a few things that work differently under CentOS. Apache and SSL behave quite

...28-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) > Mac=AEAD > ......... > SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off Then use cipher suite to your liking. Modern, Intermediate, Old, from... https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Test via... https://www.ssllabs.com/ssltest/

...017, at 2:58 AM, Nicolas Kovacs <info at microlinux.fr> wrote: > > The site is rated "C" The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date. https://wiki.mozilla.org/Security/Server_Side_TLS

...linux.fr> wrote: >>> >>> The site is rated "C" >> >> The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date. >> >> https://wiki.mozilla.org/Security/Server_Side_TLS > > I'm not 100% on any differences in ciphers available, but I don't > think there should be much difference between EL7 and Fedora. > > This config gets my an A+ rating on the sslabs test: > > SSLEngine on > SSLProtocol all -SSLv2 -SSLv3 > SSLCipherSuite &qu...

Hi everyone, Prompted by the fact that addressing some of the recent SSL problems actually would benefit from also changing things on how openSSL is used (not just updating the library), I started looking into some improvements. The tracking ticket is: https://trac.xiph.org/ticket/2070 To sum it up: - hard disable SSLv3 - hard disable compression - new default cipher list - enable forward

...into some improvements. > > The tracking ticket is: > https://trac.xiph.org/ticket/2070 > > To sum it up: > - hard disable SSLv3 > - hard disable compression Landed ready to be released in 2.4.1. > - new default cipher list Went with https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 in the end. Previously planned using this: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/#fnref2 Testing against Qualys gives me identical results for both. We might upgrade to the "Modern" Mozilla string in the future, but as...

> but i try to this command > > openssl s_client -connect mail.mydomain:pop3s -starttls imap > > it says CONNECTED and hang. second command is correct? Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as IMAP/SSL (or whatever the hell the terminology is nowadays). If you're testing IMAP, try one or the other or both depending of how many flavours

On 09/03/16 10:44, Florent B wrote: > Hi, > > I don't see any SSL configuration option in Dovecot to disable > "Client-initiated secure renegotiation". > > It is advised to disable it as it can cause DDoS (CVE-2011-1473). > > Is it possible to have this possibility through an SSL option or other ? > > Thank you. > > Florent ssl_protocols = !SSLv3