Displaying 14 results from an estimated 14 matches for "server_side_tl".
Did you mean:
server_side_tls
2017 Apr 26
3
Apache + SSL: default configuration rated "C" by Qualys Labs
...Kovacs <info at microlinux.fr> wrote:
>>
>> The site is rated "C"
>
> The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date.
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
I'm not 100% on any differences in ciphers available, but I don't
think there should be much difference between EL7 and Fedora.
This config gets my an A+ rating on the sslabs test:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+...
2015 Apr 20
1
upcoming libshout beta/snapshot
...15 05:47 AM, Ralph Giles wrote:
> On 19/04/15 08:15 PM, "Thomas B. R?cker" wrote:
>
>> If anyone happens to know about proven secure settings, just like the
>> Mozilla labs settings for server side, please let us know.
> You mean like https://wiki.mozilla.org/Security/Server_Side_TLS ?
Yes, that's what we used for the Icecast server default cipher list, now
if Mozilla has that for the *client* side, that would be interesting. I
looked around but didn't see it.
There seem to be subtle differences of what makes sense and what needs
to be configured, when compared to a s...
2015 Jan 26
3
Apache and SSLv3
Hi list,
I'm configuring apache with https and I've a question about sslv3
deactivation.
Running "openssl ciphers -v" I get a list of cypher suite of openssl like:
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128)
Mac=AEAD
.........
Each lines report relative protocol.
Disabling sslv3 with "SSLProtocol all -SSLv3" I can use cypher like:
2017 Jan 17
3
Correct settings for ssl protocols" and "ssl ciphers"
I have the following two settings in my "10-ssl.conf" file
# SSL protocols to use
ssl_protocols = !SSLv2
# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
I have seen different configurations while Googling. I am wondering
what the consensus is for the best settings for these two items. What
do the developers recommend?
Thanks!
--
Jerry
2016 Mar 10
2
Client-initiated secure renegotiation
...2
>>
>> Is that enough?
>
> I'm afraid not. I've got SSLv2 and SSLv3 disabled and with `openssl
> s_client -connect $host:993` I still can successfully renegotiate by
> passing a single 'R'.
Are you use good ssl_cipher_list
(https://wiki.mozilla.org/Security/Server_Side_TLS)?
My config
## Service options
# 10-ssl
ssl = yes
ssl_cert = </etc/pki/tls/certs/.crt
ssl_key = </etc/pki/tls/private/.key
ssl_require_crl = no
ssl_ca = </etc/pki/tls/cert.pem
ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC...
2015 Apr 19
4
upcoming libshout beta/snapshot
Hi,
as some of you might know Philipp has been working hard on adding TLS
support to libshout, and a few other things.
Originally we were planning to publish a beta or snapshot today, but we
didn't manage to agree on a openssl client side cipher list yet.
If anyone happens to know about proven secure settings, just like the
Mozilla labs settings for server side, please let us know. We want
2017 Apr 26
4
Apache + SSL: default configuration rated "C" by Qualys Labs
Hi,
I'm currently experimenting with a public server running CentOS 7. I
have half a dozen production servers all running Slackware Linux, and I
intend to progressively migrate them to CentOS, for a host of reasons
(support cycle, package availability, SELinux, etc.) But before doing
that, I have to figure out a few things that work differently under
CentOS. Apache and SSL behave quite
2015 Jan 26
0
Apache and SSLv3
...28-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128)
> Mac=AEAD
> .........
>
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCompression off
Then use cipher suite to your liking.
Modern, Intermediate, Old, from...
https://wiki.mozilla.org/Security/Server_Side_TLS#Apache
Test via...
https://www.ssllabs.com/ssltest/
2017 Apr 26
0
Apache + SSL: default configuration rated "C" by Qualys Labs
...017, at 2:58 AM, Nicolas Kovacs <info at microlinux.fr> wrote:
>
> The site is rated "C"
The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date.
https://wiki.mozilla.org/Security/Server_Side_TLS
2017 Apr 26
0
Apache + SSL: default configuration rated "C" by Qualys Labs
...linux.fr> wrote:
>>>
>>> The site is rated "C"
>>
>> The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date.
>>
>> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> I'm not 100% on any differences in ciphers available, but I don't
> think there should be much difference between EL7 and Fedora.
>
> This config gets my an A+ rating on the sslabs test:
>
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite &qu...
2014 Nov 02
2
Proposed openSSL usage improvements
Hi everyone,
Prompted by the fact that addressing some of the recent SSL problems
actually would benefit from also changing things on how openSSL is used
(not just updating the library), I started looking into some improvements.
The tracking ticket is:
https://trac.xiph.org/ticket/2070
To sum it up:
- hard disable SSLv3
- hard disable compression
- new default cipher list
- enable forward
2014 Nov 09
0
Proposed openSSL usage improvements
...into some improvements.
>
> The tracking ticket is:
> https://trac.xiph.org/ticket/2070
>
> To sum it up:
> - hard disable SSLv3
> - hard disable compression
Landed ready to be released in 2.4.1.
> - new default cipher list
Went with
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
in the end.
Previously planned using this:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/#fnref2
Testing against Qualys gives me identical results for both.
We might upgrade to the "Modern" Mozilla string in the future, but as...
2018 Jan 09
2
openssl question
> but i try to this command
>
> openssl s_client -connect mail.mydomain:pop3s -starttls imap
>
> it says CONNECTED and hang. second command is correct?
Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as
IMAP/SSL (or whatever the hell the terminology is nowadays).
If you're testing IMAP, try one or the other or both depending
of how many flavours
2016 Mar 09
2
Client-initiated secure renegotiation
On 09/03/16 10:44, Florent B wrote:
> Hi,
>
> I don't see any SSL configuration option in Dovecot to disable
> "Client-initiated secure renegotiation".
>
> It is advised to disable it as it can cause DDoS (CVE-2011-1473).
>
> Is it possible to have this possibility through an SSL option or other ?
>
> Thank you.
>
> Florent
ssl_protocols = !SSLv3