search for: sslprotocol

Displaying 20 results from an estimated 33 matches for "sslprotocol".

2015 Jan 26
3
Apache and SSLv3
...ps and I've a question about sslv3 deactivation. Running "openssl ciphers -v" I get a list of cypher suite of openssl like: ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ......... Each line reports the relative protocol. Disabling sslv3 with "SSLProtocol all -SSLv3" I can use cypher like: ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1 that has protocol SSLv3? Disabling SSLv3 protocol, apache will use only TLSv1.2 cypher protocol? Thanks in advance. Alessandro.
2015 Mar 04
2
New FREAK SSL Attack CVE-2015-0204
Hello, about the CVE-2015-0204, in apache the following config seems to disable this vulnerability: SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 Is something similar possible with dovecot ? If yes, what are the implications with old mail clients ? -- Best regards, Adrian Minta
2017 Apr 26
3
Apache + SSL: default configuration rated "C" by Qualys Labs
...ting apache tls config up-to-date. > > https://wiki.mozilla.org/Security/Server_Side_TLS I'm not 100% on any differences in ciphers available, but I don't think there should be much difference between EL7 and Fedora. This config gets me an A+ rating on the sslabs test: SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4" <IfModule mod_headers.c> Header always set Strict-Transport-Security "max...
2013 Sep 10
2
dovecot and PFS
Hi, Is there any known advice on how to favor PFS with dovecot? In Apache, I use the following directives, which cause all modern browsers to adopt 256 bit PFS ciphers, while keeping backward compatibility with older browsers and avoiding BEAST attack: SSLProtocol all -SSLv2 SSLHonorCipherOrder On SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10 -SHA1:RC4:!MD5:!DES:!aNULL:!eNULL dovecot does not care about BEAST, since attacker cannot inject traffic. Therefore the cipher list gets simpler in dovecot.conf: ssl_cipher_...
2014 Oct 15
0
SSLv3 vulnerability and Nautilus
CentOS-6.5 Apache httpd-2.2.15 We have a webdav folder accessible only by https. In conformance with the advisory we removed SSLv3 from the SSLProtocol directive of the Apache server on that webdav host, so that it now looks like this: SSLProtocol +TLSv1 Now I cannot connect to the webdav service from my gnome desktop. When I open the webdav folder I get a window with the following error message instead of the folder: Could not display "d...
2014 Oct 17
1
POODLE and TLSv1
I read this on the RHN commentary respecting cve-2014-3566: https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/: . . . The first aspect of POODLE, the SSL 3.0 protocol vulnerability, has already been fixed through iterative protocol improvements, leading to the current TLS version, 1.2. It is simply not possible to address this in the context of the SSL 3.0
2017 Apr 26
4
Apache + SSL: default configuration rated "C" by Qualys Labs
Hi, I'm currently experimenting with a public server running CentOS 7. I have half a dozen production servers all running Slackware Linux, and I intend to progressively migrate them to CentOS, for a host of reasons (support cycle, package availability, SELinux, etc.) But before doing that, I have to figure out a few things that work differently under CentOS. Apache and SSL behave quite
2016 Feb 29
4
Problems with ProxyPass to a local ip (using SSL)
...68.1.5:444 <VirtualHost 192.168.1.5:444> ServerName myweb01.local.domain ErrorLog logs/ssl_error.log CustomLog logs/ssl_access.log combined CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" LogLevel info SSLEngine on SSLProxyEngine On SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:!EXPORT56:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2 SSLCertificateFile /etc/httpd/certs/server.crt SSLCertificateKeyFile /etc/httpd/certs/server.key ProxyRequests Off ProxyPreserveHost On ProxyPass / http://192.168.1.5:5100/ ProxyPassReve...
2009 Sep 20
2
SSL and virtual hosts?
Hi, I successfully managed to use SSL on a local webserver for testing purposes, following the section "Using SSL" in the Chapter "Using Apache" of the "Definitive Guide to CentOS". Now I wonder: how can I use SSL with virtual hosts? I have several virtual hosts defined. Let's say I want to use SSL with this one: <VirtualHost *:80> ServerAdmin info
2013 Jul 23
3
Debugging Puppetmaster with Apache/Rack/Passenger
...120 PassengerHighPerformance On PassengerMaxPoolSize 12 PassengerMaxRequests 1000 PassengerPoolIdleTime 600 Listen 8140 <VirtualHost *:8140> SSLEngine On # Only allow high security cryptography. Alter if needed for compatibility. SSLProtocol All -SSLv2 SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP SSLCertificateFile /var/lib/puppet/ssl/certs/<puppetmaster>.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/ <puppetmaster>.pem SSLCertificateChainFile /v...
2013 May 30
4
Could not request certificate: Error 405 on SERVER
...icate [Thu May 30 07:06:31 2013] [error] [client 192.168.223.131] File does not exist: /usr/share/puppet/rack/puppetmasterd/public/production/certificate_request/pclient Here is some relevant apache config info: # Only allow high security cryptography. Alter if needed for compatibility. SSLProtocol All -SSLv2 SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP SSLCertificateFile /var/lib/puppet/ssl/certs/pmaster.localdomain.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/pmaster.localdomain.pem SSLCertificateChainFile /var/lib/puppet/ssl...
2012 Apr 22
2
centos 6.2 - puppet 2.7.13 - SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert protocol version
.../classes.txt localconfig = $vardir/localconfig pluginsync = true [master] autosign = true ssl_client_header = SSL_CLIENT_S_DN ssl_client_verify_header = SSL_CLIENT_VERIFY My apache vhost is configured like this: <VirtualHost 192.168.1.60:8140> SSLEngine on SSLProtocol -all +SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP SSLCertificateFile /var/lib/puppet/ssl/certs/medion.chatillon.betrancourt.net.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/medion.chatillon.betrancourt.net.pem SSLCertificateCha...
2010 Aug 20
5
puppet dashboard gui looks odd from apache2
...perfect) # you probably want to tune these settings PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdleTime 1500 # PassengerMaxRequests 1000 PassengerStatThrottleRate 120 RackAutoDetect Off RailsAutoDetect Off Listen 8140 <VirtualHost *:8140> SSLEngine on SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP SSLCertificateFile /var/lib/puppet/ssl/certs/sys-ubuntu.arl.qwestip.net.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/sys-ubuntu.arl.qwestip.net.pem SSLCertificateChainFil...
2014 Dec 18
0
CentOS 6 - httpd 2.2.29
....org> URL : http://httpd.apache.org/ Summary : Apache HTTP Server Description : The Apache HTTP Server is a powerful, efficient, and extensible web server. ---> This server supports both TLS-1.2 and PFS. The httpd configuration file for the server host above includes this line: SSLProtocol -all +TLSv1.1 +TLSv1.2 +TLSv1 And this produces no errors. I am writing this message over an https link to the aforementioned server running Squirrelmail. The Calomel Firefox plugin reports TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the cipher suite in use and that PFS is enabled on this link....
2015 Jan 26
0
Apache and SSLv3
...I'm configuring apache with https and I've a question about sslv3 > deactivation. > > Running "openssl ciphers -v" I get a list of cypher suite of openssl like: > > ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) > Mac=AEAD > ......... > SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off Then use cipher suite to your liking. Modern, Intermediate, Old, from... https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Test via... https://www.ssllabs.com/ssltest/
2016 Feb 29
0
Problems with ProxyPass to a local ip (using SSL)
...44> > ServerName myweb01.local.domain > ErrorLog logs/ssl_error.log > CustomLog logs/ssl_access.log combined > CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" > LogLevel info > SSLEngine on > SSLProxyEngine On > SSLProtocol -ALL +SSLv3 +TLSv1 > SSLCipherSuite ALL:!ADH:!EXPORT56:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2 > SSLCertificateFile /etc/httpd/certs/server.crt > SSLCertificateKeyFile /etc/httpd/certs/server.key > ProxyRequests Off > ProxyPreserveHost On > ProxyPass / http://19...
2017 Apr 26
0
Apache + SSL: default configuration rated "C" by Qualys Labs
...> https://wiki.mozilla.org/Security/Server_Side_TLS > > I'm not 100% on any differences in ciphers available, but I don't > think there should be much difference between EL7 and Fedora. > > This config gets me an A+ rating on the sslabs test: > > SSLEngine on > SSLProtocol all -SSLv2 -SSLv3 > SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 > EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES > !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4" > > <IfModule mod_headers.c> > Header always set Stric...
2015 Mar 04
0
New FREAK SSL Attack CVE-2015-0204
On Wed, Mar 04, 2015 at 06:13:31PM +0200, Adrian Minta wrote: > Hello, > about the CVE-2015-0204, in apache the following config seems to disable > this vulnerability: > SSLProtocol All -SSLv2 -SSLv3 > SSLCipherSuite > HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 > > Is something similar possible with dovecot ? I use this with some success: # dovecot has built-in protection against BEAST, therefore no need # to remove -SSLv2-SHA1:-TLSv10-SHA1...
2009 Aug 26
1
ssl certificate, maximum protection, on the budget?
Hello, I've got a client who wants to go ssl. He's running a web server, smtp/pop, and ftps and imaps is coming as well. I'm looking for a wildcard ssl certificate, I believe it's called, but one on the budget plan. I am also wanting to ensure that the mod_ssl with httpd on the server is only using the strongest encryption methods and protocols. Thanks. Dave.
2007 Mar 21
0
CentOS 5 (beta): tomcat/keystore issue
...ing keystoreType="JKS" and algorithm="SunX509" so that in /etc/tomcat5/server.xml the Connector tag will assume those values, e.g., <Connector port="8443" maxHttpHeaderSize="8192" [....] scheme="https" secure="true" sslProtocol="TLS" keystoreType="JKS" algorithm="SunX509" /> With those settings -- either implicitly (since they're the default) or explicitly -- Tomcat fails to start an SSL listener. The catalina.out log reports: SEVERE: Exception trying to load keyst...