similar to: New FREAK SSL Attack CVE-2015-0204

On 04.03.2015 18:19, Emmanuel Dreyfus wrote: > On Wed, Mar 04, 2015 at 06:13:31PM +0200, Adrian Minta wrote: >> Hello, >> about the CVE-2015-0204, in apache the following config seems to disable >> this vulnerability: >> SSLProtocol All -SSLv2 -SSLv3 >> SSLCipherSuite >> HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 >> >> Is

Hi Is there known advices on how to favor PFS with dovecot? In Apache, I use the following directives, with cause all modern browsers to adopt 256 bit PFS ciphers, while keeping backward compatibility with older browsers and avoiding BEAST attack: SSLProtocol all -SSLv2 SSLHonorCipherOrder On SSLCipherSuite ECDHE at STRENGTH:ECDH at STRENGTH:DH at STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10

On Wed, Mar 04, 2015 at 06:13:31PM +0200, Adrian Minta wrote: > Hello, > about the CVE-2015-0204, in apache the following config seems to disable > this vulnerability: > SSLProtocol All -SSLv2 -SSLv3 > SSLCipherSuite > HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4 > > Is something similar possible with dovecot ? I use this with some succes: # dovecot

Hi list, I'm configuring apache with https and I've a question about sslv3 deactivation. Running "openssl ciphers -v" I get a list of cypher suite of openssl like: ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ......... Each lines report relative protocol. Disabling sslv3 with "SSLProtocol all -SSLv3" I can use cypher like:

On 26 April 2017 at 13:16, Steven Tardy <sjt5atra at gmail.com> wrote: > >> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs <info at microlinux.fr> wrote: >> >> The site is rated "C" > > The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date. > >

I have the following two settings in my "10-ssl.conf" file # SSL protocols to use ssl_protocols = !SSLv2 # SSL ciphers to use ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL I have seen different configurations while Googling. I am wondering what the consensus is for the best settings for these two items. What do the developers recommend? Thanks! -- Jerry

On Wed, Mar 04, 2015 at 06:36:07PM +0200, Adrian Minta wrote: > Thank you for the answer. > The "!EXPORT" part is included in "ECDH at STRENGTH:DH at STRENGTH:HIGH", or it > must be added as well ? This is not the cipher list I sent. It was: ECDH at STRENGTH:DH at STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNUL Mine does not contain any export cipher, yours does. You can

Hi, I'm currently experimenting with a public server running CentOS 7. I have half a dozen production servers all running Slackware Linux, and I intend to progressively migrate them to CentOS, for a host of reasons (support cycle, package availability, SELinux, etc.) But before doing that, I have to figure out a few things that work differently under CentOS. Apache and SSL behave quite

Also you should probably use dovecot director to ensure same user sessions end up on same server, as it's not supported to access same user on different backends in this scenario. Aki > On 10/01/2020 19:49 Adrian Minta <adrian.minta at gmail.com> wrote: > > > > Hello, > > you need to "clone" the first server, change the ip address, mount the same

Thank you all for the replies.... I have the test environment with the same configuration. But I have been asked to go with same environment for HA/Resilience in Live. Yes, I have only one Live server. It is configured in "Maildir" format. The data stores on a Network / Shared Storage (But definitely not local disk, its a mount point). I have been asked to create a HA/Resilience for

List, good afternoon, I was reading up on a TLS Diffie Hellman protocol weakness described here https://weakdh.org/sysadmin.html which is similar to the earlier FREAK attack, and can result in downgrade of cipher suites. Part of the solution workaround that the researchers describe for Dovecot here https://weakdh.org/sysadmin.html includes altering DH parameters length to 2048, and

Hi On april 17th, I upgraded from dovecot 2.1.13 to 2.2.0. Since that time, I had two different users that reported received three incident of messages that disapeared from their mailboxes. The mailbox format is mbox on local FFS filesystem (no NFS), and I use filesystem quotas (but both users are far from filling their quotas). When the message disapeared, it was always a whole rand of dates.

Hi all, I am trying to setup an apache virtualhost under CentOS 6.7 that needs to redirects requests from port 444 to port 5100 in its local ip. But I am doing some mistakes because every time I'm receiving a loop error. My actual httpd's config for this virtualhost is: NameVirtualHost 192.168.1.5:444 <VirtualHost 192.168.1.5:444> ServerName myweb01.local.domain ErrorLog

If you just want active/standby, you can simply use corosync/pacemaker as other already suggest and don?t use Director. I have a dovecot HA server that uses floating IP and pacemaker to managed it, and it works quite well. The only real hard part is having a HA storage. You can simply use a NFS storage shared by both servers (as long as only one has the floating IP, you won?t have issue with the

Hi, I successfully managed to use SSL on a local webserver for testing purposes, following the section "Using SSL" in the Chapter "Using Apache" of the "Definitive Guide to CentOS". Now I wonder: how can I use SSL with virtual hosts? I have several virtual hosts defined. Let's say I want to use SSL with this one: <VirtualHost *:80> ServerAdmin info

Hi, I''m currently trying to debug a performance issue I''m having. Therefore I would need "DEBUG" output. When using one puppetmaster process, this is fairly easy by starting it like this: > puppet master --no-daemonize --debug Now I need to see this debug output when running puppetmaster the way I ususally do - using Apache/Rack/Passenger. After looking

Hi all, I have experience using puppet, however I am new to setting puppet up as it was already done for me in past environments. I am running into an issue while trying to set puppet up for the first time on RHEL 6.4. I was hoping y''all might be able to help me! I get the following error from the puppet client''s /var/log/messages log: May 30 07:06:30 pclient

Hello, I've got a client who wants to go ssl. He's running a web server, smtp/pop, and ftps and imaps is coming as well. I'm looking for a wildcard ssl certificate i believe it's called but one on the budget plan. I am also wanting to ensure that the mod_ssl with httpd on the server is only using the strongest encryption methods and protocols. Thanks. Dave.

I downloaded the puppet-dashboard.git from http://github.com/puppetlabs/puppet-dashboard and did the installation in my ubuntu lucid puppet server following the steps in "Installation". Now I can run it fine using the WEBrick like this root@sys-ubuntu { ~/git/puppet-dashboard }$ ./script/server -e production => Booting WEBrick => Rails 2.3.5 application starting on

Hi! I''ve installed puppetmaster 2.7.13 on a server with CentOS 6.2 with a rpm supplied by yum.puppetlabs.com. I''ve setup a apache2 vhost with mod_ssl and passenger. The server is configured to autosign the cert requests. The agent installed on the puppetmaster''s server works fine. I''ve a second agent on a server which can sync with the server too. This