Re: [AOLSERVER] Updating Aolserver to use TLSv1.2
An AOLserver configuration file from an old server I used to run has this section defined:

    ns_param Protocol "SSLv2, SSLv3, TLSv1"
    ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

From the OpenSSL documentation:

    Only enable TLSv1.2:
    SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");

So I’d assume the following would restrict AOLserver to ONLY use TLS 1.2:

    ns_param Protocol "-ALL,TLSv1.2"
    ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

/s.

On Jun 23, 2015, at 10:36 AM, Paula Giangeruso pgianger...@wineaccess.com wrote:

> Does anyone have TLS v1.2 working on AOLserver? If so, how did you go about doing this?
>
> Thank You,
> Paula

aolserver-talk mailing list
aolserver-talk@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/aolserver-talk
Re: [AOLSERVER] Updating Aolserver to use TLSv1.2
By the way, ignore my CipherSuite line in there — you obviously don’t want SSLv2, +LOW, +MEDIUM and other components - you’ll likely just want the TLS v1.2 ciphers, which are listed here:

https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites

Not sure what the CipherSuite string should look like to support that, but if I have time this week I’ll see if I can figure it out.

Be aware that restricting to just TLS 1.2 may cause some older browsers to not work with your site, but I haven’t done hands-on work in this area in years, so I’m not up-to-date on proper configurations.

/s.

On Jun 23, 2015, at 12:00 PM, Scott Goodwin sc...@scottg.net wrote:

> An AOLserver configuration file from an old server I used to run has this section defined:
>
>     ns_param Protocol "SSLv2, SSLv3, TLSv1"
>     ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
> From the OpenSSL documentation:
>
>     Only enable TLSv1.2:
>     SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
>
> So I’d assume the following would restrict AOLserver to ONLY use TLS 1.2:
>
>     ns_param Protocol "-ALL,TLSv1.2"
>     ns_param CipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
> /s.
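The CipherSuite point in the message above, as an added example that is not part of the thread or of AOLserver: in OpenSSL cipher-list syntax a `+X` token only moves suites already in the list to the end, so the weak suites in the old string come from `ALL`, and deleting the `+LOW:+SSLv2:+EXP` tokens leaves them enabled. The function names and the coarse token model (only the classes named in the thread) are assumptions of this sketch; `openssl ciphers -v` on the server's own build remains the authoritative expansion.

```python
import re

# Weak cipher classes named in the thread; a coarse model, not OpenSSL's keyword table.
WEAK = {"LOW", "MEDIUM", "EXP", "RC4", "ADH", "SSLv2"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def weak_classes_enabled(cipher_string):
    """Return the weak classes still enabled after applying each token in order."""
    enabled, killed = set(), set()
    for token in filter(None, re.split(r"[:, ]+", cipher_string.strip())):
        op = token[0] if token[0] in "!-+" else ""
        parts = token[len(op):].split("+")      # 'RC4+RSA' means RC4 AND RSA
        hit = set(WEAK) if parts == ["ALL"] else WEAK & set(parts)
        if op == "+":
            continue                             # '+X' only reorders; it adds nothing
        if op in ("!", "-"):
            if len(parts) == 1:                  # a compound removes only a subset
                enabled -= hit
                if op == "!":
                    killed |= hit                # '!' is permanent, '-' is not
        else:
            enabled |= hit - killed
    return sorted(enabled)


def audit_ns_params(config_text):
    """Scan ns_param lines for legacy protocols and weak cipher classes."""
    findings = []
    pattern = r'^[ \t]*ns_param[ \t]+(\w+)[ \t]+"?([^"\n]*)"?[ \t]*$'
    for name, value in re.findall(pattern, config_text, re.M):
        if name == "Protocol":
            protos = set(filter(None, re.split(r"[,\s]+", value)))
            findings += [f"Protocol enables {p}" for p in sorted(protos & LEGACY_PROTOCOLS)]
        elif name == "CipherSuite":
            findings += [f"CipherSuite enables {c}" for c in weak_classes_enabled(value)]
    return findings


# Constructed sample: the old settings quoted in the thread.
OLD = '''
ns_param Protocol    "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
'''

if __name__ == "__main__":
    print("\n".join(audit_ns_params(OLD)))
```

Under this model a class disappears only when the token that enabled it is dropped or an explicit `!` exclusion such as `!LOW:!EXP` is added.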
Re: [AOLSERVER] Updating Aolserver to use TLSv1.2
> I’m not up-to-date on proper configurations.

Just as a reference: with the ciphers and Protocol from NaviServer's nsssl [1] one can get an A+ rating from SSL Labs [2]. One should also get decent ratings with these configuration values from AOLserver.

-g

[1] https://bitbucket.org/naviserver/nsssl/
[2] https://www.ssllabs.com/ssltest/analyze.html?d=next-scripting.org

On 23.06.15 at 18:11, Scott Goodwin wrote:

> By the way, ignore my CipherSuite line in there — you obviously don’t want SSLv2, +LOW, +MEDIUM and other components - you’ll likely just want the TLS v1.2 ciphers, which are listed here:
>
> https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites
>
> Not sure what the CipherSuite string should look like to support that, but if I have time this week I’ll see if I can figure it out.
>
> Be aware that restricting to just TLS 1.2 may cause some older browsers to not work with your site, but I haven’t done hands-on work in this area in years, so I’m not up-to-date on proper configurations.
>
> /s.