On Saturday 09 January 2016 13:43:34 Joi L. Ellis wrote:
> I was just skimming through this week's list messages, and I'm seeing
> queries regarding things recently broken, and all of them seem to
> include ssh, ssl, or other encryptions.
>
> In mid-December, the Debian/Ubuntu distros pushed out a new openssl
> library package that seems to have simply deleted the deprecated sha1
> ciphers. I've just discovered that this breaks MYSQL master/slave
> encrypted replications, Apache LDAPs authentication to Active
> Directory, and others. Most of these systems simply failed silently
> and it wasn't obvious why.
>
> So, the fellow using encrypted tar to backup his FreeNas might want to
> investigate openssl library versions and the packages that use them;
> the guy having issues with amrestore over ssh may want to look into
> the ciphers as well.
>
> It seems mysql hard-codes the sha1 cipher by default, but you can
> override it in the my.cnf files. Our ldap connection wasn't so
> flexible, and the CentOS5, while still officially supported, didn't
> seem amenable to selecting a specific cipher, so I ended up moving
> LDAP back to clear (ACK PFFT) until I have time to replace that
> server.
>
> I spent two days working on ldap and mysql replication issues
> discovered just this week, and it took a while to figure out the
> source of the issues here, so you might want to investigate the ssl
> layers in your applications. I didn't dig into the issues deep enough
> to be able to say exactly what happened, I just needed to get my
> systems fixed!
>

Debian had more updates to those libraries today, and you may as well wash iceweasel down the drain, there's very little it can do now that it did well a week ago. I presume when the sites see the click counts drop like a rock, most will get fixed and of course, will go dark from loss of income.

>
> Joi Owen
> System Administrator
> Pavlov Media, Inc.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
