Couple followup questions / observances:

1) If I change the SSL_version from SSLv2/3 to just SSLv3, in the config file, it shows:

SSL_version:=10646b4a618018dc000507019b

What's that number? Is that expected?

2) If I change the SSL version to anything including TLS, like TLSv1_2, ASSP crashes as soon as I hit apply. Using OpenSSL v1.0.1L (latest). SSL_cipher_list in the config file fortunately isn't updated, so I can just restart it. (This is running on a Windows box, FYI.)

3) If I specify anything in the SSL_Cipher_List field, including the suggested "ALL:!LOW:!EXP:!ADH", I lose web connectivity, though ASSP seems to keep running. I also get an alphanumeric string in the config file.

Not sure what I'm missing.

Thank you

On Tue, Feb 10, 2015 at 2:38 PM, K Post <nntp.p...@gmail.com> wrote:

> Let me start by saying I'm not a security expert by any means....
>
> I see that the SSL_Version default is SSLv2/3.
>
> I'm a little worried about the vulnerabilities in SSL v2 and 3. (POODLE
> and BEAST for example)
> TLS 1.0 isn't much more secure.
>
> See: https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html
>
> I'm thinking of using:
> TLSv1_2:TLSv1_1:!TLSv1:!SSLv2:!SSLv3
> (use only TLS 1.1 or 1.2, and none of the others)
>
>
> Also, so we don't have to rely on the openssl config, how about this for
> the ciphers:
>
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!RC4:!ECDHE-RSA-DES-CBC3-SHA:!aNULL:!eNULL:!LOW:3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
>
>
> THOUGHTS??
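An added example, not part of the thread and not ASSP or OpenSSL code: in OpenSSL's cipher-list syntax a `!` entry removes ciphers permanently, so an additive entry that requires an excluded keyword can never match. The hypothetical helper `dead_selectors` below checks the cipher string proposed in the quoted message for such entries; it compares keywords literally and does not expand OpenSSL aliases.

```python
import re

# Cipher string copied from the quoted message in this thread.
PROPOSED = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
    "EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!RC4:"
    "!ECDHE-RSA-DES-CBC3-SHA:!aNULL:!eNULL:!LOW:3DES:!MD5:!EXP:"
    "!PSK:!SRP:!DSS"
)


def parse(cipher_string):
    """Split an OpenSSL cipher string into (operator, components) pairs.

    Entries are separated by ':', ',' or spaces. A leading '!', '-' or '+'
    is the operator; 'A+B' inside an entry means "ciphers matching A and B".
    """
    items = []
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token.startswith("@"):  # skip @STRENGTH-style commands
            continue
        op = token[0] if token[0] in "!-+" else ""
        items.append((op, token[len(op):].split("+")))
    return items


def dead_selectors(cipher_string):
    """Return (selector, excluding_entry) for additive entries that cannot match.

    A '!' exclusion applies to the whole string regardless of position, so an
    additive selector with a component that is excluded on its own is a no-op.
    Only literal keyword matches are checked (assumption of this example).
    """
    items = parse(cipher_string)
    # Only single-keyword exclusions are safe to reason about literally.
    banned = {parts[0] for op, parts in items if op == "!" and len(parts) == 1}
    findings = []
    for op, parts in items:
        if op == "":
            hit = [p for p in parts if p in banned]
            if hit:
                findings.append(("+".join(parts), "!" + hit[0]))
    return findings


if __name__ == "__main__":
    for selector, killer in dead_selectors(PROPOSED):
        print(f"{selector} never matches: removed by {killer}")
```
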