Thanks Courtney Not sure why ASSP would bother encrypting settings in the config other than passwords, but I suppose anything's possible.. Maybe it's some kind of hash.
I'm running 150025 and still have these issues. anyone else? On Tue, Feb 10, 2015 at 6:57 PM, Mr. Courtney Creighton <a...@dezignguy.com> wrote: > 1) It looks like an encrypted value. > > 2) This was discussed on the list on about Dec 22. It should be fixed in > build 15004. > > 3) I thought there was also a discussion on the best cipher list to use, > but I cannot find it now. I haven't tried much else for this yet, since > I am still using a fairly old version of openssl. > > -C > > K Post wrote on 2/10/2015 3:18 PM: > > Couple followup questions / observances: > > > > 1) If I change the SSL_version from SSLv2/3 to just SSLv3, in the config > > file, it shows: > > SSL_version:=10646b4a618018dc000507019b > > > > What's that number? Is that expected? > > > > 2) If I change the SSL version to anything including TLS, like TLSv1_2, > > assp crashes as soon as I hit apply. Using OpenSSL v1.0.1L (latest). > > SSL_cipher_list in the config file fortunately isn't updated, so I can > just > > restart it. (this is running on a windows box fyi) > > > > 3) if I specify anything in the SSL_Cipher_List field, including the > > suggested "ALL:!LOW:!EXP:!ADH" I lose web connectivity, though ASSP seems > > to keep running. I also get an alphanumeric string in the config file. > > > > Not sure what I'm missing. > > > > Thank you > > > > > > > > On Tue, Feb 10, 2015 at 2:38 PM, K Post <nntp.p...@gmail.com> wrote: > > > >> Let me start by saying I'm not a security expert by any means.... > >> > >> I see that the SSL_Version default is SSLv2/3. > >> > >> I'm a little worried about the vulnerabilities in SSL v2 and 3. (POODLE > >> and BEAST for example) > >> TLS 1.0 isn't much more secure. > >> > >> See: https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html > >> > >> I'm thinking of using: > >> TLSv1_2:TLSv1_1:!TLSv1:!SSLv2:!SSLv3 > >> (use only TLS 1.1 or 1.2, and none of the others) > >> > >> > >> Also, so we don't have to rely on the openssl config, how about this for > >> the ciphers: > >> > >> > EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!RC4:!ECDHE-RSA-DES-CBC3-SHA:!aNULL:!eNULL:!LOW:3DES:!MD5:!EXP:!PSK:!SRP:!DSS > >> > >> > >> > >> THOUGHTS?? > >> > >> > >> > > > ------------------------------------------------------------------------------ > > Dive into the World of Parallel Programming. The Go Parallel Website, > > sponsored by Intel and developed in partnership with Slashdot Media, is > your > > hub for all things parallel software development, from weekly thought > > leadership blogs to news, videos, case studies, tutorials and more. Take > a > > look and join the conversation now. http://goparallel.sourceforge.net/ > > _______________________________________________ > > Assp-test mailing list > > Assp-test@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/assp-test > > > > > > ------------------------------------------------------------------------------ > Dive into the World of Parallel Programming. The Go Parallel Website, > sponsored by Intel and developed in partnership with Slashdot Media, is > your > hub for all things parallel software development, from weekly thought > leadership blogs to news, videos, case studies, tutorials and more. Take a > look and join the conversation now. http://goparallel.sourceforge.net/ > _______________________________________________ > Assp-test mailing list > Assp-test@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/assp-test > ------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test
