Here is some more information:

BEAST Attack

http://blogs.cisco.com/security/beat-the-beast-with-tls/
https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
http://blog.zoller.lu/2011/09/beast-summary-tls-cbc-countermeasures.html

The BEAST attack relies on a weakness in the way CBC mode is used in 
SSL/TLS. 
In OpenSSL versions 0.9.6d and later, the protocol-level mitigation is 
enabled by default, 
thus making it not vulnerable to the BEAST attack.

Solutions:

Compile Net::SSLeay with OpenSSL versions 0.9.6d or later, which enables 
SSL_OP_ALL by default

Ensure SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not enabled (it's not enabled 
by default)

Don't support SSLv2, SSLv3

Actively control the ciphers your server supports with set_cipher_list, 
for example 'RC4-SHA:HIGH:!ADH'
 

Thomas
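
An added example, not part of the original message and not ASSP's own code: a standalone Perl script that applies the settings listed above to a Net::SSLeay context, checks the empty-fragment flag, and prints the cipher list that results. It assumes a Net::SSLeay build that provides CTX_clear_options; the variable names are illustrative.

```perl
#!/usr/bin/perl
# Added example (not ASSP code): apply the settings from the list above to a
# Net::SSLeay context and report what is actually in effect.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Cipher string quoted in the message above; adjust to local policy.
my $cipher_list = 'RC4-SHA:HIGH:!ADH';

my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";

# Refuse SSLv2 and SSLv3 handshakes.
Net::SSLeay::CTX_set_options($ctx,
    Net::SSLeay::OP_NO_SSLv2() | Net::SSLeay::OP_NO_SSLv3());

# Check the empty-fragment flag instead of assuming its state: if the bit is
# set, the CBC countermeasure is switched off for this context.
# Assumption: CTX_clear_options is available in the installed Net::SSLeay.
my $frag = Net::SSLeay::OP_DONT_INSERT_EMPTY_FRAGMENTS();
if (Net::SSLeay::CTX_get_options($ctx) & $frag) {
    Net::SSLeay::CTX_clear_options($ctx, $frag);
}
die "empty-fragment countermeasure is still disabled\n"
    if Net::SSLeay::CTX_get_options($ctx) & $frag;

# CTX_set_cipher_list returns 0 when no cipher in the string is available.
Net::SSLeay::CTX_set_cipher_list($ctx, $cipher_list)
    or die "no usable cipher in '$cipher_list'\n";

# List what a connection built from this context would offer, in
# preference order, so the effective result can be reviewed.
my $ssl = Net::SSLeay::new($ctx) or die "SSL new failed\n";
my $i = 0;
while (defined(my $name = Net::SSLeay::get_cipher_list($ssl, $i++))) {
    print "$name\n";
}
Net::SSLeay::free($ssl);
Net::SSLeay::CTX_free($ctx);
```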




From:    "Ethical Host - John MacKenzie" <j...@ethicalhost.ca>
To:      <assp-user@lists.sourceforge.net>
Date:    11.06.2013 17:55
Subject: [Assp-user] how to change the SSL cipher to mitigate beast



Well I posted this some time ago with no response so will try the mail 
list

 

http://minimalcms.sourceforge.net/demo/proxy/apps/phpbb/assp/viewtopic.php?f=7&t=1994&sid=cde5a1fbacd7f67c926a2741e964106a

 

Q: how do I go about adjusting the SSL cipher that assp uses for the web
interface (re here
http://forums.cpanel.net/f185/ssl-beast-workaround-whm-cpanel-306051.html)
on ports 55553 and 55555 to mitigate the BEAST vulnerability
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389?

 

Thanks

John

 

 

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user



