I confirm that this is a BUG in the current version. The SSL listeners on
the WEB ports are not safe against BEAST.
This does not concern the SMTP SSL/TLS connections if you use the right SSL
settings.
I'll correct this in the next V2 version!
Thomas
From: "Ethical Host - John MacKenzie" <j...@ethicalhost.ca>
To: <assp-user@lists.sourceforge.net>,
Date: 25.07.2013 20:29
Subject: [Assp-user] how to change the SSL cipher to mitigate beast
Sorry for the delay, I wanted to update the status of this issue, as I did
set the ssl_cipher_list in ASSP, I thought it worked for setting the cipher
on SMTP (see below appears not now), but it does not appear to affect the
https: connections on port 55555 and 55553 for the web interface? I don't
know am I missing something else?
My setting:
SSL_cipher_list:=RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES:!DES-CBC3-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA
(which works for all other cpanel services)
Tested with beast.pl script on port 55555 and 55553 as well as actually
port 465 also and the result is
Protocol: TLS v1
Server Preferred Cipher: AES256-SHA
Vulnerable: YES
Also tested with this as per cpanel guidelines
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
And same result, which makes me think the service is grabbing its setting
from somewhere else because on the second one there is not even a mention
of AES256-SHA
Thoughts?
John
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
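Added example, not part of the original thread and not code from ASSP or beast.pl: a small Python check that reads a result in the "Protocol / Server Preferred Cipher" layout quoted above and decides BEAST exposure from those two lines. The function names and the rule used (SSLv3 or TLSv1 together with a CBC-mode cipher) are assumptions of this example, not beast.pl's own logic.

```python
import re

# TLS 1.0 and SSL 3.0 chain CBC IVs across records, which BEAST depends on.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1"}
# Substrings of OpenSSL cipher names that mark non-CBC suites (assumption:
# every other name is a block cipher in CBC mode, e.g. AES256-SHA).
NON_CBC_MARKERS = ("RC4", "GCM", "CCM", "CHACHA20", "NULL")

# Constructed from the result quoted in the thread.
REPORTED_RESULT = """Protocol: TLS v1
Server Preferred Cipher: AES256-SHA
Vulnerable: YES
"""

def normalize_protocol(text):
    """Turn 'TLS v1', 'TLSv1.0' or 'TLSv1.2' into OpenSSL-style names."""
    match = re.fullmatch(r"(SSL|TLS)\s*v\s*(\d)(?:\.(\d))?", text.strip(), re.I)
    if not match:
        raise ValueError(f"unrecognised protocol: {text!r}")
    family, major, minor = match.group(1).upper(), match.group(2), match.group(3)
    return f"{family}v{major}" + (f".{minor}" if minor not in (None, "0") else "")

def is_cbc_cipher(name):
    """True when the OpenSSL cipher name denotes a CBC-mode suite."""
    return not any(marker in name.upper() for marker in NON_CBC_MARKERS)

def parse_report(text):
    """Collect 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def beast_exposed(report_text):
    """Decide exposure from the protocol and preferred-cipher lines alone."""
    fields = parse_report(report_text)
    protocol = normalize_protocol(fields["protocol"])
    return protocol in BEAST_PROTOCOLS and is_cbc_cipher(fields["server preferred cipher"])

if __name__ == "__main__":
    print("exposed:", beast_exposed(REPORTED_RESULT))
```

Preferring RC4 is the 2013-era workaround this thread relies on; RC4 has since been prohibited in TLS (RFC 7465), so on current systems the remedy is to require TLS 1.2 or later rather than to reorder ciphers.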