On Nov 11, 2008, at 8:50 AM, John Almberg wrote:
My server got an audit for PCI compliance and was red-flagged for
allowing SSL2 connections, which they have some problem with. They
want the server to use SSL3 or TLS:
"Synopsis : The remote service encrypts traffic using a protocol
with known weaknesses. Description : The remote service accepts
connections encrypted using SSL 2.0, which reportedly suffers from
several cryptographic flaws and has been deprecated for several
years. An attacker may be able to exploit these issues to conduct
man-in-the-middle attacks or decrypt communications between the
affected service and clients. See also :
http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0
and use SSL 3.0 or TLS 1.0 instead. See
http://support.microsoft.com/kb/216482 for instructions on IIS. See
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache. Risk
Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)"
They want me to do this for https, imaps, and pop3s protocols...
Before I dig into this, I was wondering, is this even possible?
Will anything break as a result?
Answering my own question (always the best way! :-)
I've figured out how to do this on Apache... Replaced the default
SSLCipherSuite directive with the following:
SSLCipherSuite TLSv1:!ADH:!EXP:!NULL:!MD5:!LOW:+HIGH:+MEDIUM
This seems to work, although I guess all those Netscape 4 users are
going to have to shop elsewhere...
On to IMAPS and POP3S...
-- John
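A constructed Apache mod_ssl fragment, added here and not part of John's post, showing the stock settings of that era beside a hardened version. It assumes Apache 2.0/2.2 with mod_ssl, and adds the SSLProtocol directive, which switches the protocol off directly instead of relying on the cipher list alone to exclude SSLv2 suites:

```apache
# Example only (constructed), not the configuration from the original post.
# Assumes Apache 2.0/2.2 with mod_ssl loaded.

# BEFORE: the defaults shipped in httpd-ssl.conf of that era. SSLv2 is
# still negotiable, and the cipher list explicitly re-admits SSLv2 suites,
# which is exactly what the PCI scanner flagged.
#SSLProtocol all
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

# AFTER: refuse the SSLv2 handshake outright, then restrict ciphers.
# "-SSLv2" removes the protocol no matter what the cipher list allows;
# the SSLCipherSuite line mirrors the one from the post and additionally
# drops anonymous DH, export, NULL, MD5 and LOW-grade suites.
SSLProtocol all -SSLv2
SSLCipherSuite TLSv1:!ADH:!EXP:!NULL:!MD5:!LOW:+HIGH:+MEDIUM

# Verification after "apachectl graceful" (run from a client of that era
# whose OpenSSL still supports the flag):
#   openssl s_client -ssl2 -connect www.example.com:443
# must now fail the handshake, while
#   openssl s_client -tls1 -connect www.example.com:443
# still completes.
```

The same SSLv2 suites are listed per setting with `openssl ciphers -v '<spec>'`, whose third column shows the protocol each cipher belongs to.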
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"