On Mon, 16 Dec 2013 21:35, [email protected] said:
> Werner, if I can help with configuring or maintaining the web server for
> gnupg.org to address some of these issues, please let me know.
Yes, I have problems figuring out a working cipher list which also
allows for IE. What DHE cipher suite may I use with IE given that I
have only an RSA certificate? Or should I simply give up on PFS for IE
users? The active ciphers are right now:
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
Shalom-Salam,
Werner
p.s.
Attached is my SSLNoCompression patch for Debian's pound in case
someone is interested.
--
Thoughts are free. Exceptions are regulated by a federal law.
--- a/config.c 2013-12-17 13:15:09.000000000 +0100
+++ b/config.c 2013-12-17 13:20:16.000000000 +0100
@@ -76,7 +76,7 @@
static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr;
static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale;
-static regex_t ClientCert, AddHeader, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
+static regex_t ClientCert, AddHeader, SSLAllowClientRenegotiation, SSLHonorCipherOrder, SSLNoCompression, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
static regex_t Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert, Disabled, Threads, CNName;
static regmatch_t matches[5];
@@ -1057,6 +1057,14 @@
ssl_op_disable |= SSL_OP_CIPHER_SERVER_PREFERENCE;
ssl_op_enable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
}
+ } else if(!regexec(&SSLNoCompression, lin, 4, matches, 0)) {
+ if (atoi(lin + matches[1].rm_so)) {
+ ssl_op_enable |= SSL_OP_NO_COMPRESSION;
+ ssl_op_disable &= ~SSL_OP_NO_COMPRESSION;
+ } else {
+ ssl_op_disable |= SSL_OP_NO_COMPRESSION;
+ ssl_op_enable &= ~SSL_OP_NO_COMPRESSION;
+ }
} else if(!regexec(&Ciphers, lin, 4, matches, 0)) {
has_other = 1;
if(res->ctx == NULL)
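Review bot: the new SSLNoCompression branch references SSL_OP_NO_COMPRESSION without a guard, so config.c will not compile against OpenSSL headers that do not define that macro; wrapping the branch in #ifdef SSL_OP_NO_COMPRESSION would keep such builds working. In the else arm, an explicit "SSLNoCompression 0" adds the flag to ssl_op_disable, which actively clears the option instead of leaving the library default alone; that mirrors the SSLHonorCipherOrder handling just above, but it deserves a sentence in the man page.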
@@ -1338,6 +1346,8 @@
|| regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&SSLAllowClientRenegotiation, "^[ \t]*SSLAllowClientRenegotiation[ \t]+([012])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&SSLHonorCipherOrder, "^[ \t]*SSLHonorCipherOrder[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&SSLNoCompression, "^[ \t]*SSLNoCompression[ \t]+([01])[ \t]*$",
+ REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&VerifyList, "^[ \t]*VerifyList[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
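Review bot: style point on the added regcomp(&SSLNoCompression, ...) call: it is wrapped over two lines while every neighbouring regcomp call in this chain stays on one line; keep it on a single line to match. The ([01]) capture is consistent with the SSLHonorCipherOrder pattern directly above it.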
@@ -1498,6 +1508,7 @@
regfree(&AddHeader);
regfree(&SSLAllowClientRenegotiation);
regfree(&SSLHonorCipherOrder);
+ regfree(&SSLNoCompression);
regfree(&Ciphers);
regfree(&CAlist);
regfree(&VerifyList);
--- a/pound.8 2013-12-17 13:19:36.000000000 +0100
+++ b/pound.8 2013-12-17 13:19:40.000000000 +0100
@@ -514,6 +514,14 @@
supported. If the value is 2, insecure renegotiation is supported, with unpatched
clients. /fBThis can lead to a DoS and a Man in the Middle attack!/fR Default value is 0.
.TP
+\fBSSLNoCompression\fR 0|1
+If this value is 1, the server will disable DEFLATE compression even if both server
+and client supports it. In case compression is enabled an attacker with access to
+encrypted network traffic can conduct a "CRIME" attack by making client issue requests
+with specific character sequences and observing whether they got compressed or not,
+indicating their presence in part of the request that is not under his control
+(e.g. cookie headers). Default value is 0.
+.TP
\fBCAlist\fR "CAcert_file"
Set the list of "trusted" CA's for this server. The CAcert_file is a file containing
a sequence of CA certificates (PEM format). The names of the defined CA certificates
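Review bot: the new SSLNoCompression entry ends with "Default value is 0", so the compression that this same paragraph ties to the "CRIME" attack stays enabled unless the administrator sets the option; consider making 1 the default, or at least state here that 1 is the recommended setting. Wording in the added text: "both server and client supports it" should read "support it", and "making client issue requests" should read "making the client issue requests".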