OoO At the end of this sleepless night of Sunday, 06 November 2011, around 06:01, Amol <[email protected]> said:
> I would also be interested in knowing about the fix for this

I still haven't found a way to patch this. I have asked on the OpenSSL mailing list with no luck. I still need to investigate more.

> and also while we are on this topic, what would be a good/optimum
> configuration for SSL protocol support, SSL key exchange and SSL
> cipher strength? Is there some setting we can add to the stunnel or
> haproxy configuration?

Since OpenSSL now disables SSLv2 by default (otherwise, you should pass NO_SSLv2 as an option), you are only concerned by the cipher list. I would suggest: AES128-SHA:AES256-SHA:RC4-SHA. This is supported by all browsers and performs well enough. If you are not concerned by security, you can just use RC4-SHA.

On the other end, if you are required to use a DH cipher, you could start with: ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:EDH-DSS-DES-CBC3-SHA (again, supported in all browsers).

You can mix both (in this case, you should drop EDH-DSS-DES-CBC3-SHA) but you should be aware that someone wanting to run a DoS will force the use of a DHE cipher, and it is possible for an attacker to downgrade to the less secure cipher with SSL 3.0 (downgrade attack).

-- 
Vincent Bernat ☯ http://vincent.bernat.im

Make it right before you make it faster.
            - The Elements of Programming Style (Kernighan & Plauger)
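The reasoning in the reply above (a static-RSA list versus an (EC)DHE list, and what happens when the two are mixed) can be turned into a small lint over an OpenSSL-style cipher string. The following is an added example written for this thread; it is not code from Vincent Bernat, stunnel or HAProxy. It assumes the usual OpenSSL suite-naming convention (the prefix before the first `-` names the key exchange, no prefix meaning static RSA) and only handles plain names and `!NAME` exclusions; keywords such as `HIGH` or `ALL` are left to OpenSSL and not expanded here. The cipher names in the tests are the ones quoted in the reply.

```python
from __future__ import annotations

# Key-exchange families by OpenSSL suite-name prefix (assumed naming convention).
# A name without one of these prefixes (e.g. "AES128-SHA", "RC4-SHA") uses
# static RSA key exchange in OpenSSL's naming scheme.
KX_PREFIXES = {
    "ECDHE": "ECDHE",
    "DHE": "DHE",
    "EDH": "DHE",     # older spelling of DHE, as in EDH-DSS-DES-CBC3-SHA
    "ADH": "anon",    # anonymous DH: no server authentication at all
    "AECDH": "anon",
}


def parse_cipher_list(spec: str) -> list[str]:
    """Split an OpenSSL cipher string on ':' and honour '!NAME' exclusions.

    Keywords (HIGH, ALL, ...) are returned untouched; they are not expanded.
    """
    wanted: list[str] = []
    banned: set[str] = set()
    for tok in spec.split(":"):
        tok = tok.strip()
        if not tok:
            continue
        if tok.startswith("!"):
            banned.add(tok[1:])
        else:
            wanted.append(tok)
    return [c for c in wanted if c not in banned]


def key_exchange(suite: str) -> str:
    """Classify one suite name: 'ECDHE', 'DHE', 'anon', 'RSA' or 'keyword'."""
    if "-" not in suite:
        return "keyword"          # HIGH, ALL, ... cannot be classified by name
    return KX_PREFIXES.get(suite.split("-", 1)[0], "RSA")


def lint(spec: str) -> list[tuple[str, str]]:
    """Return (code, message) findings that mirror the caveats in the reply."""
    suites = parse_cipher_list(spec)
    kx = {s: key_exchange(s) for s in suites}
    ephemeral = [s for s in suites if kx[s] in ("DHE", "ECDHE")]
    static_rsa = [s for s in suites if kx[s] == "RSA"]
    findings: list[tuple[str, str]] = []

    # Mixed list: a client picks from what the server offers, so it can insist
    # on the CPU-heavy DHE suite (DoS angle) while an SSL 3.0 peer can still be
    # steered to the cheaper static-RSA suite (downgrade angle).
    if ephemeral and static_rsa:
        findings.append(("mixed-kx",
                         f"ephemeral {ephemeral} and static-RSA {static_rsa} mixed: "
                         "client can force DHE cost; SSL 3.0 downgrade to RSA suite possible"))
        # The reply drops the 3DES suite once AES suites already cover the browsers.
        threedes = [s for s in suites if "DES-CBC3" in s]
        if threedes:
            findings.append(("3des", f"drop {threedes} when mixing the two lists"))

    # The reply's "not concerned by security" option: RC4 only.
    if suites and all(s.startswith("RC4") for s in suites):
        findings.append(("rc4-only", "RC4-only list: weakest option named in the thread"))

    # Anonymous DH gives no server authentication (general OpenSSL fact, not from the thread).
    anon = [s for s in suites if kx[s] == "anon"]
    if anon:
        findings.append(("anon-dh", f"{anon}: no server authentication"))

    return findings


if __name__ == "__main__":
    for spec in ("AES128-SHA:AES256-SHA:RC4-SHA",
                 "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:EDH-DSS-DES-CBC3-SHA",
                 "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:EDH-DSS-DES-CBC3-SHA:AES128-SHA"):
        print(spec)
        for code, msg in lint(spec) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run it as a script to see the three lists from the reply scored side by side; both single-family lists come back clean, and only the mixed list triggers the two caveats the reply raises.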

