Re: [Openvas-discuss] OpenVAS Check for SSL Weak Ciphers

Thu, 22 Dec 2016 06:22:11 -0800 


Am 22.12.2016 um 13:38 schrieb Eero Volotinen:

Well, TLSv1.2 is nowdays supported very well:

https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers

It even works on IE.


again: in your small world

in the real world there are even clients which are not operated by humans


some are written in java, probably run a oldr java version and then you 
have even to take care that your DHE params are not too big since those 
clients don't support ECDHE


some are runnng on really old hardware


it' pure stupidity to call out a server with SSLHonorCipherOrder and 
compatibility ciphers at the end of SSLCipherSuite since no recent 
client has a point falling back at those ciphers



the support in clients for old and unsecure things has to be removed 
instead the ongoing piss-contest against server admins which try to 
support old client software instead enforce them to use no exncraption 
at all



2016-12-22 13:36 GMT+02:00 Reindl Harald <[email protected]
<mailto:[email protected]>>:



    Am 21.12.2016 um 18:45 schrieb Eero Volotinen:

        Is there any reason to support other than TLSv1.2 protocols?


    in your small world probably not

    in the real world where you ar enot in the position to update every
    mailclient of every customer or even every operating system and it's
    browsers of website visitors it is

    there is no reason that a recent client would fall back to 3DES
    other than a major bug in that client which needs to be fixed there
    and not on the server side

        2016-12-20 18:09 GMT+02:00 Madden, Joe <[email protected]
        <mailto:[email protected]>
        <mailto:[email protected] <mailto:[email protected]>>>:

            Hi,____

            __ __

            Our openvas is showing the following ciphers as a medimum
        risk:____

            __ __

              TLS1_0_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA____

              TLS1_0_DHE_RSA_WITH_3DES_EDE_CBC_SHA____

              TLS1_0_RSA_WITH_3DES_EDE_CBC_SHA____

              TLS1_1_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA____

              TLS1_1_DHE_RSA_WITH_3DES_EDE_CBC_SHA____

              TLS1_1_RSA_WITH_3DES_EDE_CBC_SHA____

              TLS1_2_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA____

              TLS1_2_DHE_RSA_WITH_3DES_EDE_CBC_SHA____

              TLS1_2_RSA_WITH_3DES_EDE_CBC_SHA____

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss






















					Reply via email to