On Wed, 26 Nov 2014, Michael Rasmussen wrote:
> http://ssllabs.com
> Excellent tool. Thank you.
> If nothing else comes out of this the report from ssllabs provided
> lots of food for thought.

A couple months ago, I ran its test against both madboa.com and
servers at work. It was a very helpful tool, not only for web services
but also for thinking about how some of those vulnerabilities might be
present in other SSL-protected services like SMTP/AUTH and IMAP.

I ended up changing cipher and/or protocol lists for Apache:

    SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!MD5:!ADH:!EXP
    SSLHonorCipherOrder on
    SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1

and Dovecot:

    ssl_cipher_list = HIGH:!IDEA:!aNULL:!eNULL:!MD5:!ADH:!EXP

and Sendmail:

    LOCAL_CONFIG
    O CipherList=HIGH:!IDEA:!aNULL:!eNULL:!MD5:!ADH:!EXP
    O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE

Google for "nmap --script ssl-enum-ciphers" for another helpful tool
to sniff out SSL-related weaknesses.
--
Paul Heinlein
[email protected]
45°38' N, 122°6' W
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
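
Added example, not part of the original message: a Python script that expands the Apache and Dovecot/Sendmail cipher strings quoted above against the local OpenSSL build, checks that none of the excluded families survive, and lists what MEDIUM adds to the Apache list. The function names are made up for this example; Python's set_ciphers() does not control TLS 1.3 suites, so those always appear in the output.

```python
import ssl

# Cipher strings copied from the message above.
APACHE = "HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!MD5:!ADH:!EXP"
MAIL = "HIGH:!IDEA:!aNULL:!eNULL:!MD5:!ADH:!EXP"  # Dovecot and Sendmail

# Name tokens the "!" terms are meant to keep out of the final list.
BANNED = {"IDEA", "NULL", "MD5", "ADH", "AECDH", "EXP"}


def expand(cipher_string):
    """Return the suites the local OpenSSL selects for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def names(cipher_string):
    """Suite names only, in the order OpenSSL would prefer them."""
    return [c["name"] for c in expand(cipher_string)]


def violations(suite_names):
    """Suite names containing a banned token, e.g. EXP-RC4-MD5 or ADH-AES128-SHA."""
    return [n for n in suite_names if BANNED & set(n.split("-"))]


def added_by_medium():
    """Suites the Apache string accepts that the HIGH-only mail string does not."""
    mail = set(names(MAIL))
    return [n for n in names(APACHE) if n not in mail]


if __name__ == "__main__":
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    for label, spec in (("Apache", APACHE), ("Dovecot/Sendmail", MAIL)):
        suites = expand(spec)
        print(f"\n{label}: {len(suites)} suites, violations: {violations(names(spec))}")
        for c in suites:
            print(f"  {c['protocol']:8} {c['strength_bits']:4} bits  {c['name']}")
    print("\nAdded by MEDIUM:", added_by_medium() or "nothing on this build")
```

The result depends on the OpenSSL version the interpreter is linked against, so run it on the host that serves the traffic rather than on a workstation.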