On Wed, Aug 4, 2010 at 6:05 PM, Kees Cook <[email protected]> wrote:
> Hi Jim,
>
> On Wed, Aug 04, 2010 at 09:44:25AM -0400, Jim Tarvid wrote:
> > Why not kill the weak ciphers too?
>
> Sure! Can you send a patch for this?
>
> Thanks!
>
> -Kees

r...@helen:/etc/apache2/mods-available# diff /etc/apache2/mods-available/ssl.conf /root/etc-20091021/apache2/mods-available/ssl.conf
55c55
< SSLCipherSuite HIGH:!ADH
---
> #SSLCipherSuite HIGH:MEDIUM:!ADH
58c58
< SSLProtocol all -SSLv2
---
> #SSLProtocol all -SSLv2
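Review bot: the diff is taken with the arguments in new-then-old order (the live /etc/apache2/mods-available/ssl.conf first, the /root/etc-20091021 backup second), so in both hunks the `<` lines are the proposed values and the `>` lines the original, which is the reverse of what patch(1) expects; regenerate it as `diff -u /root/etc-20091021/apache2/mods-available/ssl.conf /etc/apache2/mods-available/ssl.conf` so the submission reads old-to-new and applies directly. In the 58c58 hunk, `SSLProtocol all -SSLv2` still leaves SSLv3 enabled, as caveat #2 in the mail acknowledges; since the change targets the distribution default, the compatibility trade-off of dropping SSLv2 and the MEDIUM ciphers (caveat #1) belongs in the change description rather than only in the mail body.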
Many thoughts and caveats.

1. Old browsers may not be able to negotiate SSLCipherSuite HIGH. I don't know and I don't care.
2. Only the most ancient browsers will not be able to negotiate TLSv1 or SSLv3. See #1.
3. Daniel J Blueman may want NULL (eNULL) instead of NONE.
4. I have consulted but not read, much less studied, http://www.modssl.org/docs/2.8/
5. I have consulted but not read, much less studied, http://www.openssl.org/docs/
6. Patching either belongs upstream but configuration is fair game. The default configuration should be safe and it is not.
7. Ubuntu should allow version choices for core server components. Patching while retaining version numbers leads to confusion.
8. Works with Firefox 3.6.8 and Lucid.

r...@helen:/etc/apache2/mods-available# openssl s_client -connect secure.grayson-inn.com:443
CONNECTED(00000003)
depth=0 /description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/[email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/[email protected]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/[email protected]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
subject=/description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2438 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: AE224AAAECB6770D59BCA7460BC189311ABAE88C368D41F45EC5F2300705254C
    Session-ID-ctx:
    Master-Key: A2F7B4865595E4FE9927D35190C84209AC2C729B159306BA32A67CA8839F0FEBA9FB140943C405C52E5E635B48DE5271
    Key-Arg   : None
    Start Time: 1281005830
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
