-SSLv2:-SSLv3:+TLSv1:+TLSv11:+TLSv12:+TLSv13:-aNULL:-eNULL:-MD5:-RC2:-RC4:-E XPORT40:-EXP
/usr/local/bin/openssl ciphers -v -tls1 "!aNULL:!eNULL:!MD5:!RC2:!RC4:!EXPORT40:!EXP"

Hi,

Apologies, since what I describe relates to FreeBSD only marginally and is mainly about OpenVPN vs OpenSSL.

1) While modifying the system I ran into a problem where, even after recompiling, I kept getting the wrong cipher set from OpenSSL. The cause was simple. The base system has OpenSSL 0.9.8 integrated, while the ports have 1.0.1 ... I should have read UPDATES. I had to set the variable WITH_OPENSSL_PORT=YES in /etc/make.conf, and the first part resolved "by itself" after recompiling.

2) The main reason for the above activity was setting up OpenVPN. In the past I used AES-256-CBC+SHA1, with a certificate from a CA. Given the recent turmoil around OpenSSL I tried revisiting older things; besides turning off compression (to which a variant of the CRIME attack can apparently be applied), I also wanted to avoid CBC mode (here I am not sure whether it is really attackable with BEAST, but by all accounts it is, with difficulty, but still). Moreover, SHA1 is somewhat behind the times by now. As for key width, with AES-256 it is about a quarter slower than AES-128 on a 1 KB block.
After recompiling I tried the settings from

  openvpn --show-tls
  openvpn --show-ciphers
  openvpn --show-digests

and found a suitable group of algorithms:

  TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
  TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
  TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
  TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
  TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
  TLS-RSA-WITH-AES-256-GCM-SHA384
  TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
  TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
  TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
  TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
  TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
  TLS-RSA-WITH-AES-128-GCM-SHA256

Intended configuration:

  daemon
  ping-timer-rem
  persist-tun
  persist-key
  local server
  port 1194
  dev tun
  proto tcp-server
  server 192.168.0.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  push "dhcp-option DNS 10.0.0.1"
  push "dhcp-option WINS 10.0.0.1"
  push "dhcp-option DOMAIN vpn.domena"
  push "dhcp-option NBDD 10.0.0.1"
  push "dhcp-option NTP 10.0.0.1"
  push "dhcp-option NBS 8"
  client-config-dir ccd
  client-to-client
  max-clients 16
  ca /etc/ssl/certs/CA/cacert.crt
  cert /etc/ssl/certs/server/openvpn.crt
  key /etc/ssl/certs/server/openvpn.key
  dh /etc/ssl/certs/dh4096.pem
  tls-auth static.key
  comp-lzo no
  keepalive 10 300
  #cipher AES-128-GCM
  auth SHA256
  tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  verb 2
  status /var/log/openvpn/status.log
  log /var/log/openvpn/openvpn.log
  log-append /var/log/openvpn/openvpn.log
  mute 64

Questions:

1) Why does openvpn report the following, even though the above is available in OpenSSL 1.0.1? It seems that cipher does not support Galois mode, but tls-cipher does.

  library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
  Cipher algorithm 'AES-128-GCM' not found (OpenSSL)

2) I am trying to make sense of this, so I would like to ask someone: does OpenVPN do double encryption?
  - one layer via the cipher clause
  - transport via tls-cipher

3) A question related to the above: has anyone tried implementing this and has an overview of client support?
Where it is possible to load an OpenSSL client there should be no problem ... hopefully. But Android reportedly has a problem with CAMELLIA etc.

Thanks
Honza
-- 
FreeBSD mailing list ([email protected])
http://www.freebsd.cz/listserv/listinfo/users-l
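The following is an added example, not code from the post above or from the OpenVPN project: a small linter for the kind of server.conf quoted in the thread. It separates the two encryption layers the poster asks about (cipher/auth protect the data channel, tls-cipher restricts the TLS control channel that derives the data-channel keys) and checks whether a GCM data-channel cipher can work on the installed OpenVPN. The version thresholds are this example's assumptions taken from the OpenVPN 2.3 and 2.4 manuals (2.4 is the first release whose --cipher accepts AEAD/GCM ciphers, 2.3.3 the first with --tls-version-min); the sample configuration is constructed for the run, not the poster's file.

```python
"""Lint an OpenVPN 2.x server config for data-channel vs control-channel cipher settings.

Added example; the version thresholds below are assumptions drawn from the OpenVPN
2.3/2.4 manuals, and SAMPLE_CONFIG is constructed (modelled on the thread's server.conf).
"""
import re

AEAD_DATA_CHANNEL_MIN = (2, 4)         # first release whose --cipher accepts *-GCM
TLS_VERSION_MIN_DIRECTIVE = (2, 3, 3)  # first release with --tls-version-min

# OpenVPN names TLS suites IANA-style, as printed by `openvpn --show-tls`.
IANA_SUITE = re.compile(r"^TLS-[A-Z0-9-]+-WITH-[A-Z0-9-]+$")
# Suites that only exist in TLS 1.2 (AEAD modes or a SHA-2 based PRF).
TLS12_ONLY = re.compile(r"-(?:GCM|CCM|CHACHA20-POLY1305)-|-SHA(?:256|384)$")


def parse_config(text):
    """Return [(directive, [args...])]; blank lines and '#'/';' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint(text, openvpn_version):
    """Return [(severity, message)] for an OpenVPN server config and a version tuple."""
    conf = parse_config(text)

    def get(directive):
        return [args for name, args in conf if name == directive]

    findings = []

    # Data channel: --cipher encrypts the tunnelled packets, --auth HMACs them.
    for args in get("cipher"):
        name = args[0].upper() if args else ""
        if name.endswith("-GCM"):
            if openvpn_version < AEAD_DATA_CHANNEL_MIN:
                findings.append(("error", f"data channel: --cipher {name} needs OpenVPN >= 2.4; "
                                          "2.3 has no AEAD data channel, whatever OpenSSL offers"))
            if get("auth"):
                findings.append(("info", "data channel: with an AEAD --cipher the --auth HMAC is not "
                                         "applied to data packets (it still keys --tls-auth)"))

    # Control channel: --tls-cipher restricts the TLS handshake that derives the data keys.
    suites = [s for args in get("tls-cipher") for s in ":".join(args).split(":") if s]
    for suite in suites:
        if not IANA_SUITE.match(suite):
            findings.append(("warn", f"control channel: {suite!r} is not an IANA-style "
                                     "TLS-...-WITH-... name as listed by openvpn --show-tls"))
    if (any(TLS12_ONLY.search(s) for s in suites) and not get("tls-version-min")
            and openvpn_version >= TLS_VERSION_MIN_DIRECTIVE):
        findings.append(("info", "control channel: the chosen suites exist only in TLS 1.2; "
                                 "add 'tls-version-min 1.2' to state that requirement explicitly"))

    # Control-channel hardening and compression.
    if not get("tls-auth"):
        findings.append(("warn", "no --tls-auth: control-channel packets carry no HMAC "
                                 "before the TLS handshake completes"))
    for args in get("comp-lzo"):
        if args != ["no"]:
            findings.append(("warn", "comp-lzo enables compression of the tunnelled data; "
                                     "the post turns it off for CRIME-style reasons"))
    return findings


SAMPLE_CONFIG = """\
# constructed sample modelled on the thread's server.conf, with cipher uncommented
proto tcp-server
server 192.168.0.0 255.255.255.0
ca /etc/ssl/certs/CA/cacert.crt
cert /etc/ssl/certs/server/openvpn.crt
key /etc/ssl/certs/server/openvpn.key
dh /etc/ssl/certs/dh4096.pem
tls-auth static.key
comp-lzo no
cipher AES-128-GCM
auth SHA256
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
"""

if __name__ == "__main__":
    for version in ((2, 3, 4), (2, 4, 0)):
        print("OpenVPN %d.%d.%d:" % version)
        for severity, message in lint(SAMPLE_CONFIG, version):
            print(f"  [{severity}] {message}")
```

Run against an OpenVPN 2.3 version tuple the sample produces the same situation as the poster's error (a GCM data-channel cipher that the 2.3 data channel cannot use, while the GCM tls-cipher for the control channel is fine); against 2.4 the error disappears and only the informational notes about --auth and tls-version-min remain.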
