On 31.01.2014 17:14, James Peach wrote:
> On Jan 31, 2014, at 7:00 AM, Reindl Harald <[email protected]> wrote:
>> https://www.ssllabs.com/ssltest/
>> ___________________________________________________
>>
>> Secure Client-Initiated Renegotiation Supported DoS DANGER
>> https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
>
> This is fixed in 4.2. https://issues.apache.org/jira/browse/TS-1467

cool, thanks

>> OCSP stapling No
>
> This needs a contributor. https://issues.apache.org/jira/browse/TS-2367

ok, not that important, I am only about verifying ATS / httpd and for now
there are no websites which need ATS for load-reduction and TLS

what I currently try to achieve is to find out the capabilities of our
infrastructure, looking at the big picture to know what is possible
before things are asked to be implemented or hardly needed for a project
in the future

>> The server does not support Forward Secrecy with the reference browsers
>
> Not sure what this one means. Do you need to use an EC key to get ECDHE?

no, but not all clients support ECDHE, a short time ago Firefox on Fedora as example

OpenSSL 0.9.8y         TLS 1.0   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS
BingPreview Dec 2013   TLS 1.0   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS
Java 6u45              No SNI 2  Client does not support DH parameters > 1024 bits

Java 6 would choose DHE if the DHE params are not bigger than 1024 bit

the warning appears if there are clients known to support PFS with DHE
but not ECDHE

OpenSSL 0.9.8 is in that context interesting because it's widely used
in LTS distributions

>> order of cipher-suite above ignored - actually bad
>
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
>
> Also see https://issues.apache.org/jira/browse/TS-2370, which fixes the
> setting logic in 4.2.

cool, I'll give that a try and happily look forward to 4.2
my configs are that simple and without plugins that I can upgrade without issues
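The two points this message turns on (whether the server honors its own cipher order, and why a DHE suite that older clients can use still matters for forward secrecy) are easy to see in a small negotiation simulation. The following is an added example in Python, not code from the thread or from Apache Traffic Server: the server preference list, the client profiles (modelled loosely on the SSL Labs handshake simulation rows quoted above) and the suite names are constructed for illustration, and the `max_dh_bits` field is a stand-in for the Java 6 behaviour of rejecting DH parameters larger than 1024 bits.

```python
"""Simulate TLS 1.2 cipher-suite negotiation under the two settings of
proxy.config.ssl.server.honor_cipher_order and check the outcome for
forward secrecy.  Added example; the suite names, the server preference
list and the client profiles are constructed and are not ATS code."""

from typing import Optional

# Constructed server preference list, OpenSSL-style names, strongest first.
SERVER_PREFERENCE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-SHA",
    "AES128-SHA",
    "RC4-SHA",
]

# Constructed client profiles.  "offers" is the order the client advertises;
# "max_dh_bits" models the Java 6 limit on DH parameter size (None = no limit).
CLIENTS = {
    "OpenSSL 0.9.8y": {
        "offers": ["DHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA"],
        "max_dh_bits": None,
    },
    "Java 6u45": {
        "offers": ["RC4-SHA", "AES128-SHA", "DHE-RSA-AES128-SHA"],
        "max_dh_bits": 1024,
    },
    "modern browser": {
        "offers": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],
        "max_dh_bits": None,
    },
}


def has_forward_secrecy(suite: str) -> bool:
    """Only ephemeral (EC)DH key exchange gives a suite forward secrecy."""
    return suite.startswith(("ECDHE-", "DHE-"))


def select_suite(client_offers, server_prefs, honor_server_order) -> Optional[str]:
    """Pick the first shared suite, walking whichever list has priority."""
    if honor_server_order:
        first, second = server_prefs, client_offers
    else:
        first, second = client_offers, server_prefs
    for suite in first:
        if suite in second:
            return suite
    return None


def handshake(client, honor_server_order, server_dh_bits=2048):
    """Return the outcome of one simulated handshake as a dict."""
    suite = select_suite(client["offers"], SERVER_PREFERENCE, honor_server_order)
    if suite is None:
        return {"status": "no shared suite"}
    limit = client["max_dh_bits"]
    # A DHE suite is agreed before the DH group is seen, so an oversized group
    # is a handshake failure rather than a fallback to the next suite.
    if suite.startswith("DHE-") and limit is not None and server_dh_bits > limit:
        return {"status": "handshake failure", "suite": suite,
                "reason": f"client rejects DH parameters > {limit} bits"}
    return {"status": "ok", "suite": suite, "forward_secrecy": has_forward_secrecy(suite)}


def report(honor_server_order, server_dh_bits=2048):
    """Outcome per client, the way an SSL Labs simulation table lays it out."""
    return {name: handshake(c, honor_server_order, server_dh_bits)
            for name, c in CLIENTS.items()}


if __name__ == "__main__":
    for honor in (False, True):
        print(f"honor_cipher_order = {int(honor)}")
        for name, outcome in report(honor).items():
            print(f"  {name:16} {outcome}")
```

Running it shows the trade-off behind the SSL Labs remarks: with `honor_cipher_order` off, the Java 6 profile lands on RC4 (no forward secrecy) because that is what it lists first; with it on, the server's DHE preference wins, but a 2048-bit DH group then fails the handshake for that client, while a 1024-bit group completes it with forward secrecy. The OpenSSL 0.9.8 profile gets DHE either way, which is the case the thread points out for LTS distributions.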
