cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nux! <...@li.nux.ro>
Subject Re: New SSL vulnerability #FREAK
Date Mon, 09 Mar 2015 10:51:26 GMT
Ok, so for Apache HTTPD something like this would do the job:

SSLProtocol             all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder     on

I do not know how to do this for the CPVM java thingy that runs there; I think it's based
on Jetty.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Erik Weber" <terbolous@gmail.com>
> To: "dev" <dev@cloudstack.apache.org>
> Sent: Monday, 9 March, 2015 09:34:08
> Subject: Re: New SSL vulnerability #FREAK

> On Mon, Mar 9, 2015 at 9:59 AM, Nux! <nux@li.nux.ro> wrote:
> 
>> BTW, the command I used is:
>>
>> nmap --script ssl-enum-ciphers $HOST
>>
>> I'm not entirely sure which cipher is good or not.
>>
> 
> Anyone with EXPORT in it is bad (in the FREAK case).
> 
> This is a scan of my 4.3.2 systemvm with nmap:
> 
>| ssl-enum-ciphers:
>|   SSLv3:
>|     ciphers:
>|       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
>|       TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
>|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
>|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
>|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
>|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
>|       TLS_RSA_WITH_DES_CBC_SHA - weak
>|       TLS_RSA_WITH_RC4_128_MD5 - strong
>|       TLS_RSA_WITH_RC4_128_SHA - strong
>|     compressors:
>|       NULL
>|   TLSv1.0:
>|     ciphers:
>|       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
>|       TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
>|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
>|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
>|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
>|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
>|       TLS_RSA_WITH_DES_CBC_SHA - weak
>|       TLS_RSA_WITH_RC4_128_MD5 - strong
>|       TLS_RSA_WITH_RC4_128_SHA - strong
> 
> --
> Erik

Mime
View raw message