httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vorazzo Manuela <manuela.vora...@sia.eu>
Subject [users@httpd] R: [users@httpd] CVE-2013-2566
Date Mon, 20 Jan 2014 12:30:05 GMT
We originally configured Apache with this directive:

SSLCipherSuite RC4-SHA

Then, then when the network scan found  the vulnerability, we modify with this

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA

But now we have CBC and for the security requirements we have to delete RC4, CBC, and MD5
and probably other ciphers that I can't' remember.

Have you any suggestion in order to configure SSLCipherSuite to be compliant to CVE-2013-2566


Thanks in advance.


Manuela Vorazzo


-----Messaggio originale-----
Da: Eric Covener [mailto:covener@gmail.com]
Inviato: lunedì 20 gennaio 2014 13:10
A: users@httpd.apache.org
Oggetto: Re: [users@httpd] CVE-2013-2566

> The RC4 algorithm, as used in the TLS protocol and SSL protocol, has
> many s= ingle-byte biases, which makes it easier for remote attackers
> to conduct pl= aintext-recovery attacks via statistical analysis of
> ciphertext in a large = number of sessions that use the same plaintext.

http://httpd.apache.org/security_report.html

You can configure Apache to not use RC4.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


*******************Internet Email Confidentiality Footer*******************
Qualsiasi utilizzo non autorizzato del presente messaggio nonché dei suoi allegati è vietato
e potrebbe costituire reato. Se ha ricevuto per errore il presente messaggio, Le saremmo grati
se ci inviasse, via e-mail, una comunicazione al riguardo e provvedesse nel contempo alla
distruzione del messaggio stesso e dei suoi eventuali allegati. Le dichiarazioni contenute
nel presente messaggio nonche' nei suoi eventuali allegati devono essere attribuite al mittente
e non possono essere necessariamente considerate come autorizzate da SIA S.p.A.; le medesime
dichiarazioni non impegnano SIA S.p.A. nei confronti del destinatario o di terzi. SIA S.p.A.
non si assume alcuna responsabilita' per eventuali intercettazioni, modifiche o danneggiamenti
del presente messaggio e-mail.

Any unauthorized use of this e-mail or any of its attachments is prohibited and could constitute
an offence. If you are not the intended addressee please advise immediately the sender by
using the reply facility in your e-mail software and destroy the message and its attachments.
The statements and opinions expressed in this e-mail message are those of the author of the
message and do not necessarily represent those of SIA S.p.A. Besides, The contents of this
message shall be understood as neither given nor endorsed by SIA S.p.A.. SIA S.p.A. does not
accept liability for corruption, interception or amendment, if any, or the consequences thereof.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message