OoO At the end of this sleepless night of Sunday, 06 November 2011, around
06:01, Amol <mandm_zoom#yahoo.com> said:
> I would also be interested in knowing about the fix for this
I still haven't found a way to patch this. I have asked on OpenSSL mailing list with no luck. I still need to investigate more.
> and also while we are on this topic, what would be a good/optimum
> configuration for SSL protocol support, SSL key exchange and SSL
> cipher strength? Is there some setting we can add to the stunnel or
> haproxy configuration?
Since OpenSSL now disables SSLv2 by default (otherwise, you should pass
NO_SSLv2 as an option), you are only concerned by the cipher list. I
would suggest:
AES128-SHA:AES256-SHA:RC4-SHA.
This is supported by all browsers and performs well enough. If you are
not concerned by security, you can just use RC4-SHA. On the other hand,
if you are required to use a DH cipher, you could start with:
ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:EDH-DSS-DES-CBC3-SHA
(again, support in all browsers).
You can mix both (in this case, you should drop EDH-DSS-DES-CBC3-SHA), but you should be aware that someone wanting to run a DoS will force the use of a DHE cipher, and it is possible for an attacker to downgrade to the less secure cipher with SSL 3.0 (downgrade attack).
--
Vincent Bernat ☯ http://vincent.bernat.im
Make it right before you make it faster.
- The Elements of Programming Style (Kernighan & Plauger)

Received on 2011/11/06 18:28
This archive was generated by hypermail 2.2.0 : 2011/11/06 18:30 CET
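As an added example (not part of the thread above, and not code from Vincent or the haproxy/stunnel projects), here is a small offline checker for OpenSSL cipher-list strings like the ones in the reply: it splits each suite name into key exchange, authentication, cipher and MAC, flags the forward-secrecy and weak members, and reports the two properties the reply warns about when lists are mixed (non-ephemeral suites sitting next to DHE ones, and the DHE suites that carry the per-handshake cost). The name grammar `[KX-AUTH-]CIPHER-MAC` and the token sets are assumptions based on OpenSSL's naming convention, not an exhaustive table.

```python
# Assumed grammar for OpenSSL suite names: [KX-AUTH-]CIPHER-MAC,
# with KX and AUTH omitted for plain RSA key exchange (e.g. AES128-SHA).
KX_PREFIXES = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH"}
AUTH_TOKENS = {"RSA", "DSS", "ECDSA"}
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}           # forward secrecy
ANON_KX = {"ADH", "AECDH"}                      # no server authentication
WEAK_CIPHERS = {"RC4", "DES-CBC3", "DES-CBC", "NULL"}
WEAK_MACS = {"MD5"}


def parse_suite(name):
    """Split one OpenSSL suite name into its components and classify it."""
    tokens = name.split("-")
    kx = auth = "RSA"                           # OpenSSL default when omitted
    if tokens[0] in KX_PREFIXES:
        kx = tokens.pop(0)
        if kx in ANON_KX:
            auth = "NONE"
        elif tokens and tokens[0] in AUTH_TOKENS:
            auth = tokens.pop(0)
    mac = tokens.pop()                          # SHA, SHA256, SHA384, MD5
    cipher = "-".join(tokens)                   # AES128, DES-CBC3, AES128-GCM
    return {
        "name": name, "kx": kx, "auth": auth, "cipher": cipher, "mac": mac,
        "forward_secrecy": kx in EPHEMERAL_KX,
        "weak": cipher in WEAK_CIPHERS or mac in WEAK_MACS or auth == "NONE",
    }


def review_cipher_list(cipher_list):
    """Evaluate a colon-separated cipher list as the reply above discusses."""
    suites = [parse_suite(n) for n in cipher_list.split(":") if n]
    fs = [s["name"] for s in suites if s["forward_secrecy"]]
    non_fs = [s["name"] for s in suites if not s["forward_secrecy"]]
    return {
        "suites": suites,
        "weak": [s["name"] for s in suites if s["weak"]],
        # Both kinds present: a peer negotiating the weaker common suite
        # ends up without forward secrecy (the downgrade concern).
        "mixed_fs": bool(fs) and bool(non_fs),
        # DHE suites cost the server a modular exponentiation per
        # handshake, which is the DoS lever the reply mentions.
        "dhe_suites": [s["name"] for s in suites if s["kx"] in ("DHE", "EDH")],
    }


if __name__ == "__main__":
    for lst in ("AES128-SHA:AES256-SHA:RC4-SHA",
                "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:EDH-DSS-DES-CBC3-SHA"):
        r = review_cipher_list(lst)
        print(lst, "weak:", r["weak"], "mixed:", r["mixed_fs"], "dhe:", r["dhe_suites"])
```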