[Ach] pls pull, various changes
christian mock
cm at coretec.at
Mon Nov 11 13:25:17 CET 2013
On Mon, Nov 11, 2013 at 12:32:13PM +0100, Adi Kriegisch wrote:
> > regarding the cipher suites for apache (and others) -- AFAICT you need
> > apache 2.4 to support ECDHE (debian stable has 2.2), and maybe you
> > don't trust EC. Without ECDHE, *all* versions of IE are excluded,
> > which should at least be mentioned in the document, and will probably
> > be a no-go in a commercial setting.
> nginx provides ECC in Debian/stable for example.
Shall we go mention this in the paper? Or does that lead down an
endless pit of operating systems/distributions and their
peculiarities?
> Regarding the cipher string you suggested:
>
> tls_high_cipherlist=DHE+AESGCM:ECDHE-ECDSA-AES256-SHA384:\
> ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:\
> ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:\
> DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:!ADH:!AECDH:\
> !MD5:!DSS
I copy&pasted that one from the apache section, just to have a
starting point. But your points are definitely valid.
> I hope we can have a short discussion about how we will recommend cipher
> strings in our paper. As of now, we at least have two different cipher
> strings -- one with ECC and one without. Then there might be a
> recommendation based on 256 vs. 128bit and probably one on using DSA (or
> how to use DSA)...
Definitely. We probably should split defining the cipher list and
using it in the config snippets to make the doc structure more usable.
cm.
--
Christian Mock Wiedner Hauptstr. 15
Senior Security Engineer 1040 Wien
CoreTEC IT Security Solutions GmbH +43-1-5037273
FN 214709 z
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
CoreTEC: Web Application Audit - Damit so etwas nicht passiert!
http://heise.de/-1260559
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
More information about the Ach
mailing list