[Ach] +SSLv3 vs. !SSLv3 in SSLProtocol vs. SSLCipherSuite

L. Aaron Kaplan kaplan at cert.at
Fri Oct 17 14:41:58 CEST 2014


Hi *,

in the spirit of complete transparency in writing our guide, I'll document this here:

after clarifying with a couple of the authors, I reverted my initial way-too-quick commits "no SSLv3 damn it".
Here is a write-up on this topic:

https://bettercrypto.org/
--> "The Poodle killed it"


<quote>
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

If you look at the settings above, you will find that the SSLProtocol disables SSLv3, however the Cipherstring on first sight seems to enable it again. This is however not the case! The abbreviation +SSLv3 in the SSLCipherSuite string simply enables certain cipher combinations. It does not enable SSLv3!

</quote>


Okay, now you all know I was too quick with a commit. Sorry. All reverted, all back to how it was before.
Nevertheless, I believe we need to quickly:

a) make sure that the cipherStringB macro works again (as discussed before. We really *do* want a single place for managing the cipherString); and
b) need to go through the document again and find some old legacy settings which slipped in or are to be considered "legacy" by now.

On a similar note: who of you will be at hack.lu 2014?

Best,
a.


--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Company register number 172568b, LG Salzburg
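The distinction the quoted paragraph makes is easy to get wrong in a config review: `-SSLv3` in `SSLProtocol` is a mod_ssl protocol switch, while `+SSLv3` in `SSLCipherSuite` is an OpenSSL cipher-list operator (per ciphers(1), `+` moves already-selected ciphers matching the keyword to the end of the list and adds nothing). The following is an added example, not code from this thread or from the bettercrypto.org guide: a small audit helper that parses both directives from an Apache snippet and reports the protocol state separately from the cipher-string operator. The `PROTOCOLS` set and the `audit`/`parse_ssl_protocol`/`parse_cipher_string` names are assumptions written for this example; the mod_ssl rule implemented (bare name replaces the set, `+` adds, `-` removes, `all` expands) is my reading of the directive's documented behaviour.

```python
"""Config audit for the SSLProtocol vs. SSLCipherSuite point made in the mail.

Hypothetical helper (written for this example, not part of the ACH guide):
it parses an Apache mod_ssl snippet and reports whether the SSLv3 *protocol*
is enabled, separately from whether the cipher string merely *mentions* the
SSLv3 cipher-list keyword.
"""
import re

# Protocol names mod_ssl understands; assumption for this example, the exact
# set depends on the Apache/OpenSSL build (TLSv1.3 exists on newer builds).
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_ssl_protocol(args):
    """Return the set of protocols an SSLProtocol argument list enables.

    mod_ssl semantics as implemented here: a bare name replaces the set,
    '+name' adds, '-name' removes, and 'all' expands to every known protocol.
    """
    enabled = set()
    for token in args.split():
        action, name = "=", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        names = set(PROTOCOLS) if name.lower() == "all" else {name}
        if not names <= PROTOCOLS:
            raise ValueError("unknown protocol in SSLProtocol: %s" % name)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def parse_cipher_string(cipher_string):
    """Split an OpenSSL cipher string into (operator, keyword) pairs.

    Leading operators per ciphers(1): '!' deletes permanently, '-' deletes
    (keyword may be re-added later), '+' moves the matching ciphers to the end
    of the current list and adds nothing, no prefix adds.  A '+' *inside* a
    keyword (EECDH+aRSA) is a logical AND and is left as part of the keyword.
    """
    entries = []
    for item in cipher_string.strip("'\"").split(":"):
        op = ""
        if item and item[0] in "!-+":
            op, item = item[0], item[1:]
        entries.append((op, item))
    return entries


def audit(config_text):
    """Report protocol state and cipher-string SSLv3 usage for a config snippet."""
    proto = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", config_text, re.M)
    suite = re.search(r"^\s*SSLCipherSuite\s+(.+?)\s*$", config_text, re.M)
    enabled = parse_ssl_protocol(proto.group(1)) if proto else set()
    entries = parse_cipher_string(suite.group(1)) if suite else []
    sslv3_ops = [op for op, kw in entries if kw == "SSLv3"]
    return {
        "protocols_enabled": sorted(enabled),
        "sslv3_protocol_enabled": "SSLv3" in enabled,
        # '+' here means "reorder", not "enable the SSLv3 protocol"
        "cipher_string_sslv3_operator": sslv3_ops[0] if sslv3_ops else None,
    }


# Constructed sample: the two directives quoted in the mail.
SAMPLE_CONFIG = """
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print("%-30s %s" % (key, value))
```

For the quoted configuration the audit reports SSLv3 as disabled at the protocol level and `+` as the operator attached to the `SSLv3` keyword, which is exactly the situation the guide describes. To confirm the cipher-list reading independently, `openssl ciphers -v '<string>'` prints the resulting suite order with each suite's minimum protocol version; the `+SSLv3` term only changes that order, and mod_ssl will never negotiate SSLv3 once `SSLProtocol` excludes it.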



