[Ach] SSL for limited user groups

Hanno Böck hanno at hboeck.de
Thu Jan 1 14:11:51 CET 2015


On Thu, 01 Jan 2015 13:26:15 +0100
"Robert M. Albrecht" <lists at romal.org> wrote:

> SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
> SSLCipherSuite 
> 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:!CAMELLIA128:!AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:'

This doesn't look like a very reasonable config for your setting.

If you have a closed user group and can rely on only high security
settings you likely want to limit your config to ciphers with forward
secrecy and AES-GCM. (and if you're running libressl or some openssl
preview/beta you can add chacha20)

It's pretty much consensus that everything using CBC should be
considered dangerous and we should strive for deprecating it. That
means all Camellia ciphers and all non-gcm-aes-modes.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150101/369bbe4c/attachment.sig>


More information about the Ach mailing list