[Ach] SSL for limited user groups

Robert M. Albrecht lists at romal.org
Thu Jan 1 17:44:32 CET 2015


Hi,

exactly my point, easy to make errors for non-crypto-experts:

SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA !AES128 
-SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

is more reasonable ?

Most tools seems to work, will test Gnome 3 tomorrow.

cu romal


Am 01.01.15 um 14:11 schrieb Hanno Böck:
> On Thu, 01 Jan 2015 13:26:15 +0100
> "Robert M. Albrecht" <lists at romal.org> wrote:
>
>> SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
>> SSLCipherSuite
>> 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:!CAMELLIA128:!AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:'
>
> This doesn't look like a very reasonable config for your setting.
>
> If you have a closed user group and can rely on only high security
> settings you likely want to limit your config to ciphers with forward
> secrecy and AES-GCM. (and if you're running libressl or some openssl
> preview/beta you can add chacha20)
>
> It's pretty much consensus that everything using CBC should be
> considered dangerous and we should strive for deprecating it. That
> means all Camellia ciphers and all non-gcm-aes-modes.
>
>
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>



More information about the Ach mailing list