[Ach] Looks like SSLv3 is enabled for httpd in spec?

Hanno Böck hanno at hboeck.de
Wed Mar 2 15:41:02 CET 2016


On Wed, 2 Mar 2016 15:33:29 +0100
Martin <rc6encrypted at gmail.com> wrote:

> For httpd the spec says
> 
> SSLCipherSuite
> 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'

I'm not exactly sure what the camellia crap is doing there and this
looks fishy and overly complicated to me in many ways, but anyway:

> where it is the :+SSLv3: part that to me looks like it is enabled
> despite the

Welcome to the confusion of TLS. Don't be ashamed, I asked almost the
same question somewhere some years ago, don't remember where.

+SSLv3 enables the cipher suites that are available in SSLv3. The thing
is: these are largely the same as the ones used in later protocol
versions. Therefore that doesn't mean you're supporting SSLv3, it just
means you're supporting the cipher suites that were supported in SSLv3
and are also supported in later versions.


> SSLProtocol All -SSLv2 -SSLv3

This is the right thing to do and will prevent all SSLv2/SSLv3
connections.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
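
Added example, not part of the original message or of the Applied Crypto Hardening spec: a small Python audit that reads the two directives quoted in the thread and reports protocol exposure (SSLProtocol) separately from cipher-string keywords (SSLCipherSuite). The function names, the protocol list and the simplified left-to-right evaluation of SSLProtocol (with "All" modelled without SSLv2) are assumptions made for illustration.

```python
import re

# Assumption: protocol names mod_ssl accepted in 2016; "All" modelled without SSLv2.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {p.lower(): p for p in ALL_PROTOCOLS | {"SSLv2"}}

def enabled_protocols(value):
    """Evaluate an SSLProtocol value left to right (simplified model):
    '+x' adds, '-x' removes, a bare name replaces what came before."""
    enabled = set()
    for token in value.split():
        op = token[0] if token[0] in "+-" else ""
        name = token[len(op):].lower()
        if name == "all":
            group = set(ALL_PROTOCOLS)
        elif name in KNOWN:
            group = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol {token!r}")
        if op == "-":
            enabled -= group
        elif op == "+":
            enabled |= group
        else:
            enabled = group
    return enabled

def sslv3_cipher_tokens(value):
    """Cipher-string entries using the SSLv3 keyword, which selects suites only."""
    entries = re.split(r"[:, ]+", value.strip().strip("'\""))
    return [e for e in entries if "SSLv3" in e.lstrip("+-!").split("+")]

def audit(config_text):
    """Report protocol exposure and cipher keywords as two separate facts."""
    protocols, hits = None, []
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        directive, value = parts[0].lower(), parts[1]
        if directive == "sslprotocol":
            protocols = enabled_protocols(value)
        elif directive == "sslciphersuite":
            hits += sslv3_cipher_tokens(value)
    return {"protocols": protocols, "sslv3_cipher_keyword": hits,
            "sslv3_protocol_enabled": None if protocols is None else "SSLv3" in protocols}

# Constructed sample built from the two directives quoted in the thread.
THREAD_CONFIG = """
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
"""
```

For the thread's configuration the audit finds the `+SSLv3` cipher keyword but reports the SSLv3 protocol as disabled; with `SSLProtocol All -SSLv2` alone the protocol would remain enabled regardless of the cipher string.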