[Ach] Looks like SSLv3 is enabled for httpd in spec?

Pepi Zawodsky pepi.zawodsky at maclemon.at
Thu Mar 3 18:38:52 CET 2016


Hi!

> On 02 Mar 2016, at 14:42, Sebastian <sebix at sebix.at> wrote:
> This enables the cipherstring-group SSLv3, not the protocol.
> On 03/02/2016 03:33 PM, Martin wrote:
>> where it is the :+SSLv3: part that to me looks like it is enabled despite the
>> SSLProtocol All -SSLv2 -SSLv3
>> Can anyone tell me, if :+SSLv3: really should be there?

Since this question has been posted to this mailing list a dozen times now, I guess we should put the corresponding explanation into the ACH guide since the cipher-string-black-magic seems to confuse many people.

I totally agree that this notation is counter-intuitive. Yet, Sebastian is totally right. This enables cipher suites _defined_ in the SSLv3 spec (which are used in TLS 1.0 and above as well) but definitely does not turn on the SSLv3 protocol.

As a matter of fact ACH always recommended to completely turn off SSLv2 and SSLv3 from the very beginning on.


Sidenote:
Cipher-Suite B works fine with HTTP/2, if you want to use Cipher-Suite-A you must change it, since you can end up with a valid TLS 1.2 negotiated cipher suite that is blacklisted by HTTP/2 afterwards. Gives all kinds of weird and really not helpful error messages in browsers. We’re working on updated suites, which is becoming more and more complex with the expanded landscape of TLS libs around.

Best regards
Pepi
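A worked illustration of the point in the reply above, added here as an example and not taken from the thread or the ACH guide: Python's `ssl` module wraps the same OpenSSL cipher-string syntax, so it can show that `SSLv3` inside a cipher string selects a group of suites (the ones OpenSSL tags as defined in the SSLv3 spec, still negotiated over TLS 1.0-1.2), while the protocol floor is set separately and stays untouched. The cipher string below is a constructed, abbreviated stand-in, not ACH's Cipher Suite A or B.

```python
import ssl

# Constructed, abbreviated cipher string in the style the thread discusses:
# the ":+SSLv3" at the end is a suite-group modifier, not a protocol switch.
CIPHER_STRING = ("EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:"
                 "!aNULL:!eNULL:!MD5:+SSLv3")


def build_context(cipher_string=CIPHER_STRING):
    """Rough equivalent of httpd's 'SSLProtocol' plus 'SSLCipherSuite'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol versions are chosen here, independently of the cipher string.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx


def sslv3_protocol_disabled(ctx):
    """True when the SSLv3 *protocol* cannot be negotiated on this context."""
    return bool(ctx.options & ssl.OP_NO_SSLv3) or \
        ctx.minimum_version > ssl.TLSVersion.SSLv3


def suites_by_spec(ctx):
    """Group the enabled TLS<=1.2 suites by the spec version OpenSSL tags them with.

    A 'SSLv3' tag means 'defined in the SSLv3 spec'; those suites are still
    used over TLS 1.0-1.2, which is exactly the confusion in the thread.
    """
    groups = {}
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":  # TLS 1.3 suites are configured separately
            continue
        groups.setdefault(c["protocol"], []).append(c["name"])
    return groups


def sslv3_group_is_last(ctx):
    """'+SSLv3' moves the SSLv3-spec suites to the end of the preference list."""
    tags = [c["protocol"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    if "SSLv3" not in tags:
        return False
    first = tags.index("SSLv3")
    return all(t == "SSLv3" for t in tags[first:])


if __name__ == "__main__":
    ctx = build_context()
    print("SSLv3 protocol disabled:", sslv3_protocol_disabled(ctx))
    for spec, names in suites_by_spec(ctx).items():
        print(f"{spec}: {', '.join(names)}")
```

Passing the bare keyword `SSLv3` as the whole cipher string selects only suites tagged `SSLv3`, yet the context still refuses the SSLv3 protocol, which is the distinction the reply makes.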

