really drop SSLv2

Jim Tarvid tarvid at ls.net
Thu Aug 5 11:17:31 UTC 2010


On Wed, Aug 4, 2010 at 6:05 PM, Kees Cook <kees at ubuntu.com> wrote:

> Hi Jim,
>
> On Wed, Aug 04, 2010 at 09:44:25AM -0400, Jim Tarvid wrote:
> > Why not kill the weak ciphers too?
>
> Sure! Can you send a patch for this?
>
> Thanks!
>
> -Kees
>
>
root at helen:/etc/apache2/mods-available# diff /etc/apache2/mods-available/ssl.conf /root/etc-20091021/apache2/mods-available/ssl.conf
55c55
< SSLCipherSuite HIGH:!ADH
---
> #SSLCipherSuite HIGH:MEDIUM:!ADH
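Review bot: the diff arguments are in new-then-old order (the live /etc/apache2 file first, the /root/etc-20091021 backup second), so in this hunk the `<` line is the change and the `>` line is the previous commented-out default, which reads backwards for anyone used to patches; run `diff` with the backup as the first argument so the hunk reads as old-to-new. On the content, `!ADH` excludes only anonymous DH; `!aNULL` excludes every suite with no server authentication and is the usual spelling in a hardening string. Dropping `MEDIUM` relative to the old default removes the 128-bit RC4 suites, which is the intent here, but `HIGH` still admits 3DES and the CBC/SHA1 suites on the OpenSSL of this era, so add `SSLHonorCipherOrder on` next to this directive so the server rather than the client picks from what remains.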
58c58
< SSLProtocol all -SSLv2
---
> #SSLProtocol all -SSLv2
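Review bot: uncommenting `SSLProtocol all -SSLv2` is the right change, but nothing posted verifies the negative case: the `openssl s_client` run below only shows that TLSv1 is negotiated by default, which the old configuration would also have done, since a client offers its best protocol first. Repeat the check with `openssl s_client -connect secure.grayson-inn.com:443 -ssl2` and confirm the handshake is refused, and consider `all -SSLv2 -SSLv3` as well, given that item 8 in the list already establishes Firefox 3.6.8 speaks TLSv1.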

Many thoughts and caveats.

   1. Old browsers may not be able to negotiate SSLCipherSuite HIGH. I don't
   know and I don't care.
   2. Only the most ancient browsers will not be able to negotiate TLSv1 or
   SSLv3. See #1.
   3. Daniel J Blueman may want NULL (eNULL) instead of NONE.
   4. I have consulted, but not read, much less studied,
   http://www.modssl.org/docs/2.8/
   5. I have consulted, but not read, much less studied,
   http://www.openssl.org/docs/
   6. Patching either belongs upstream, but configuration is fair game. The
   default configuration should be safe, and it is not.
   7. Ubuntu should allow version choices for core server components.
   Patching while retaining version numbers leads to confusion.
   8. Works with Firefox 3.6.8 and Lucid.

root at helen:/etc/apache2/mods-available# openssl s_client -connect secure.grayson-inn.com:443
CONNECTED(00000003)
depth=0 /description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/emailAddress=hostmaster at ls.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/emailAddress=hostmaster at ls.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/emailAddress=hostmaster at ls.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/emailAddress=hostmaster at ls.net
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/emailAddress=hostmaster at ls.net
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2438 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
AE224AAAECB6770D59BCA7460BC189311ABAE88C368D41F45EC5F2300705254C
    Session-ID-ctx:
    Master-Key:
A2F7B4865595E4FE9927D35190C84209AC2C729B159306BA32A67CA8839F0FEBA9FB140943C405C52E5E635B48DE5271
    Key-Arg   : None
    Start Time: 1281005830
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

-- 
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-server/attachments/20100805/a8371167/attachment.html>
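As an added example (mine, not code from this thread, from Ubuntu or from mod_ssl), the following Python expands the three SSLCipherSuite strings in play, the commented-out default `HIGH:MEDIUM:!ADH`, the posted `HIGH:!ADH`, and the `HIGH:!aNULL` variant that excludes every anonymous key exchange rather than only anonymous DH, against whatever OpenSSL the local Python links, and lists which suites each would actually let a server offer, flagging unauthenticated and sub-128-bit ones. mod_ssl hands the string to OpenSSL unchanged, so the alias semantics are the same ones the diff relies on, though the concrete suite lists will differ from a 2010 Lucid box (recent OpenSSL builds have dropped RC4 and moved 3DES out of HIGH). The function names and the `Au=None` test on OpenSSL's description string are my own choices.

```python
import ssl

# Cipher strings from the thread: the Lucid default that was commented out,
# the change Jim posted, and the variant that excludes every anonymous
# key-exchange suite (aNULL) rather than only anonymous DH (ADH).
OLD_DEFAULT = "HIGH:MEDIUM:!ADH"
POSTED = "HIGH:!ADH"
SUGGESTED = "HIGH:!aNULL"


def expand(cipher_string):
    """Suites (dicts from SSLContext.get_ciphers) that a server configured
    with this SSLCipherSuite string would offer for TLS 1.2 and below.

    TLS 1.3 suites are dropped: OpenSSL keeps them in a separate list that the
    classic cipher string does not control, so they would show up identically
    for every string and only add noise to the comparison.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def names(cipher_string):
    """Suite names permitted by the string, in server preference order."""
    return [c["name"] for c in expand(cipher_string)]


def anonymous(cipher_string):
    """Permitted suites with no server authentication (OpenSSL's description
    line prints Au=None for these). A client that accepts one can be MITMed
    without any certificate warning, which is why !ADH is in the Lucid
    default; !aNULL additionally covers anonymous ECDH."""
    return [c["name"] for c in expand(cipher_string)
            if "Au=None" in c["description"]]


def weak(cipher_string, min_bits=128):
    """Permitted suites whose effective key strength is below min_bits."""
    return [c["name"] for c in expand(cipher_string)
            if c["strength_bits"] < min_bits]


def only_in(a, b):
    """Suites permitted by cipher string a but not by cipher string b."""
    return sorted(set(names(a)) - set(names(b)))


def sslv2_compiled_in():
    """True if the linked OpenSSL can still speak SSLv2 at all; on such a
    build `SSLProtocol all -SSLv2` is a live restriction, on any other it is
    a no-op that only documents intent."""
    return bool(getattr(ssl, "HAS_SSLv2", False))


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("SSLv2 compiled in:", sslv2_compiled_in())
    for label, cs in (("old default", OLD_DEFAULT),
                      ("posted", POSTED),
                      ("suggested", SUGGESTED)):
        print(f"\n{label}: SSLCipherSuite {cs}")
        print("  suites offered:", len(expand(cs)))
        print("  unauthenticated:", anonymous(cs) or "none")
        print("  below 128 bits:", weak(cs) or "none")
    print("\nremoved by dropping MEDIUM:",
          only_in(OLD_DEFAULT, POSTED) or "nothing on this build")
    print("removed by !aNULL instead of !ADH:",
          only_in(POSTED, SUGGESTED) or "nothing on this build")
```

Run it on the machine whose OpenSSL Apache actually links (the suite list is a property of that library, not of Apache), and read the two "removed by" lines: the first is what the posted change takes away from the old default, the second is what `!ADH` still leaves open that `!aNULL` would close. Neither replaces a live `openssl s_client -cipher ADH -connect host:443` against the running server, which is the only check that also exercises the vhost that ends up using the directive.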


More information about the ubuntu-server mailing list