really drop SSLv2

Joe McDonagh joseph.e.mcdonagh at gmail.com
Wed Aug 11 00:26:21 UTC 2010


On 08/08/2010 09:34 PM, Jim Tarvid wrote:
> The point is passing Credit Card compliance tests. OOB, Ubuntu doesn't do so
> well. Spent the last two weeks getting through the process. I'll write it up
> in some detail but the key points were:
> 
>    - ciphers
>    - protocols
>    - ip separation
>    - NameVirtualHosts
>    - no default directory paths
>    - modsecurity
>    - TRACE - took rewrite rules to get rid of it
>    - server isolation (smtp, pop, imap, dns, ntp)
>    - utility isolation (phpmyadmin, phpinfo, cacti, webmin)
>    - secure ftp
> 

Jim, I advise you to check out puppet. I can't even begin to explain the
amount of time I have saved by encapsulating all of this in puppet modules.

> 

>>
>> I do not really see the point.  Since the client and the server will
>> negotiate the strongest cipher they both support, what exactly would we
>> gain by removing cipher considered weak?
>>
>>
>> --
>> Etienne Goyer
>> Technical Account Manager - Canonical Ltd
>> Ubuntu Certified Instructor   -    LPIC-3
>>

Etienne: Right, but it's actually for the security of your users. If the
server says no to all weak ciphers, a weak client can't connect. It's
effectively saving your users from shooting themselves in the foot by
getting MitM'd or something. And, as Jim has said, you need it to pass PCI.
-- 
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
Boredom is counter-revolutionary
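For anyone following the thread who wants to see what "the server says no to all weak ciphers" looks like in practice, here is an added example (not from Jim's or Joe's posts, and not an official Ubuntu default) of an Apache mod_ssl vhost with the permissive settings commented out beside the hardened ones. It assumes Apache 2.2 with mod_ssl, as the mentions of NameVirtualHosts and rewrite rules suggest; the hostname, address and certificate paths are placeholders. It goes slightly beyond the subject line by also refusing SSLv3 and RC4, and it replaces the TRACE rewrite rules with the native TraceEnable directive.

```apache
# Added example: mod_ssl vhost hardening. Hostname, address and
# certificate paths are placeholders, not values from the thread.
<VirtualHost 203.0.113.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key

    # Before: every protocol version and a cipher list that still admits
    # SSLv2, export-grade, LOW and RC4 suites. A client that only offers
    # those would get a "successful" but weak connection, which is what
    # the PCI scanner flags.
    #SSLProtocol all
    #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    # After: refuse SSLv2 (and SSLv3) at the protocol level, so a client
    # that cannot do TLS simply fails to connect instead of downgrading.
    SSLProtocol all -SSLv2 -SSLv3

    # Let the server, not the client, pick the order of preference, and
    # exclude anonymous, NULL, export, single DES, RC4 and MD5 suites.
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

    # Disable TRACE natively (Apache 2.0.55 and later) rather than with
    # mod_rewrite rules.
    TraceEnable off
</VirtualHost>
```

After reloading Apache, you can confirm from the server itself that the old protocol is really gone: `openssl s_client -connect shop.example.com:443 -ssl2` (or `-ssl3`) should now fail the handshake, while a plain `openssl s_client -connect shop.example.com:443` still succeeds and reports one of the HIGH-strength suites. Note that Apache does not allow trailing `#` comments on the same line as a directive, which is why each comment sits on its own line.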