Hello Scott,
Thank you for the sh script to regen the tortixd certificates. For reference what do these certificates do/secure, is it the GUI or the connection to your servers?
Thanks
CVE-2014-0160 Heartbleed bug in OpenSSL
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: CVE-2014-0160 Heartbleed bug in OpenSSL
Just the ASL web console.
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
Re: CVE-2014-0160 Heartbleed bug in OpenSSL
Wouldn't it even be more secure to allow only TLS 1.2 in the following setup:mikeshinn wrote:Yep. The ones it doesnt work with are probably OK for most users, but because some sites might want those, we wouldnt want to force this configuration on anyone.your configuration does indeed break compatibility with some older browsers (all on Windows XP, some older Android and Java; nothing too worry about too much)
That configuration forces PFS for browsers that (1) support PFS and (2) if they support the ciphers that apache 2.2 supports that require PFS. If they dont, it will fall back to some very specific non-PFS ciphers when those two conditions are not true, but not all ciphers or protocols and because some of those ciphers are all those older browsers support, and they are BadCiphers(TM) they are disable - and those browsers dont work. This is the best you can do with apache 2.2. If you force PFS for everything, you'll lose a whole bunch of browsers that just dont support with the ciphers apache 2.2 supports.but still does not force PFS for every client.
Code: Select all
SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
Is it possible to control how ASL is overwriting the mod_ssl configuration, so that you can allow users to use their own configuration? Or perhaps even offering your suggestion as a configurable parameter in ASL?
Lemonbit Internet Dedicated Server Management
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: CVE-2014-0160 Heartbleed bug in OpenSSL
Yes, but its not a huge difference. Its moot though, because the el6 apache 2.2 builds dont support 1.2 only. It supports TLS as a group (1.0, 1.1 and 1.2). So you will be enabling 1.2, and the browsers that support it will use it. So for all intensive purposes, you're good to go, but you'll also be enabling 1.0 and 1.1 for the browsers that dont. Which is far more important, because very few browsers support TLS 1.2. Right now, the only ones that do are:Wouldn't it even be more secure to allow only TLS 1.2 in the following setup:
chrome 30+
Mozilla 27+
IE11
Opera 17
Safari 7 (on iOS 5/6/7 and MacOS 10.9 only, the Windows build does not support TLS 1.2)
You can get IE 10-8 to do it, but its disabled by default, and since its likely that if its not turned on the users probably doest know how to turn this on, or even that they should if they cant connect to your TLS enabled web server. So for those users, they might as well not have TLS 1.2 support anyway. If its not enabled by default, they'll get an error and probably not know why.
So in practical terms, even if 2.2 supported it (the el6 builds dont), unless you know your users only use the latest browsers, limiting to just 1.2 would be cutting off quite a few people.
Forcing 1.2 only is not supported in the versions of 2.2 available on el6 platforms. So you cant force it anyway. Its TLS 1.0, 1.1 and 1.2 as a group.(I noticed that httpd-2.2.15-30.el6 refused to start with +TLSv1.2, although the documentation at http://httpd.apache.org/docs/2.2/mod/mo ... slprotocol seems to suggest that it is a valid value.)
Sure, just open a feature request. Right now we just change them to meet PCI requirements, which as you noted gets you an A- and still works with all the browsers out there.Is it possible to control how ASL is overwriting the mod_ssl configuration, so that you can allow users to use their own configuration? Or perhaps even offering your suggestion as a configurable parameter in ASL?
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
Re: CVE-2014-0160 Heartbleed bug in OpenSSL
PCI requirements allow SSLv3 and RC4? Blegh...mikeshinn wrote:Sure, just open a feature request. Right now we just change them to meet PCI requirements, which as you noted gets you an A- and still works with all the browsers out there.
Feature request added via the bug tracker no. 1518.
Lemonbit Internet Dedicated Server Management
Re: CVE-2014-0160 Heartbleed bug in OpenSSL
So I'm curious is SSL3 is safe to turn off. What are the risks of leaving it on? RC4 seems more risky than that.
"Its not a mac. I run linux... I'm actually cool." - scott
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: CVE-2014-0160 Heartbleed bug in OpenSSL
Just compatibility with some older browsers.
We've added a page on this vulnerability:
https://www.atomicorp.com/wiki/index.ph ... -2014-0160
We've added a page on this vulnerability:
https://www.atomicorp.com/wiki/index.ph ... -2014-0160
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone