Mailinglist Archive: opensuse-buildservice (327 mails)
Re: [opensuse-buildservice] OBS is using new login auth proxy
- From: "Jan-Simon Möller" <dl9pf@xxxxxx>
- Date: Tue, 19 Apr 2011 17:05:50 +0200
- Message-id: <201104191705.50558.dl9pf@gmx.de>
On Tuesday, 19 April 2011, 16:35:58, Ludwig Nussel wrote:
--snip--
# SSL protocols
# Supporting TLS only is adequate nowadays
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# We disable weak ciphers by default.
# See the mod_ssl documentation or "openssl ciphers -v" for a
# complete list.
--snip--
Ok, in conjunction with the just posted patch to osc:
--- a/osc/oscssl.py
+++ b/osc/oscssl.py
@@ -153,7 +153,7 @@ class ValidationErrors:
class mySSLContext(SSL.Context):
def __init__(self):
- SSL.Context.__init__(self, 'sslv23')
+ SSL.Context.__init__(self, 'tlsv1')
self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2) # m2crypto does
this for us but better safe than sorry
self.set_session_cache_mode(m2.SSL_SESS_CACHE_CLIENT)
self.verrs = None
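Review bot: swapping 'sslv23' for 'tlsv1' in mySSLContext.__init__ pins osc to exactly TLS 1.0 instead of merely excluding the old SSL versions. M2Crypto maps the method string to the matching OpenSSL *_method: 'sslv23' is the version-flexible method that negotiates the highest version both sides support, 'tlsv1' is the TLSv1-only method, so with this change osc can never use TLS 1.1 or 1.2 against a server that offers them, and the SSL_OP_NO_SSLv2 in set_options below becomes dead weight because a TLSv1-only context never offers SSLv2 anyway. The usual fix is to keep 'sslv23' and add the exclusion as an option, e.g. `self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2 | m2.SSL_OP_NO_SSLv3)` (assuming the M2Crypto build exposes SSL_OP_NO_SSLv3; otherwise pass OpenSSL's numeric value), which keeps newer TLS versions negotiable as the library gains them. The trailing comment should also name which versions are excluded and why; "better safe than sorry" does not document the policy, and SSL_OP_ALL is a bundle of interoperability workarounds rather than a hardening flag, so it deserves a word of its own.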
and the above "-SSLv2 -SSLv3", we lock out old clients!
That's no good. Thus we might have to allow v3 at least for a grace period?
Best,
Jan-Simon
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx
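To make the trade-off in this thread concrete (which clients still connect under "all -SSLv2 -SSLv3" versus a grace-period policy that keeps SSLv3, and what pinning osc to 'tlsv1' costs once the library has newer TLS versions), here is an added Python example. It is not code from osc, M2Crypto or the OBS Apache template. It models mod_ssl's documented SSLProtocol grammar ('all', '+Proto', '-Proto', applied left to right) and the way M2Crypto's SSL.Context maps its method string and SSL_OP_NO_* options onto OpenSSL; the client profiles, including which versions each library build "has", are constructed assumptions, not measurements.

```python
"""Added example (not code from osc, M2Crypto or the OBS Apache template):
model which clients can still connect under a given mod_ssl SSLProtocol
policy, and what a client's method/option choice leaves it able to offer.
The SSLProtocol grammar follows mod_ssl's documented semantics; the
client-side model follows how M2Crypto's SSL.Context maps its method
string to an OpenSSL *_method.  Client profiles below are constructed."""

# Version names newest-last; negotiation picks the highest common member.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
RANK = {v: i for i, v in enumerate(VERSIONS)}

# Accept mod_ssl spellings (case-insensitive) and OpenSSL option suffixes.
NAMES = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1",
         "tlsv1.1": "TLSv1.1", "tlsv1_1": "TLSv1.1",
         "tlsv1.2": "TLSv1.2", "tlsv1_2": "TLSv1.2"}


def canon(name):
    """Map a protocol name in any accepted spelling to its canonical form."""
    try:
        return NAMES[name.lower()]
    except KeyError:
        raise ValueError("unknown protocol name: %r" % name)


def parse_ssl_protocol(directive):
    """Return the set of versions enabled by an SSLProtocol argument.
    Tokens apply left to right: 'all' enables every version, '+X' or 'X'
    enables X, '-X' disables X ('-all' clears)."""
    enabled = set()
    for tok in directive.split():
        if tok.startswith("-"):
            action, name = "-", tok[1:]
        else:
            action, name = "+", tok.lstrip("+")
        targets = set(VERSIONS) if name.lower() == "all" else {canon(name)}
        enabled = enabled - targets if action == "-" else enabled | targets
    return enabled


def client_versions(method, options=(), available=VERSIONS):
    """Versions a client context will offer.  'method' is the string handed
    to M2Crypto's SSL.Context: 'sslv23' is the version-flexible method
    (everything the library has, minus SSL_OP_NO_* exclusions), while a
    version-specific method such as 'tlsv1' offers exactly that version
    and SSL_OP_NO_* options can only narrow it further."""
    if method == "sslv23":
        offered = set(available)
    else:
        offered = {canon(method)} & set(available)
    for opt in options:
        if not opt.startswith("SSL_OP_NO_"):
            raise ValueError("not a protocol option: %r" % opt)
        offered.discard(canon(opt[len("SSL_OP_NO_"):]))
    return offered


def negotiate(server_enabled, client_offered):
    """Highest version both sides accept, or None (handshake failure)."""
    common = server_enabled & client_offered
    return max(common, key=RANK.get) if common else None


def report(directive, clients):
    """Map each client name to the version it would negotiate (or None)."""
    server = parse_ssl_protocol(directive)
    return {name: negotiate(server, offered) for name, offered in clients.items()}


# Constructed client profiles (assumptions, not measurements).
CLIENTS = {
    # osc before the patch, on a library that stops at TLS 1.0
    "osc sslv23 -SSLv2": client_versions(
        "sslv23", ["SSL_OP_NO_SSLv2"], available=["SSLv2", "SSLv3", "TLSv1"]),
    # osc after the patch: pinned to TLS 1.0 even on a library with TLS 1.2
    "osc tlsv1 (pinned)": client_versions("tlsv1", ["SSL_OP_NO_SSLv2"]),
    # alternative fix: flexible method, SSLv2 and SSLv3 excluded by option
    "osc sslv23 -SSLv2 -SSLv3": client_versions(
        "sslv23", ["SSL_OP_NO_SSLv2", "SSL_OP_NO_SSLv3"]),
    # an old client that never learned TLS
    "legacy SSLv3-only": {"SSLv2", "SSLv3"},
}

if __name__ == "__main__":
    for policy in ("all -SSLv2", "all -SSLv2 -SSLv3"):
        print("SSLProtocol", policy)
        for name, result in report(policy, CLIENTS).items():
            print("  %-26s %s" % (name, result or "handshake fails"))
```

Running it side by side shows the two halves of the argument: under "all -SSLv2" the SSLv3-only client still gets SSLv3 while every osc variant lands on TLS, and under "all -SSLv2 -SSLv3" only the legacy client is cut off. The pinned 'tlsv1' client stays on TLS 1.0 under either policy even when the library has TLS 1.2, whereas the flexible method with SSLv3 excluded by option negotiates TLS 1.2.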
Jan-Simon Möller wrote:
On Tuesday, 19 April 2011, 15:59:08, Cristian Rodríguez wrote:
Yes, it is unstable atm, also, it allows SSLv2! Looks like someone
forgot to disable it in the vhost configuration...
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
Something like this should work:
https://build.opensuse.org/package/view_file?file=apache2-vhost-ssl.template&package=apache2&project=Apache
--snip--
# SSL protocols
# Supporting TLS only is adequate nowadays
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# We disable weak ciphers by default.
# See the mod_ssl documentation or "openssl ciphers -v" for a
# complete list.
--snip--
That's more or less cosmetic though. More important (and usually
even more broken) are the clients. Clients need to avoid offering
weak methods and ciphers to avoid MITM.
cu
Ludwig