[opensuse-buildservice] Re: self signed certificates from OBS
El 06/04/11 23:06, Cristian Rodríguez escribió:
Hi:
All buildservice stuff is currently running on self signed certicates that are rejected as unknown issuer.. and the certificate does not say who sign them either.
Is this a temporary problem ? who really signs the certificates and what are the signatures of them ?
Also, the SSL server says the following is supported/used/prefered RSA Public Key: (512 bit) Public-Key: (512 bit) SSLv3 168 bits DES-CBC3-SHA SSLv3 128 bits RC4-SHA SSLv3 128 bits RC4-MD5 Prefered Server Cipher(s): SSLv3 168 bits DES-CBC3-SHA So no cookie ;) I would expect 2048 bit keys, the server prefering SSLv3 256 bits *-AES256-SHA plus providing the other HIGH security ciphers only. Cheers. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
Am Donnerstag, 7. April 2011, 00:20:03 schrieb Cristian Rodríguez:
El 06/04/11 23:06, Cristian Rodríguez escribió:
Hi:
All buildservice stuff is currently running on self signed certicates that are rejected as unknown issuer.. and the certificate does not say who sign them either.
Is this a temporary problem ? who really signs the certificates and what are the signatures of them ?
Also, the SSL server says the following is supported/used/prefered
RSA Public Key: (512 bit) Public-Key: (512 bit)
SSLv3 168 bits DES-CBC3-SHA SSLv3 128 bits RC4-SHA SSLv3 128 bits RC4-MD5 Prefered Server Cipher(s): SSLv3 168 bits DES-CBC3-SHA
So no cookie ;)
I would expect 2048 bit keys, the server prefering SSLv3 256 bits *-AES256-SHA plus providing the other HIGH security ciphers only.
There is definitive a configuration problem, I have reported it to our server provider. (We don't have access ourself to this proxy sending this certificate). bye adrian -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
El 07/04/11 05:03, Adrian Schröter escribió:
I would expect 2048 bit keys, the server prefering SSLv3 256 bits *-AES256-SHA plus providing the other HIGH security ciphers only.
There is definitive a configuration problem, I have reported it to our server provider. (We don't have access ourself to this proxy sending this certificate).
Seems solved now, except for the prefered cipher thing., for apache SSLProtocol -ALL +SSLv3+TLSv1 SSLCipherSuite ALL:!NULL:!aNULL:!eNULL:!ADH:!EXPORT56:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM SSLHonorCipherOrder on ;) -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
Cristian Rodríguez wrote:
El 07/04/11 05:03, Adrian Schröter escribió:
I would expect 2048 bit keys, the server prefering SSLv3 256 bits *-AES256-SHA plus providing the other HIGH security ciphers only.
There is definitive a configuration problem, I have reported it to our server provider. (We don't have access ourself to this proxy sending this certificate).
Seems solved now, except for the prefered cipher thing.,
Unfortunately not ...
for apache
SSLProtocol -ALL +SSLv3+TLSv1
Actually no sane client should support anything less than tlsv1 anymore.
SSLCipherSuite ALL:!NULL:!aNULL:!eNULL:!ADH:!EXPORT56:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
El 07/04/11 09:38, Cristian Rodríguez escribió:
El 07/04/11 05:03, Adrian Schröter escribió:
I would expect 2048 bit keys, the server prefering SSLv3 256 bits *-AES256-SHA plus providing the other HIGH security ciphers only.
There is definitive a configuration problem, I have reported it to our server provider. (We don't have access ourself to this proxy sending this certificate).
Seems solved now, except for the prefered cipher thing.,
for apache
SSLProtocol -ALL +SSLv3+TLSv1
And BTW.. there is no TLS v1.x support there, neither sends HTST [1] headers as expected. :-( [1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
participants (3)
-
Adrian Schröter -
Cristian Rodríguez -
Ludwig Nussel