On 14.08.2013 21:30, Reindl Harald wrote:
> On 14.08.2013 21:19, Robert Schetterer wrote:
>> thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option at my setup lucid ubuntu yet
> so you can practically forget it
> perhaps true forever, as long as old clients are around, cause the server can only work around them

not absolutely

> playing around with the settings below and https://www.ssllabs.com/ssltest/ turned out that the order is what counts, and that is really tricky
> i played around 5 hours with this absolute crap

that sounds good, so you already did many real world tests

> adding !MEDIUM results in being open to a CRIME or BEAST attack because some clients choose a vulnerable cipher, but it would raise up the overall points of the test BUT at the same time perfect forward secrecy for most clients, while with the settings below only for Apple iOS/Safari
> without the -SHA1 also vulnerable to one of the new attacks, sorry, i refused to notice which and tried to achieve the best possible encryption while not falling back to classification B, which is important for security audits

BEAST attack is unlikely in the context of mail

> IMHO this is all bullshit currently *but* if recent clients start to act smarter they can choose the best possible cipher offered from the server and after that you have your compatibility net for old clients - currently this all is a tragedy, but having PRISM/NSA and the latest news about it in mind most likely recent clients will be able to choose a "perfect forward secrecy" capable cipher if offered by the server independent of weaker ones
> the real problem in your case will most likely be that most of the shiny new things in this area will require recent openssl and TLS1.2 (sadly not supported by Mozilla/NSS for now)

i will upgrade openssl and the whole setup as soon as possible, meanwhile looking for the best working tmp solution

> SSLProtocol All -SSLv2 -SSLv3
> SSLCompression Off
> SSLInsecureRenegotiation Off
> SSLHonorCipherOrder On
> SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5

i have a testing setup with newer openssl/dove, i will try your settings with a few clients there, but that will take time, going on vacation soon
Best Regards
MfG
Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
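Two points in the thread can be checked offline: how the posted SSLCipherSuite string actually expands on a given OpenSSL, and why the order only matters when the server enforces it (SSLHonorCipherOrder On). The following is an added example, not code from the thread or from Apache/Dovecot. It feeds the posted cipher string to Python's ssl module (which uses the local OpenSSL) and classifies the resulting suites by key exchange, and it models the server's choice with a small negotiate() function; the client offer lists are constructed for illustration and the negotiation model is a simplification of what a server does, not Apache's code.

```python
"""Added example (not from the mailing-list thread).

1. expand_cipher_string(): expand an OpenSSL cipher string with the local
   OpenSSL and report which TLS <= 1.2 suites give forward secrecy
   (Kx=ECDH or Kx=DH) and which do not (e.g. Kx=RSA).
2. negotiate(): model the server-side choice with and without
   SSLHonorCipherOrder, on constructed client offer lists.
"""
import ssl

# Cipher string exactly as posted in the thread.
POSTED_SPEC = ("EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:"
               "EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5")

PFS_KX = {"ECDH", "DH"}  # ephemeral key exchange => forward secrecy


def kx_of(cipher):
    """Return the Kx= token of an OpenSSL cipher description ('ECDH', 'DH', 'RSA', ...)."""
    for tok in cipher["description"].split():
        if tok.startswith("Kx="):
            return tok[3:]
    return "?"


def expand_cipher_string(spec):
    """Expand `spec` with the local OpenSSL; return (ordered names, pfs names, non-pfs names).

    TLS 1.3 suites are skipped: OpenSSL >= 1.1.1 lists them regardless of the
    cipher string and they are always forward secret. Unknown or unavailable
    names in the string (e.g. RC4 on OpenSSL 3) are simply not expanded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches at all
    suites = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    names = [c["name"] for c in suites]
    pfs = [c["name"] for c in suites if kx_of(c) in PFS_KX]
    non_pfs = [c["name"] for c in suites if kx_of(c) not in PFS_KX]
    return names, pfs, non_pfs


def negotiate(server_order, client_offer, honor_server_order):
    """Suite a server would pick, or None if there is no overlap.

    honor_server_order=True models SSLHonorCipherOrder On: the first suite in
    the server's list that the client also offers wins. False models the
    default, where the client's preference order decides.
    """
    if honor_server_order:
        preferred, pool = server_order, set(client_offer)
    else:
        preferred, pool = client_offer, set(server_order)
    for name in preferred:
        if name in pool:
            return name
    return None


# Constructed offers (suite names only; nothing touches the network).
SERVER_ORDER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384",
                "AES256-SHA", "RC4-SHA"]
OLD_CLIENT = ["AES256-SHA", "RC4-SHA", "DES-CBC3-SHA"]        # no ECDHE/DHE support
LAZY_CLIENT = ["AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]   # supports PFS, prefers RSA


if __name__ == "__main__":
    names, pfs, non_pfs = expand_cipher_string(POSTED_SPEC)
    print(f"{len(names)} TLS<=1.2 suites, {len(pfs)} with forward secrecy")
    print("first suite offered:", names[0])
    print("non-PFS fallbacks still in the list:", ", ".join(non_pfs))
    for label, client in (("old client", OLD_CLIENT), ("lazy client", LAZY_CLIENT)):
        print(f"{label}: honor order -> {negotiate(SERVER_ORDER, client, True)}, "
              f"client order -> {negotiate(SERVER_ORDER, client, False)}")
```

The "lazy client" case is the situation Harald describes: a client that supports an ECDHE suite but lists a plain RSA suite first only ends up with forward secrecy when the server enforces its own order. The old client shows the other half of the thread's point: if a client offers nothing ephemeral, no server-side ordering can help, and the non-PFS suites kept in the list are exactly what it falls back to.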