On Mon, 16 Dec 2013 21:35, d...@fifthhorseman.net said: > Werner, if i can help with configuring or maintaining the web server for > gnupg.org to address some of these issues, please let me know.
Yes, I have problems to figure out a woking cipher list which also allows for IE. What DHE cipher suite may I use with IE given that I have only an RSA certificate. Or should I simply give up on PFS for IE users? The active ciphers are right now: ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 Shalom-Salam, Werner p.s. Attached is I my SSLNoCompression patch for Debian's pound in case someone is interested. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
--- a/config.c 2013-12-17 13:15:09.000000000 +0100 +++ b/config.c 2013-12-17 13:20:16.000000000 +0100 @@ -76,7 +76,7 @@ static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination; static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr; static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale; -static regex_t ClientCert, AddHeader, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11; +static regex_t ClientCert, AddHeader, SSLAllowClientRenegotiation, SSLHonorCipherOrder, SSLNoCompression, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11; static regex_t Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert, Disabled, Threads, CNName; static regmatch_t matches[5]; @@ -1057,6 +1057,14 @@ ssl_op_disable |= SSL_OP_CIPHER_SERVER_PREFERENCE; ssl_op_enable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE; } + } else if(!regexec(&SSLNoCompression, lin, 4, matches, 0)) { + if (atoi(lin + matches[1].rm_so)) { + ssl_op_enable |= SSL_OP_NO_COMPRESSION; + ssl_op_disable &= ~SSL_OP_NO_COMPRESSION; + } else { + ssl_op_disable |= SSL_OP_NO_COMPRESSION; + ssl_op_enable &= ~SSL_OP_NO_COMPRESSION; + } } else if(!regexec(&Ciphers, lin, 4, matches, 0)) { has_other = 1; if(res->ctx == NULL) @@ -1338,6 +1346,8 @@ || regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&SSLAllowClientRenegotiation, "^[ \t]*SSLAllowClientRenegotiation[ \t]+([012])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&SSLHonorCipherOrder, "^[ \t]*SSLHonorCipherOrder[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&SSLNoCompression, "^[ \t]*SSLNoCompression[ \t]+([01])[ \t]*$", + REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) || regcomp(&VerifyList, "^[ \t]*VerifyList[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) @@ -1498,6 +1508,7 @@ regfree(&AddHeader); regfree(&SSLAllowClientRenegotiation); regfree(&SSLHonorCipherOrder); + regfree(&SSLNoCompression); regfree(&Ciphers); regfree(&CAlist); regfree(&VerifyList); --- a/pound.8 2013-12-17 13:19:36.000000000 +0100 +++ b/pound.8 2013-12-17 13:19:40.000000000 +0100 @@ -514,6 +514,14 @@ supported. If the value is 2, insecure renegotiation is supported, with unpatched clients. /fBThis can lead to a DoS and a Man in the Middle attack!/fR Default value is 0. .TP +\fBSSLNoCompression\fR 0|1 +If this value is 1, the server will disable DEFLATE compression even if both server +and client supports it. In case compression is enabled an attacker with access to +encrypted network traffic can conduct a "CRIME" attack by making client issue requests +with specific character sequences and observing whether they got compressed or not, +indicating their presence in part of the request that is not under his control +(e.g. cookie headers). Default value is 0. +.TP \fBCAlist\fR "CAcert_file" Set the list of "trusted" CA's for this server. The CAcert_file is a file containing a sequence of CA certificates (PEM format). The names of the defined CA certificates
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users