On 14.08.2013 21:30, Reindl Harald wrote:
>
>
> On 14.08.2013 21:19, Robert Schetterer wrote:
>>>> thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option
>>>> at my setup lucid ubuntu yet
>>>
>>> so you can practically forget it
>>
>> perhaps true forever, as long old clients are around, cause the server
>> can only workaround them
>
> not absolutely
>
> playing around with the settings below and https://www.ssllabs.com/ssltest/
> turned out that the order is what counts, and that is really tricky
>
> i played around 5 hours with this absolutely crap

that sounds good, so you already did many real world tests

> adding !MEDIUM results in open from CRIME or BEAST attack because
> some clients choose a vulnerable cipher, but it would raise up the
> overall points of the test BUT at the same time perfect forward
> secrecy for most clients while with settings below only
> for Apple iOS/Safari
>
> without the -SHA1 also vulnerable for one of the new attacks
> sorry, i refused to notice what and tried to achieve best possible
> encryption while not fall back to classification B what is important
> for security audits
>
> BEAST attack is unlikely in context mail
>
> IMHO this is all bullshit currently *but* if recent clients start
> to act smarter they can choose the best possible cipher offered
> from the server and after that you have your compatibility net
> for old clients - currently this all is a tragedy, but having
> PRISM/NSA and the latest news about in mind most likely recent
> clients will be able to choose a "perfect forward secrecy"
> capable cipher if offered by the server independent of weaker ones
>
> the real problem in your case will most likely be that most
> of the shiny new things in this area will require recent
> openssl and TLS1.2 (sadly not supported by Mozilla/NSS for now)

i will upgrade openssl and whole setup as soon as possible, meanwhile
looking for best working tmp solution

> ________________________________________________________________________________________________
>
> SSLProtocol All -SSLv2 -SSLv3
> SSLCompression Off
> SSLInsecureRenegotiation Off
> SSLHonorCipherOrder On
> SSLCipherSuite
> EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5

i have a testing setup with newer openssl/dove i will try your settings
with a few clients there, but that will take time going on vacation soon

> Best Regards

Best regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
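To see why "the order is what counts" in the SSLCipherSuite string quoted above, here is an added example (not from this thread or from Apache/OpenSSL) that models OpenSSL's cipher-string rules over a small hand-built cipher table and prints the resulting server preference order. The table is a constructed subset of OpenSSL 1.0.1 cipher names and aliases, and @STRENGTH is not modelled; `openssl ciphers -v '<spec>'` on the real server stays the authoritative check.

```python
# Simplified model of OpenSSL cipher-string evaluation (constructed table,
# not OpenSSL's real list): shows why token order changes the ranking.
CIPHERS = {  # name -> aliases it matches (constructed subset of OpenSSL 1.0.1)
    "ECDHE-RSA-AES256-GCM-SHA384": {"EECDH", "RSA", "AES", "AES256", "AESGCM", "HIGH"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"EECDH", "RSA", "AES", "AES128", "AESGCM", "HIGH"},
    "ECDHE-RSA-AES256-SHA":        {"EECDH", "RSA", "AES", "AES256", "SHA1", "HIGH"},
    "ECDHE-RSA-AES128-SHA":        {"EECDH", "RSA", "AES", "AES128", "SHA1", "HIGH"},
    "DHE-RSA-AES256-SHA":          {"EDH", "RSA", "AES", "AES256", "SHA1", "HIGH"},
    "DHE-RSA-AES128-SHA":          {"EDH", "RSA", "AES", "AES128", "SHA1", "HIGH"},
    "ECDHE-RSA-RC4-SHA":           {"EECDH", "RSA", "RC4", "SHA1", "MEDIUM"},
    "AES256-SHA":                  {"kRSA", "RSA", "AES", "AES256", "SHA1", "HIGH"},
    "AES128-SHA":                  {"kRSA", "RSA", "AES", "AES128", "SHA1", "HIGH"},
    "DES-CBC3-SHA":                {"kRSA", "RSA", "3DES", "SHA1", "HIGH"},
    "RC4-SHA":                     {"kRSA", "RSA", "RC4", "SHA1", "MEDIUM"},
    # EDH also matches anonymous DH in OpenSSL; !aNULL later removes these.
    "ADH-AES256-SHA":              {"EDH", "ADH", "aNULL", "AES", "AES256", "SHA1", "HIGH"},
    "ADH-RC4-MD5":                 {"EDH", "ADH", "aNULL", "RC4", "MD5", "MEDIUM"},
}

# The SSLCipherSuite string from the quoted mail.
SPEC = ("EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:"
        "EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5")


def expand(spec, table=CIPHERS):
    """Server-preferred order for an OpenSSL-style spec. 'A+B' needs both
    aliases; a bare token appends new matches; '-' removes (a later token
    may add them back, lower down); '!' removes for good; '+' moves to end."""
    order, killed = [], set()
    for tok in spec.split(":"):
        op = tok[0] if tok[0] in "!-+" else ""
        want = set(tok[len(op):].split("+"))
        hits = [c for c, tags in table.items() if want <= tags | {c}]
        if op == "":
            order += [c for c in hits if c not in order and c not in killed]
        elif op == "+":
            order = [c for c in order if c not in hits] + [c for c in order if c in hits]
        else:
            order = [c for c in order if c not in hits]
            if op == "!":
                killed |= set(hits)
    return order


def non_pfs(order):
    """Ciphers that survive but lack an ephemeral key exchange (no EECDH/EDH)."""
    return [c for c in order if not CIPHERS[c] & {"EECDH", "EDH"}]
```

In this model `-SHA1` drops the SHA1 AES suites only until `HIGH` re-adds them, so both RC4 suites end up ranked above ECDHE-RSA-AES256-SHA; replacing `-SHA1` with `!SHA1` would instead remove them permanently.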