On Sun, Apr 29, 2012, Mike Hoy wrote: > We use McAfee to scan our website for vulnerabilities. They claim the > following: > > > Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. > > Configure SSL/TLS servers to only support cipher suites that do not use > > block ciphers. Apply patches if available. > > I ran #openssl version and it says we are using OpenSSL 0.9.8e-fips-rhel5 > 01 Jul 2008. > > Do we need to upgrade our OpenSSL to upgrade our TLS/SSL server? Sorry if > the question is way off-base but I am not a system administrator normally. > This is new to me. We use CentOS and #yum install openssl claims it is > already at the higest version. Any suggestions appreciated. >
FYI: this is most likely the BEAST attack it is referring to. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org