Re: [CentOS] POODLE on CentOS

2014-10-17 Thread Leon Fauster
On 16.10.2014 at 23:11 Johnny Hughes joh...@centos.org wrote:
 Please note that the CentOS-6.5 updates are built from:
 
 openssl-1.0.1e-30.el6_5.2.src.rpm
 
 This is the version that Red Hat released for RHEL 6.6 as
 openssl-1.0.1e-30.el6_6.2.src.rpm. Notice that the dist tag is different
 for our release. The reason is that we are currently working on CentOS-6.6
 and it will not be released for several more days. Rather than wait on the
 POODLE issue, the CentOS team decided to build a version of this update
 for 6.5:

Thank you!

--
LF


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] POODLE on CentOS

2014-10-16 Thread Johnny Hughes
The following updates address POODLE on CentOS:

CentOS-5:
http://lists.centos.org/pipermail/centos-announce/2014-October/020696.html

CentOS-6.5:
http://lists.centos.org/pipermail/centos-announce/2014-October/020697.html

CentOS-7:
http://lists.centos.org/pipermail/centos-announce/2014-October/020695.html

Please note that the CentOS-6.5 updates are built from:

openssl-1.0.1e-30.el6_5.2.src.rpm

This is the version that Red Hat released for RHEL 6.6 as 
openssl-1.0.1e-30.el6_6.2.src.rpm.  Notice that the dist tag is different for 
our release.

The reason is that we are currently working on CentOS-6.6 and it will not be 
released for several more days.  Rather than wait on the POODLE issue, the 
CentOS team decided to build a version of this update for 6.5 (the current 
release, built from openssl-1.0.1e-30.el6_5.2.src.rpm) as well as a version 
based on openssl-1.0.1e-30.el6_6.2.src.rpm as a zeroday update for CentOS-6.6 
when it is released.

You must also take action to disable SSLv3 as well as installing these updates 
to mitigate POODLE on CentOS-5, CentOS-6 and/or CentOS-7. Please see this link 
for details:

http://wiki.centos.org/Security/POODLE

Thanks,
Johnny Hughes






[CentOS] POODLE on CentOS

2014-10-16 Thread James B. Byrne
According to the centos wiki:

Validating Changes

You can use Qualys SSL Labs to verify that your web server is no longer
vulnerable to POODLE or TLS_FALLBACK_SCSV once all action is complete. You
might also want to only use TLSv1.2 for httpd on CentOS-6.5 (or higher) and
CentOS-7, while using TLSv1 on CentOS-5.


However, on my up-to-date stock CentOS-6.5 the httpd version is 2.2.15 and
attempts to use SSLProtocols greater than v1 yield this error:


Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.1'


I presume that the wiki is in error but I would like confirmation of that or
instructions on how to enable TLSv1.1 and 1.2 on CentOS-6.5.

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] POODLE on CentOS

2014-10-16 Thread Tharun Kumar Allu
Modifying the Apache configuration to the following should take care of it.
The SSLProtocol directive disables SSLv2 and SSLv3 and leaves the others on.

# Drop SSLv2 and SSLv3; "all" keeps every TLS version this httpd/OpenSSL build knows.
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# SSLCipherSuite takes a single argument, so the list must be colon-separated on one line.
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS



On Thu, Oct 16, 2014 at 7:41 PM, James B. Byrne byrn...@harte-lyne.ca
wrote:

 According to the centos wiki:

 Validating Changes

 You can use Qualys SSL Labs to verify that your web server is no longer
 vulnerable to POODLE or TLS_FALLBACK_SCSV once all action is complete. You
 might also want to only use TLSv1.2 for httpd on CentOS-6.5 (or higher) and
 CentOS-7, while using TLSv1 on CentOS-5.


 However, on my up-to-date stock CentOS-6.5 the httpd version is 2.2.15 and
 attempts to use SSLProtocols greater than v1 yield this error:


 Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
 SSLProtocol: Illegal protocol 'TLSv1.1'


 I presume that the wiki is in error but I would like confirmation of that
 or
 instructions on how to enable TLSv1.1 and 1.2 on CentOS-6.5.





-- 
Tharun Kumar Allu
==


Re: [CentOS] POODLE on CentOS

2014-10-16 Thread Kahlil Hodgson
The following nmap invocation may also be helpful with testing:

nmap --script ssl-enum-ciphers -p 443 hostname

Kahlil (Kal) Hodgson   GPG: C9A02289
Head of Technology (m) +61 (0) 4 2573 0382
DealMax Pty Ltd

Suite 1416
401 Docklands Drive
Docklands VIC 3008 Australia

All parts should go together without forcing.  You must remember that
the parts you are reassembling were disassembled by you.  Therefore,
if you can't get them together again, there must be a reason.  By all
means, do not use a hammer.  -- IBM maintenance manual, 1925


On Fri, Oct 17, 2014 at 3:32 PM, Tharun Kumar Allu
tharun.a...@gmail.com wrote:
 Modifying the Apache configuration to the following should take care of it.
 The SSLProtocol directive disables SSLv2 and SSLv3 and leaves the others on.

 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

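The thread gives two ways to validate the `SSLProtocol all -SSLv2 -SSLv3` change above: Qualys SSL Labs and `nmap --script ssl-enum-ciphers`. The script below is an added example, not code from the CentOS wiki or from anyone in this thread, showing what those tools check at the wire level for both items the wiki names: it hand-builds a ClientHello that advertises only SSLv3 (a server that answers with an SSLv3 ServerHello is still POODLE-exposed) and a TLSv1.0 ClientHello carrying TLS_FALLBACK_SCSV (a server that also speaks TLSv1.1/1.2 and honours RFC 7507 must answer with the inappropriate_fallback alert). The target host/port on the command line is hypothetical, the cipher-suite selection is the author's choice, and the sample server replies at the bottom are constructed bytes, not captures from any real host.

```python
import socket
import struct
import sys

SSLV3 = (3, 0)
TLS10 = (3, 1)
TLS_FALLBACK_SCSV = 0x5600
# CBC suites an SSLv3-capable server is likely to offer: AES128-SHA,
# AES256-SHA, DES-CBC3-SHA. POODLE is a CBC padding-oracle attack, so these
# are exactly the suites whose acceptance under SSLv3 matters.
PROBE_SUITES = [0x002F, 0x0035, 0x000A]
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               86: "inappropriate_fallback"}


def build_client_hello(version, suites, add_scsv=False):
    """Serialise a minimal SSLv3/TLS ClientHello record.

    `version` is the (major, minor) pair placed in both the record header and
    the ClientHello body; `add_scsv` appends TLS_FALLBACK_SCSV (RFC 7507).
    """
    major, minor = version
    cipher_ids = list(suites) + ([TLS_FALLBACK_SCSV] if add_scsv else [])
    ciphers = b"".join(struct.pack("!H", c) for c in cipher_ids)
    body = (
        bytes([major, minor])
        + b"\x00" * 32                            # client_random: fixed, this is only a probe
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", len(ciphers)) + ciphers
        + b"\x01\x00"                             # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 24-bit length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Decode the first record a server sent back.

    Returns ("server_hello", (major, minor)), ("alert", description),
    ("none", None) for an empty reply, or ("unexpected", None).
    """
    if len(data) < 5:
        return ("none", None)
    content_type = data[0]
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # handshake record whose first message is ServerHello (type 2);
        # bytes 9-10 are the version the server selected, not the record version
        return ("server_hello", (data[9], data[10]))
    if content_type == 0x15 and len(data) >= 7:
        return ("alert", data[6])                 # data[5] is the alert level
    return ("unexpected", None)


def interpret_sslv3_probe(response):
    """Verdict for a ClientHello that advertised SSLv3 only."""
    kind, detail = classify_response(response)
    if kind == "server_hello" and detail == SSLV3:
        return "sslv3-accepted"                   # still POODLE-exposed
    if kind == "alert":
        return "sslv3-refused"                    # handshake_failure or protocol_version
    return "sslv3-unclear"                        # dropped connection or odd reply


def interpret_fallback_probe(response):
    """Verdict for a TLSv1.0 ClientHello carrying TLS_FALLBACK_SCSV.

    Only meaningful against a server that also speaks TLSv1.1/1.2: such a
    server must reply with inappropriate_fallback (86). A server whose best
    version really is TLSv1.0 is allowed to continue the handshake.
    """
    kind, detail = classify_response(response)
    if kind == "alert" and detail == 86:
        return "scsv-honoured"
    if kind == "server_hello":
        return "scsv-not-enforced"
    return "scsv-unclear"


def probe(host, port, version, add_scsv=False, timeout=5.0):
    """Send one ClientHello and return whatever the server replied (bytes)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, PROBE_SUITES, add_scsv))
        try:
            return sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return b""                            # some servers just drop SSLv3 clients


# Constructed sample replies (not captured from any real host), usable for
# checking the decoder offline.
SAMPLE_SSLV3_SERVER_HELLO = bytes.fromhex(
    "160300002a" + "02000026" + "0300" + "00" * 32 + "00" + "002f" + "00")
SAMPLE_SSLV3_REFUSED = bytes.fromhex("1503000002" + "0228")   # fatal handshake_failure
SAMPLE_FALLBACK_ALERT = bytes.fromhex("1503010002" + "0256")  # fatal inappropriate_fallback


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # hypothetical target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("SSLv3:", interpret_sslv3_probe(probe(host, port, SSLV3)))
    print("SCSV: ", interpret_fallback_probe(probe(host, port, TLS10, add_scsv=True)))
```

Raw records are used rather than `openssl s_client -ssl3` / `-fallback_scsv` because those switches only work when the local OpenSSL was built with SSLv3 and with the SCSV patch (1.0.1j and later), which a current client box may not have; the web server being tested is what has to speak SSLv3, not the tester. Treat `sslv3-unclear` as "retest", not as a pass: a server that silently closes the connection has refused SSLv3, but so has a firewall in between.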