Re: [gentoo-user] {OT} hardening SSL without rejecting users

2010-04-27 Thread Eray Aslan
On 27.04.2010 05:19, Grant wrote:
> I've been advised to harden my SSL in the following ways:
>
> 1. disable SSL 2.0

Agreed.  There is no need to support SSL 2.0 anymore.

> 2. disable use of SSL ciphers which offer either weak or no encryption

For maximum compatibility, support AES, RC4 and 3DES (and up).  There is
no need to support weaker ciphers.

> 3. disable anonymous SSL ciphers

Correct.  There is no need except in emergencies (actual
interoperability problems with mandatory TLS destinations).  But it
should be the default anyway.

In general, try to
* use a private key that is at least 2048 bits long
* do not offer ciphers below 128 bits
* do not support SSLv2
* do not offer anonymous Diffie-Hellman (ADH)
* generate new keys for each certificate (do not reuse keys)
* support/offer TLS 1.0 and better

-- 
Eray
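An added example, not code from the thread or from Eray: a small Python audit that checks a cipher list against the rules above (no SSLv2 suites, nothing below 128 bits, no anonymous DH/ECDH). The sample cipher list is constructed here; `audit_spec` is an assumed helper that runs the same check on what the local OpenSSL would actually offer for a cipher-spec string.

```python
# Added example (not from the thread): audit a cipher list against the policy in
# Eray's reply: no SSLv2 suites, nothing below 128 bits, no anonymous DH/ECDH.
import ssl
from typing import Dict, List

MIN_STRENGTH_BITS = 128            # "do not offer ciphers below 128 bits"
ANON_MARKERS = ("ADH-", "AECDH-")  # OpenSSL names for anonymous DH / ECDH suites

# Constructed sample in the shape ssl.SSLContext.get_ciphers() returns (only the
# keys this audit reads); it is NOT output from any real server.
SAMPLE_CIPHERS: List[Dict] = [
    {"name": "AES256-SHA",       "protocol": "SSLv3", "strength_bits": 256},
    {"name": "RC4-SHA",          "protocol": "SSLv3", "strength_bits": 128},
    {"name": "DES-CBC3-SHA",     "protocol": "SSLv3", "strength_bits": 168},
    {"name": "DES-CBC-SHA",      "protocol": "SSLv3", "strength_bits": 56},
    {"name": "NULL-MD5",         "protocol": "SSLv3", "strength_bits": 0},
    {"name": "ADH-AES128-SHA",   "protocol": "SSLv3", "strength_bits": 128},
    {"name": "AECDH-AES256-SHA", "protocol": "TLSv1", "strength_bits": 256},
    {"name": "RC4-MD5",          "protocol": "SSLv2", "strength_bits": 128},
]

def reject_reason(cipher: Dict) -> str:
    """Return why a suite violates the policy, or '' if it is acceptable."""
    name = cipher["name"]
    if cipher.get("protocol") == "SSLv2":
        return "SSLv2 suite"
    if any(marker in name for marker in ANON_MARKERS):
        return "anonymous key exchange (no server authentication)"
    if cipher["strength_bits"] < MIN_STRENGTH_BITS:
        return f"only {cipher['strength_bits']}-bit encryption"
    return ""

def audit(ciphers: List[Dict]) -> Dict[str, object]:
    """Split a cipher list into 'allowed' names and 'rejected' name -> reason."""
    allowed, rejected = [], {}
    for cipher in ciphers:
        reason = reject_reason(cipher)
        if reason:
            rejected[cipher["name"]] = reason
        else:
            allowed.append(cipher["name"])
    return {"allowed": allowed, "rejected": rejected}

def audit_spec(spec: str) -> Dict[str, object]:
    """Audit what the local OpenSSL would really offer for an OpenSSL cipher-spec
    string (e.g. the value you put in Apache's SSLCipherSuite)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return audit(ctx.get_ciphers())
```

Run `audit(SAMPLE_CIPHERS)` to see the five sample suites the policy rejects, or `audit_spec("HIGH:!aNULL:!eNULL")` to check a real cipher string before deploying it.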



[gentoo-user] {OT} hardening SSL without rejecting users

2010-04-26 Thread Grant
I've been advised to harden my SSL in the following ways:

1. disable SSL 2.0
2. disable use of SSL ciphers which offer either weak or no encryption
3. disable anonymous SSL ciphers

Will some website users not be able to use https if I do this?

- Grant