Hi everyone,
After reading the posts related to protocols and cipher suites started by Pete last week [1], I wanted to check the settings of the keyservers in the hkps pool using the SSL Server Test from Qualys [2] in order to evaluate the "quality" of the applied settings. Ignoring the "untrusted certificate" warnings, these are the compact results of the test using Qualys' grade system:

A- or better: 23 servers
B: 2 servers
C: 1 server
F: 9 servers

So, of the total of 35 servers (of which 3 aren't currently in the hkps pool due to missing keys), basically 2/3 show secure and robust settings. 5 servers (grades B and C as well as 2 from the F group) have lower standards on different levels, by either not supporting modern protocols like TLS 1.1 & 1.2 and/or allowing weak or even insecure cipher suites. Here, an improvement would be to apply a more secure configuration [3], as e.g. already suggested in the aforementioned thread [1]. In the case of the last remaining 7 servers (= every 5th server), the test showed an exploit opportunity related to CVE-2014-0224 [4], which can be eliminated by simply updating the OpenSSL package on these systems.

As I'm not that deep into the topic, I'm not sure about the impact of this issue on the security of hkps connections. Perhaps someone can give some advice here. Could this be a threat, and should it also be checked before including servers in the hkps pool? In general, is this kind of test useful for finding possibly weak servers in the mentioned pool? Should it be done on a regular basis perhaps, or is it of low relevance?
Greetings,
Matthias

[1] https://lists.nongnu.org/archive/html/sks-devel/2014-08/msg00019.html
[2] https://www.ssllabs.com/ssltest/
[3] https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
[4] https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable