 
Old 07-19-2010, 09:34 PM
Laurent Bigonville
 
Default really drop SSLv2

On Mon, 19 Jul 2010 14:12:15 -0700,
Kees Cook <kees@ubuntu.com> wrote:

> Thoughts?

Shouldn't this be coordinated with Debian?

Cheers

Laurent Bigonville

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 07-20-2010, 06:37 AM
Stephan Hermann
 
Default really drop SSLv2

On Mon, 2010-07-19 at 14:12 -0700, Kees Cook wrote:
> In 2008 there was discussion[1] about disabling SSLv2 in OpenSSL. The
> conclusion seemed favorable for it, and so it was attempted[2] in openssl
> 0.9.8g-10.1ubuntu2 for Intrepid.
>
> Unfortunately, this change seems to have had no effect on the build, and
> SSLv2 has remained available. I would like to propose fixing this for real
> now, and documenting the change in the SSL man pages.
>
> I'd like to point out that even as far back as Dapper, GnuTLS has not
> supported SSLv2; IMO, it is high time to make it go away for OpenSSL too.
>
> The attached debdiff would disallow the use of SSLv2 in any mode without
> wrecking the openssl library ABI.
>

Yes please, make it go away.

People who are configuring mod_ssl with openssl the wrong way, always
have problems when a security audit comes along.

SSLv2 is deprecated and should never be used in any scenario.

Regards,

sh


 
Old 08-04-2010, 01:44 PM
Jim Tarvid
 
Default really drop SSLv2

Why not kill the weak ciphers too?

On Mon, Jul 19, 2010 at 6:09 PM, Eric Peters <eric@linuxsystems.net> wrote:

> Like Scott said make it die! But I guarantee it's going to break something,
> what that something is the question.
>
> Cheers,
> Eric
>
> On Mon, Jul 19, 2010 at 3:06 PM, Kees Cook <kees@ubuntu.com> wrote:
>
>> Hi Laurent,
>>
>> On Mon, Jul 19, 2010 at 11:34:47PM +0200, Laurent Bigonville wrote:
>> > On Mon, 19 Jul 2010 14:12:15 -0700,
>> > Kees Cook <kees@ubuntu.com> wrote:
>> >
>> > > Thoughts?
>> >
>> > Shouldn't this be coordinated with Debian?
>>
>> Yes, if there isn't strong objection in Ubuntu, my next step would be to
>> propose it to Debian as well.
>>
>> -Kees
>>
>> --
>> Kees Cook
>> Ubuntu Security Team


--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net

http://drupal.ls.net



 
Old 08-04-2010, 10:05 PM
Kees Cook
 
Default really drop SSLv2

Hi Jim,

On Wed, Aug 04, 2010 at 09:44:25AM -0400, Jim Tarvid wrote:
> Why not kill the weak ciphers too?

Sure! Can you send a patch for this?

Thanks!

-Kees

>
> On Mon, Jul 19, 2010 at 6:09 PM, Eric Peters <eric@linuxsystems.net> wrote:
>
> > Like Scott said make it die! But I guarantee it's going to break something,
> > what that something is the question.
> >
> > Cheers,
> > Eric
> >
> >
> > On Mon, Jul 19, 2010 at 3:06 PM, Kees Cook <kees@ubuntu.com> wrote:
> >
> >> Hi Laurent,
> >>
> >> On Mon, Jul 19, 2010 at 11:34:47PM +0200, Laurent Bigonville wrote:
> >> > On Mon, 19 Jul 2010 14:12:15 -0700,
> >> > Kees Cook <kees@ubuntu.com> wrote:
> >> >
> >> > > Thoughts?
> >> >
> >> > Shouldn't this be coordinated with Debian?
> >>
> >> Yes, if there isn't strong objection in Ubuntu, my next step would be to
> >> propose it to Debian as well.
> >>
> >> -Kees
> >>
> >> --
> >> Kees Cook
> >> Ubuntu Security Team
> --
> Rev. Jim Tarvid, PCA
> Galax, Virginia
> http://ls.net
> http://drupal.ls.net
--
Kees Cook
Ubuntu Security Team

 
Old 08-05-2010, 09:47 AM
Daniel J Blueman
 
Default really drop SSLv2

On 4 August 2010 23:05, Kees Cook <kees@ubuntu.com> wrote:
> Hi Jim,
>
> On Wed, Aug 04, 2010 at 09:44:25AM -0400, Jim Tarvid wrote:
>> Why not kill the weak ciphers too?
>
> Sure! Can you send a patch for this?

If this is done, please reenable the 'none' cypher, so we can get
decent performance on slow/small systems where security isn't
important (eg on a trusted LAN). I believe Debian disabled this
previously, so I was using arcfour128, which is a 'weak' cipher.

I agree to removing weak ciphers and SSLv2 to ensure people don't get
a false sense of security, or use broken protocols.

Thanks,
Daniel

> Thanks!
>
> -Kees
>
>>
>> On Mon, Jul 19, 2010 at 6:09 PM, Eric Peters <eric@linuxsystems.net> wrote:
>>
>> > Like Scott said make it die! But I guarantee it's going to break something,
>> > what that something is the question.
>> >
>> > Cheers,
>> > Eric
>> >
>> >
>> > On Mon, Jul 19, 2010 at 3:06 PM, Kees Cook <kees@ubuntu.com> wrote:
>> >
>> >> Hi Laurent,
>> >>
>> >> On Mon, Jul 19, 2010 at 11:34:47PM +0200, Laurent Bigonville wrote:
>> >> > On Mon, 19 Jul 2010 14:12:15 -0700,
>> >> > Kees Cook <kees@ubuntu.com> wrote:
>> >> >
>> >> > > Thoughts?
>> >> >
>> >> > Shouldn't this be coordinated with Debian?
>> >>
>> >> Yes, if there isn't strong objection in Ubuntu, my next step would be to
>> >> propose it to Debian as well.
>> >>
>> >> -Kees
--
Daniel J Blueman

 
Old 08-05-2010, 11:17 AM
Jim Tarvid
 
Default really drop SSLv2

On Wed, Aug 4, 2010 at 6:05 PM, Kees Cook <kees@ubuntu.com> wrote:

> Hi Jim,
>
> On Wed, Aug 04, 2010 at 09:44:25AM -0400, Jim Tarvid wrote:
> > Why not kill the weak ciphers too?
>
> Sure! Can you send a patch for this?
>
> Thanks!
>
> -Kees

root@helen:/etc/apache2/mods-available# diff /etc/apache2/mods-available/ssl.conf /root/etc-20091021/apache2/mods-available/ssl.conf

55c55
< SSLCipherSuite HIGH:!ADH
---
> #SSLCipherSuite HIGH:MEDIUM:!ADH
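Review bot: the operands of the `diff` command are reversed (the edited ssl.conf first, the 20091021 backup second), so on line 55 the `<` side is the proposed setting and the `>` side is the old one; regenerate it as `diff -u old new` before sending it as a patch. `HIGH:!ADH` drops MEDIUM as intended, but `!ADH` excludes only anonymous Diffie-Hellman, while `!aNULL` would exclude every unauthenticated suite.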
58c58
< SSLProtocol all -SSLv2
---
> #SSLProtocol all -SSLv2
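Review bot: on line 58, `SSLProtocol all -SSLv2` is a deny-list, so every protocol other than SSLv2 that the linked OpenSSL offers, SSLv3 included, stays enabled; naming the accepted protocols explicitly would make the intent auditable. The old line was commented out, so the change only takes effect on hosts where this file is edited; for a safer shipped default the same change belongs in the packaged ssl.conf.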

Many thoughts and caveats.

1. Old browsers may not be able to negotiate SSLCipherSuite HIGH. I don't know and I don't care
2. Only the most ancient browsers will not be able to negotiate TLSv1 or SSLv3. see #1
3. Daniel J Blueman may want NULL (eNULL) instead of NONE
4. I have consulted but not read much less studied http://www.modssl.org/docs/2.8/
5. I have consulted but not read much less studied http://www.openssl.org/docs/
6. Patching either belongs upstream but configuration is fair game. The default configuration should be safe and it is not
7. Ubuntu should allow version choices for core server components. Patching while retaining version numbers leads to confusion.

works with Firefox 3.6.8 and Lucid

root@helen:/etc/apache2/mods-available# openssl s_client -connect secure.grayson-inn.com:443

CONNECTED(00000003)
depth=0 /description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/emailAddress=hostmaster@ls.net

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/emailAddress=hostmaster@ls.net

verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/emailAddress=hostmaster@ls.net

verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/emailAddress=hostmaster@ls.net
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
subject=/description=200989-N5Z0cD9dfFpX5YO1/C=US/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=secure.grayson-inn.com/emailAddress=hostmaster@ls.net

issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2438 bytes and written 316 bytes

---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: AE224AAAECB6770D59BCA7460BC189311ABAE88C368D41F45E C5F2300705254C
    Session-ID-ctx:
    Master-Key: A2F7B4865595E4FE9927D35190C84209AC2C729B159306BA32 A67CA8839F0FEBA9FB140943C405C52E5E635B48DE5271
    Key-Arg   : None
    Start Time: 1281005830
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net
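
The effect of the two ssl.conf changes in the message above can be checked offline. The following is an added example, not part of the original post or of any Apache or Ubuntu tooling: it works out which protocols and cipher strength classes each side of the diff leaves enabled. The built-in defaults used for a commented-out directive, the meaning of `all`, and the simplified cipher-string grammar are assumptions labelled in the code.

```python
import re

# Assumed mod_ssl built-in defaults for an absent or commented-out directive
# (as documented for Apache 2.2; check the documentation for your version).
DEFAULTS = {"SSLProtocol": "all",
            "SSLCipherSuite": "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}  # assumed meaning of "all" in 2010
STRENGTHS = {"HIGH", "MEDIUM", "LOW", "EXP"}

# Constructed samples: ssl.conf lines 55 and 58 as shown on each side of the diff.
OLD_CONF = "#SSLCipherSuite HIGH:MEDIUM:!ADH\n#SSLProtocol all -SSLv2\n"
NEW_CONF = "SSLCipherSuite HIGH:!ADH\nSSLProtocol all -SSLv2\n"

def effective(conf_text, directive):
    """Last uncommented value of a directive, else the assumed default."""
    value = DEFAULTS[directive]
    for line in conf_text.splitlines():
        m = re.match(r"\s*%s\s+(.+?)\s*$" % directive, line, re.IGNORECASE)
        if m:  # a line starting with '#' never matches
            value = m.group(1)
    return value

def protocols(spec):
    """SSLProtocol semantics: '+X' adds, '-X' removes, a bare name replaces."""
    enabled = set()
    for tok in spec.split():
        name = tok.lstrip("+-")
        chosen = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if tok.startswith("-"):
            enabled -= chosen
        elif tok.startswith("+"):
            enabled |= chosen
        else:
            enabled = chosen
    return enabled

def strengths(spec):
    """Strength classes a cipher string admits (subset of OpenSSL's grammar)."""
    admitted, killed = set(), set()
    for tok in re.split(r"[:, ]+", spec.strip()):
        if tok.startswith("!"):          # permanently excluded
            killed.add(tok[1:])
            admitted.discard(tok[1:])
        elif tok.startswith("-"):        # removed, may be re-added later
            admitted.discard(tok[1:])
        elif tok in ("ALL", "DEFAULT"):
            admitted |= STRENGTHS - killed
        elif tok in STRENGTHS and tok not in killed:
            admitted.add(tok)
        # '+X' only reorders and names like ADH are not strength classes: ignored
    return admitted

def audit(conf_text):
    """Return findings for the effective SSLProtocol and SSLCipherSuite."""
    findings = []
    if "SSLv2" in protocols(effective(conf_text, "SSLProtocol")):
        findings.append("SSLv2 enabled")
    weak = strengths(effective(conf_text, "SSLCipherSuite")) - {"HIGH"}
    if weak:
        findings.append("non-HIGH ciphers admitted: " + ", ".join(sorted(weak)))
    return findings

if __name__ == "__main__":
    print("old:", audit(OLD_CONF))
    print("new:", audit(NEW_CONF))
```

The authoritative list of suites a cipher string selects on a given host comes from `openssl ciphers -v` with that string; the script only classifies the directives.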




 
Old 08-08-2010, 08:38 PM
Daniel J Blueman
 
Default really drop SSLv2

On 5 August 2010 12:17, Jim Tarvid <tarvid@ls.net> wrote:
> On Wed, Aug 4, 2010 at 6:05 PM, Kees Cook <kees@ubuntu.com> wrote:
>>
>> Hi Jim,
>>
>> On Wed, Aug 04, 2010 at 09:44:25AM -0400, Jim Tarvid wrote:
>> > Why not kill the weak ciphers too?
>>
>> Sure! Can you send a patch for this?

> Many thought and caveats.
>
> Old browsers may not be able to negotiate SSLCipherSuite HIGH. I don't know
> and I don't care
> Only the most ancient browsers will not be able to negotiate TLSv1 or SSLv3.
> see #1

> Daniel J Blueman may want NULL (eNULL) instead of NONE

Good info, but no cigar:

$ ssh -o ciphers=NULL x1
command-line line 0: Bad SSH2 cipher spec 'NULL'.

I guess I should select it a different way? 'none' is a valid cipher
when enabled in the configure script.

Thanks,
Daniel
--
Daniel J Blueman

 
Old 08-09-2010, 01:34 AM
Jim Tarvid
 
Default really drop SSLv2

The point is passing Credit Card compliance tests. OOB, Ubuntu doesn't do so well. Spent the last two weeks getting through the process. I'll write it up in some detail but the key points were:

- ciphers
- protocols
- ip separation
- NameVirtualHosts
- no default directory paths
- modsecurity
- TRACE - took rewrite rules to get rid of it
- server isolation (smtp, pop, imap, dns, ntp)
- utility isolation (phpmyadmin, phpinfo, cacti, webmin)
- secure ftp

Now I would like a script to monitor sites and home pages on a daily basis so I can catch PHP issues.

On Thu, Aug 5, 2010 at 10:02 AM, Etienne Goyer <etienne.goyer@canonical.com> wrote:

> On 10-08-04 06:05 PM, Kees Cook wrote:
>> Hi Jim,
>>
>> On Wed, Aug 04, 2010 at 09:44:25AM -0400, Jim Tarvid wrote:
>>> Why not kill the weak ciphers too?
>>
>> Sure! Can you send a patch for this?
>
> I do not really see the point. Since the client and the server will
> negotiate the strongest cipher they both support, what exactly would we
> gain by removing cipher considered weak?
>
> --
> Etienne Goyer
> Technical Account Manager - Canonical Ltd
> Ubuntu Certified Instructor - LPIC-3
>
> ~= Ubuntu: Linux for Human Beings =~
>
> --
> ubuntu-devel mailing list
> ubuntu-devel@lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel


--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net




 
Old 08-09-2010, 03:54 AM
Paul Graydon
 
Default really drop SSLv2

That's strange. I've always been able to disable successfully Trace
and Track through adding the following line to the config file:

TraceEnable off

I'd think I'd be inclined to argue for that being set by default,
but it depends on whether PCI-DSS compliance is valued over RFC
compliance as disabling it makes the Apache httpd setup non-RFC
compliant (HTTP1.1 specification, section 9.8:
http://www.ietf.org/rfc/rfc2616.txt)

Paul



On 8/8/2010 3:34 PM, Jim Tarvid wrote:
> The point is passing Credit Card compliance tests.
> OOB, Ubuntu doesn't do so well. Spent the last two weeks getting
> through the process. I'll write it up in some detail but the key
> points were:
>
> - ciphers
> - protocols
> - ip separation
> - NameVirtualHosts
> - no default directory paths
> - modsecurity
> - TRACE - took rewrite rules to get rid of it
> - server isolation (smtp, pop, imap, dns, ntp)
> - utility isolation (phpmyadmin, phpinfo, cacti, webmin)
> - secure ftp
>
> Now I would like a script to monitor sites and home pages on
> a daily basis so I can catch PHP issues.
>
> On Thu, Aug 5, 2010 at 10:02 AM, Etienne Goyer <etienne.goyer@canonical.com> wrote:
>
> > On 10-08-04 06:05 PM, Kees Cook wrote:
> >> Hi Jim,
> >>
> >> On Wed, Aug 04, 2010 at 09:44:25AM -0400, Jim Tarvid wrote:
> >>> Why not kill the weak ciphers too?
> >>
> >> Sure! Can you send a patch for this?
> >
> > I do not really see the point. Since the client and the server will
> > negotiate the strongest cipher they both support, what exactly would we
> > gain by removing cipher considered weak?
> >
> > --
> > Etienne Goyer
> > Technical Account Manager - Canonical Ltd
> > Ubuntu Certified Instructor - LPIC-3
> >
> > ~= Ubuntu: Linux for Human Beings =~
> >
> > --
> > ubuntu-devel mailing list
> > ubuntu-devel@lists.ubuntu.com
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>
> --
> Rev. Jim Tarvid, PCA
> Galax, Virginia
> http://ls.net
> http://drupal.ls.net

 
Old 08-11-2010, 12:26 AM
Joe McDonagh
 
Default really drop SSLv2

On 08/08/2010 09:34 PM, Jim Tarvid wrote:
> The point is passing Credit Card compliance tests. OOB, Ubuntu doesn't do so
> well. Spent the last two weeks getting through the process. I'll write it up
> in some detail but the key points were:
>
> - ciphers
> - protocols
> - ip separation
> - NameVirtualHosts
> - no default directory paths
> - modsecurity
> - TRACE - took rewrite rules to get rid of it
> - server isolation (smtp, pop, imap, dns, ntp)
> - utility isolation (phpmyadmin, phpinfo, cacti, webmin)
> - secure ftp
>

Jim, I advise you to check out puppet. I can't even begin to explain the
amount of time I have saved by encapsulating all of this in puppet modules.

>

>>
>> I do not really see the point. Since the client and the server will
>> negotiate the strongest cipher they both support, what exactly would we
>> gain by removing cipher considered weak?
>>
>>
>> --
>> Etienne Goyer
>> Technical Account Manager - Canonical Ltd
>> Ubuntu Certified Instructor - LPIC-3
>>

Etienne: Right, but it's actually for the security of your users. If the
server says no to all weak ciphers, a weak client can't connect. It's
effectively saving your users from shooting themselves in the foot by
getting MitM'd or something. And, as Jim has said, you need it to pass PCI.
--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
Boredom is counter-revolutionary

