NethServer distro is installed with the support of weak ciphers

Continuing the discussion from The NethServer server is a winner even if not perfect:

I second this. Recently we had some problems with Amazon S3 servers which are not going to manage correctly the handshake phase with squid. The result is a complete failure, a website needed was not available and showed as a blank page (see here, hoping this evening to have more detailed information to update the bug report).

I came acrosse the same problem with other distros and I agree that disabling SSLv2 and SSLv3 is important and should be done by default since the POODLE vulnerability is a serious threat.
Disabling isn’t that hard. See https://www.centos.org/forums/viewtopic.php?f=17&t=49029

I think we already did it.
Only squid has been left out.
Could you please confirm’ Thanks.

1 Like

Confirm… uh… I only installed a base install in a VM untill now. Need to get used to NS a bit more. If it’s fixed I think you should know… :wink:

1 Like

Also on 6.6?

I hope to confirm this doing some tests this evening.

Maybe 6.6 no longer exists. :smile:
Seriously, the protocol restrictions were introduced by CentOS on 6.7, we try to follow upstream.
Going from 6.6 to 6.7 is a click on a button.
I used Qualys SSL Labs for tests.

I fully understand, but do you know the old adagio “when something works, do not touch it?” :stuck_out_tongue:
Jokes apart, we will test 6.7 but we have a “zero day” on a site using 6.6, which for the moment was worked around (disabling SSL proxying).

Will provide additional information tomorrow :slight_smile:

After instaled show in postfix

When I add

show

And in squid not find default (after instalation) directive “sslproxy_cipher” and “sslproxy_options”

2 Likes