NethServer distro is installed with the support of weak ciphers


(Alessio Fattorini) #1

Continuing the discussion from The NethServer server is a winner even if not perfect:


Template /etc/httpd/conf.d/ssl.conf
(Emiliano Vavassori) #2

I second this. Recently we had some problems with Amazon S3 servers, which are not managing the handshake phase with squid correctly. The result is a complete failure: a website we needed was not available and showed as a blank page (see here, hoping this evening to have more detailed information to update the bug report).


(Rob Bosch) #3

I came across the same problem with other distros and I agree that disabling SSLv2 and SSLv3 is important and should be done by default since the POODLE vulnerability is a serious threat.
Disabling isn’t that hard. See https://www.centos.org/forums/viewtopic.php?f=17&t=49029


(Filippo Carletti) #4

I think we already did it.
Only squid has been left out.
Could you please confirm? Thanks.


(Rob Bosch) #5

Confirm… uh… I only installed a base install in a VM until now. Need to get used to NS a bit more. If it’s fixed I think you should know… :wink:


(Emiliano Vavassori) #6

Also on 6.6?

I hope to confirm this doing some tests this evening.


(Filippo Carletti) #7

Maybe 6.6 no longer exists. :smile:
Seriously, the protocol restrictions were introduced by CentOS in 6.7; we try to follow upstream.
Going from 6.6 to 6.7 is a click on a button.
I used https://www.ssllabs.com/index.html for tests.


(Emiliano Vavassori) #8

I fully understand, but do you know the old adage “when something works, do not touch it”? :stuck_out_tongue:
Jokes apart, we will test 6.7 but we have a “zero day” on a site using 6.6, which for the moment was worked around (disabling SSL proxying).

Will provide additional information tomorrow :slight_smile:


#9

After installation, it shows in postfix

When I add

show

And in squid I do not find by default (after installation) the directives “sslproxy_cipher” and “sslproxy_options”