From owner-freebsd-ports@FreeBSD.ORG Tue Jun 2 01:25:35 2015 Return-Path: Delivered-To: freebsd-ports@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 72C6CF43 for ; Tue, 2 Jun 2015 01:25:35 +0000 (UTC) (envelope-from tundra@tundraware.com) Received: from ozzie.tundraware.com (ozzie.tundraware.com [75.145.138.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "ozzie.tundraware.com", Issuer "ozzie.tundraware.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 20B2617D1 for ; Tue, 2 Jun 2015 01:25:34 +0000 (UTC) (envelope-from tundra@tundraware.com) Received: from [192.168.0.2] (viper.tundraware.com [192.168.0.2]) (authenticated bits=0) by ozzie.tundraware.com (8.14.9/8.14.9) with ESMTP id t521PWko018253 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Mon, 1 Jun 2015 20:25:32 -0500 (CDT) (envelope-from tundra@tundraware.com) Message-ID: <556D060C.3030703@tundraware.com> Date: Mon, 01 Jun 2015 20:25:32 -0500 From: Tim Daneliuk User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: "Matthew D. Fuller" CC: FreeBSD Ports Mailing List Subject: Re: Port Fetch Failing References: <556CEBE2.7030005@tundraware.com> <556CEEB8.2090406@delphij.net> <556CF2B1.30100@tundraware.com> <20150602000954.GF1733@over-yonder.net> In-Reply-To: <20150602000954.GF1733@over-yonder.net> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (ozzie.tundraware.com [75.145.138.73]); Mon, 01 Jun 2015 20:25:32 -0500 (CDT) X-TundraWare-MailScanner-Information: Please contact the ISP for more information X-TundraWare-MailScanner-ID: t521PWko018253 X-TundraWare-MailScanner: Found to be clean X-TundraWare-MailScanner-From: tundra@tundraware.com X-Spam-Status: No X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2015 01:25:35 -0000 On 06/01/2015 07:09 PM, Matthew D. Fuller wrote: > On Mon, Jun 01, 2015 at 07:02:57PM -0500 I heard the voice of > Tim Daneliuk, and lo! it spake thus: >> >> This is what happens when you are: A) In a hurry and B) Paranoid and >> C) Willing to copypasta a config without thought :( >> >> Thanks to you and Chuck, I have a more reasonable (I think): >> >> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:-eNULL:-SSLv3:-SSLv2:TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA256 > > That still looks awful weird. Paranoid, and enabling +LOW? If you're > having to explicitly list ciphers, you're probably on the wrong > path... > > And I suspect the "-SSLv3:-SSLv2" isn't really what you want. You > probably want to disable the _protocols_, not the _ciphers_. e.g., on > a 10.x machine, I have > > SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4 > SSLProtocol All -SSLv2 -SSLv3 With your settings the site scores slighly more poorly than with mine as reported by SSL Labs. I will continue to tinker to find the sweet spot of browser compatibility with best protection. (The +LOW should have been -LOW.) > > (I figure every extra character on the CipherSuite line means either > I'm way smarter, or way dumber. And there's only so much smarter I > can get, so...) > > -- ---------------------------------------------------------------------------- Tim Daneliuk tundra@tundraware.com PGP Key: http://www.tundraware.com/PGP/