From owner-freebsd-security@FreeBSD.ORG Wed May 2 22:02:39 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 67EA7106566C for ; Wed, 2 May 2012 22:02:39 +0000 (UTC) (envelope-from matt@chronos.org.uk) Received: from chronos.org.uk (chronos-pt.tunnel.tserv5.lon1.ipv6.he.net [IPv6:2001:470:1f08:12b::2]) by mx1.freebsd.org (Postfix) with ESMTP id AFF1B8FC15 for ; Wed, 2 May 2012 22:02:37 +0000 (UTC) Received: from workstation1.localnet (workstation1.local.chronos.org.uk [IPv6:2001:470:1f09:12b::20]) (authenticated bits=0) by chronos.org.uk (8.14.5/8.14.5) with ESMTP id q42L1pBU064531 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 2 May 2012 22:01:51 +0100 (BST) (envelope-from matt@chronos.org.uk) X-DKIM: OpenDKIM Filter v2.5.2 chronos.org.uk q42L1pBU064531 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=chronos.org.uk; s=mail; t=1335992511; bh=+hPXcufXjv89oCCtvrnj36EkbcwcBgs5BaWBv9uGbZo=; h=From:To:Subject:Date:References:In-Reply-To; b=hvPGw+Ioo8EHdx0Non4RQK/XRyfYhm5ZMt8ZTGozTZyNpsw6kTYXd+PN6MZo2Tb1h Phepz9uvH4/T2RWomynvlx/sUSplHCkOo3qI5s7dn0rV4CrB1nSA/YK1VBcdW/sq88 tjA8W4XBe23wrrMtssxqCuZCXrSd/0uJdDGifgrU= From: Matt Dawson To: freebsd-security@freebsd.org Date: Wed, 2 May 2012 22:01:49 +0100 User-Agent: KMail/1.13.7 (FreeBSD/9.0-RELEASE; KDE/4.7.4; amd64; ; ) References: <4FA12C1E.3030102@gmail.com> In-Reply-To: <4FA12C1E.3030102@gmail.com> X-Face: -a*{KS?gYyH>pt=1?H+(>B2Z'>b6WxX:^O@+VaMV>l\tOh@[x`#&AHSdl`m<-EEhk=1%t9iRthI|; ~8)mN@qxJ}x5l:zhDO( =?utf-8?q?=2Eas=0A?= NeO!\oL7huHfsoF'I5,0G+Yo[G-G"FG,l`QJ$IgwH/[\a]vRH^'=`; cY+*_{Or` MIME-Version: 1.0 Content-Type: Text/Plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <201205022201.50506.matt@chronos.org.uk> X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (chronos.org.uk [IPv6:2001:470:1f09:12b::1]); Wed, 02 May 2012 22:01:51 +0100 (BST) X-Spam-Status: No, score=-100.0 required=3.0 tests=BAYES_00, DATE_IN_FUTURE_24_48,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,SPF_PASS, T_RP_MATCHES_RCVD,USER_IN_WHITELIST autolearn=no version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on central.local.chronos.org.uk Subject: Re: OpenSSL and Heimdal X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 May 2012 22:02:39 -0000 On Wednesday 02 May 2012 13:44:14 Volodymyr Kostyrko wrote: > And will we ever support TLS v1.[12]? BEAST attack > seems to be not so far from most of us mod_gnutls in ports. Setup is simple for Apache. Prefer the RC4 cipher which secures SSLv3 against BEAST. This setup on my own HTTPS servers passes Qualys' own tests with an A rating of 87 and tells me BEAST is mitigated, although the thing still gives me an error on session resumption which I know damned well works. It's all there for server side in ports. TLSv1.[1|2] is pretty pointless right now as only IE supports it in any meaningful way and even that is disabled OOB. Setting RC4 as the preferred cipher is about the best you can do right now. -- Matt Dawson GW0VNR MTD15-RIPE