Date: Mon, 1 Jun 2015 18:25:14 -0700 (PDT) From: Roger Marquis <marquis@roble.com> To: Tim Daneliuk <tundra@tundraware.com> Cc: FreeBSD Ports Mailing List <freebsd-ports@FreeBSD.ORG> Subject: Re: Port Fetch Failing In-Reply-To: <20150602000954.GF1733@over-yonder.net> References: <556CEBE2.7030005@tundraware.com> <556CEEB8.2090406@delphij.net> <556CF2B1.30100@tundraware.com> <20150602000954.GF1733@over-yonder.net>
| previous in thread | raw e-mail | index | archive | help
>> Thanks to you and Chuck, I have a more reasonable (I think): >> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:-eNULL:-SSLv3:-SSLv2:TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA256 Reasonable depends on the use case. Though this topic would be better discussed on freebsd-security@, the good advice given on <https://wiki.mozilla.org/Security/Server_Side_TLS>, <https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/>; and <https://weakdh.org/sysadmin.html>; tends to recommend: SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLProtocol all -SSLv2 -SSLv3 SSLCompression off SSLHonorCipherOrder on and if you're using httpd 2.3.3 or higher: SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off SSLStaplingCache shmcb:/var/run/ocsp(128000) If you're processing credit cards SSLProtocol will need to be expanded to "-SSLv2 -SSLv3 -TLSv1" by 2016/07 (for PCI compliance) and if you have good reason to be paranoid and all of your clients are up-to-date, add "-TLSv1.1". Roger Marquis
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?>