From owner-freebsd-security@FreeBSD.ORG Fri Oct 14 14:38:58 2005
Date: Fri, 14 Oct 2005 10:38:56 -0400 (EDT)
From: David Coder <dacoder@dcoder.net>
To: Jacques Vidrine
Cc: Peter Jeremy, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
In-Reply-To: <47D785F8-E28E-4753-ABE9-8627107D9038@vidrine.us>
Message-ID: <20051014103322.J825@ns0.dcoder.net>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org>
 <434BCB75.2000402@iang.org>
 <20051012191019.GJ2482@cirb503493.alcatel.com.au>
 <47D785F8-E28E-4753-ABE9-8627107D9038@vidrine.us>

Hi, Jacques,

The mod_ssl how-to explains how to run an SSLv2-only Apache server, but not
SSLv2, but assuming that the httpd.conf syntax is the same I thought I'd
substitute the two lines

    SSLProtocol -all +SSLv3
    SSLCipherSuite SSLv3:+HIGH:+MEDIUM:+LOW:+EXP

for the line

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

in that file.

Any idea whether this is correct? Thx. Hope you're well!

David

On Thu, 13 Oct 2005, Jacques Vidrine wrote:

:Date: Thu, 13 Oct 2005 13:44:28 -0700
:From: Jacques Vidrine
:To: Peter Jeremy
:Cc: freebsd-security@freebsd.org
:Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
:
:On 2005-10-12, at 12:10:19, Peter Jeremy wrote:
:
:> On Tue, 2005-Oct-11 09:45:53 -0700, Jacques Vidrine wrote:
:> > On Oct 11, 2005, at 7:25 AM, Ian G wrote:
:> > > Isn't the workaround obviously to switch off V2?
:> >
:> > Yes. Sorry that wasn't mentioned.
:>
:> That sounds like a good workaround. How do I implement it? I've
:> looked through the documentation and can't find any reference to a
:> runtime OpenSSL configuration file that would let me do this.
:
:I'm not aware of a global option for OpenSSL, either. Disabling SSLv2 would
:need to be handled by the application, i.e. turn off SSLv2 for each of your
:SSL/TLS applications.
:
:Cheers,
:--
:Jacques Vidrine
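Jacques's point above is that there is no OpenSSL-wide switch, so SSLv2 has to be turned off in each application; for Apache that is the SSLProtocol directive David is asking about. The following is an added example, not code from the thread or from the mod_ssl project: a small checker that evaluates every SSLProtocol directive in an httpd.conf the way the classic mod_ssl argument parser does (as I understand it: the set starts empty, a bare protocol name replaces the set, "+name" adds, "-name" removes, "all" expands to every protocol, and a vhost without its own directive inherits the global one), then reports every scope in which SSLv2 would still be negotiated. The sample configuration, the host names and addresses, and the function names are all constructed for this example.

```python
"""Audit mod_ssl SSLProtocol directives in an httpd.conf for a still-enabled SSLv2.

Added example, not code from the thread. It models the classic (Apache 2.0/2.2)
mod_ssl argument parser as I understand it: the set starts empty, a bare name
replaces the set, '+name' adds, '-name' removes, and 'all' is every protocol.
Only the three protocols mod_ssl knew in 2005 are modelled.
"""
import re

ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}  # names are case-insensitive


def parse_sslprotocol(args):
    """Return the frozenset of protocols one SSLProtocol argument list enables."""
    enabled = set()
    for token in args.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        key = name.lower()
        if key == "all":
            chosen = set(ALL_PROTOCOLS)
        elif key in CANONICAL:
            chosen = {CANONICAL[key]}
        else:
            raise ValueError("SSLProtocol: illegal protocol %r" % name)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # bare name replaces whatever came before it
    return frozenset(enabled)


VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(conf_text):
    """Map '_global' and every <VirtualHost> label to its effective protocol set.

    Assumed merge rule: a vhost without its own SSLProtocol inherits the
    global directive, and with no directive anywhere the default is 'all'.
    """
    global_set = ALL_PROTOCOLS          # mod_ssl default when nothing is set
    vhosts = {}                         # label -> own set, or None to inherit
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments start the line
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = m.group(1).strip()
            vhosts[current] = None
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        m = DIRECTIVE.match(line)
        if m:
            protos = parse_sslprotocol(m.group(1))
            if current is None:
                global_set = protos
            else:
                vhosts[current] = protos
    result = {"_global": global_set}
    for label, own in vhosts.items():
        result[label] = own if own is not None else global_set
    return result


def sslv2_enabled_scopes(conf_text):
    """Sorted labels of every scope that would still negotiate SSLv2."""
    return sorted(label for label, protos in effective_protocols(conf_text).items()
                  if "SSLv2" in protos)


# Constructed sample configuration; the hosts and addresses are not real.
SAMPLE_CONF = """\
# global server: SSLv2 removed from the default set
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

<VirtualHost 192.0.2.10:443>
    ServerName strict.example.test
    SSLProtocol -all +SSLv3
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName inherits.example.test
</VirtualHost>

<VirtualHost 192.0.2.12:443>
    ServerName forgotten.example.test
    SSLProtocol all
</VirtualHost>
"""

if __name__ == "__main__":
    for label, protos in sorted(effective_protocols(SAMPLE_CONF).items()):
        print("%-18s %s" % (label, " ".join(sorted(protos))))
    print("SSLv2 still enabled in:", sslv2_enabled_scopes(SAMPLE_CONF))
```

Two things the checker is built to surface: a vhost that re-states `SSLProtocol all` silently undoes the global `-SSLv2`, and, under the bare-name-replaces rule modelled here, `SSLProtocol SSLv3 TLSv1` leaves only TLSv1 enabled, which is why the `-all +SSLv3` form David proposes is the unambiguous way to express a single protocol. The checker deliberately ignores SSLCipherSuite: the `SSLv2` keyword in a cipher string selects cipher suites, whereas which protocol versions the server will negotiate is governed by SSLProtocol.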