[CentOS] POODLE on CentOS

Fri Oct 17 04:56:16 UTC 2014
Kahlil Hodgson <kahlil.hodgson at dealmax.com.au>

The following nmap invocation may also be helpful with testing:

nmap --script ssl-enum-ciphers -p 443 hostname

Kahlil (Kal) Hodgson                       GPG: C9A02289
Head of Technology                         (m) +61 (0) 4 2573 0382
DealMax Pty Ltd

Suite 1416
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing.  You must remember that
the parts you are reassembling were disassembled by you.  Therefore,
if you can't get them together again, there must be a reason.  By all
means, do not use a hammer."  -- IBM maintenance manual, 1925
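An added example, not part of the post, showing how the output of the nmap invocation above can be checked automatically once it has been saved to a file. The nmap report embedded below is constructed to resemble the `ssl-enum-ciphers` output format and is not a capture from a real host; the regular expressions assume that format.

```python
"""
Parse the text output of `nmap --script ssl-enum-ciphers -p 443 hostname`
and report which protocol versions the server offered, flagging SSLv3
(the version POODLE relies on) if it is still present.
"""
import re

# Constructed sample in the shape of nmap's ssl-enum-ciphers report
# (not a real scan result).
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# A protocol heading sits at indent 3 inside the script block, e.g. "|   SSLv3:"
PROTO_LINE = re.compile(r"^\|\s{3}(SSLv2|SSLv3|TLSv1(?:\.\d)?):\s*$")
# A cipher line looks like "|       TLS_RSA_WITH_RC4_128_SHA - strong"
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s*(?:-\s*\w+)?\s*$")


def offered_protocols(nmap_output):
    """Map each protocol version nmap listed to the cipher suites under it."""
    found = {}
    current = None
    for line in nmap_output.splitlines():
        m = PROTO_LINE.match(line)
        if m:
            current = m.group(1)
            found[current] = []
            continue
        m = CIPHER_LINE.match(line)
        if m and current is not None:
            found[current].append(m.group(1))
    return found


def poodle_findings(nmap_output):
    """Return a list of findings; an empty list means SSLv2/SSLv3 are off."""
    protos = offered_protocols(nmap_output)
    findings = []
    if "SSLv3" in protos:
        findings.append("SSLv3 still offered (%d cipher suites): POODLE exposure"
                        % len(protos["SSLv3"]))
    if "SSLv2" in protos:
        findings.append("SSLv2 still offered")
    return findings


if __name__ == "__main__":
    # Typical use: nmap --script ssl-enum-ciphers -p 443 hostname > scan.txt
    #              python3 check_scan.py < scan.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NMAP_OUTPUT
    for proto, ciphers in sorted(offered_protocols(text).items()):
        print("%-8s %d cipher suite(s)" % (proto, len(ciphers)))
    for finding in poodle_findings(text):
        print("WARNING:", finding)
```

The script only recognises the indentation and naming conventions shown in the sample; a different nmap release may print the protocol headings slightly differently, so check one real report by eye before relying on it.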


On Fri, Oct 17, 2014 at 3:32 PM, Tharun Kumar Allu
<tharun.allu at gmail.com> wrote:
> Modifying apache configuration to the following should take care of it.
> The SSLProtocol directive disables SSLv2 and SSLv3 and leaves the others on.
>
> SSLProtocol all -SSLv2 -SSLv3
> SSLHonorCipherOrder on
> SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
> EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH
> EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
>
>
>
> On Thu, Oct 16, 2014 at 7:41 PM, James B. Byrne <byrnejb at harte-lyne.ca>
> wrote:
>
>> According to the centos wiki:
>>
>> Validating Changes
>>
>> You can use Qualys SSL Labs to verify that your web server is no longer
>> vulnerable to POODLE or TLS_FALLBACK_SCSV once all action is complete. You
>> might also want to only use TLSv1.2 for httpd on CentOS-6.5 (or higher) and
>> CentOS-7, while using TLSv1 on CentOS-5.
>>
>>
>> However, on my up-to-date stock CentOS-6.5 the httpd version is 2.2.15 and
>> attempts to use SSLProtocols greater than v1 yield this error:
>>
>>
>> Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
>> SSLProtocol: Illegal protocol 'TLSv1.1'
>>
>>
>> I presume that the wiki is in error but I would like confirmation of that
>> or instructions on how to enable TLSv1.1 and 1.2 on CentOS-6.5.
>>
>> --
>> ***          E-Mail is NOT a SECURE channel          ***
>> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
>> Harte & Lyne Limited          http://www.harte-lyne.ca
>> 9 Brockley Drive              vox: +1 905 561 1241
>> Hamilton, Ontario             fax: +1 905 561 0757
>> Canada  L8E 3C3
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>
>
>
> --
> Tharun Kumar Allu
> ==============
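An added example, not from any of the posts above, that evaluates an Apache `SSLProtocol` argument the way mod_ssl parses it: tokens are whitespace separated, `+` adds a version, `-` removes one, a bare token replaces whatever was built so far, and a name the build does not know is rejected with the same "Illegal protocol" message that appears in the thread. The two "build" sets are an assumption for illustration: `LEGACY_BUILD` models a build that only knows SSLv2/SSLv3/TLSv1, which is the behaviour the error in the thread suggests; `MODERN_BUILD` models one that also accepts TLSv1.1 and TLSv1.2.

```python
"""
Model Apache mod_ssl's SSLProtocol parsing so a config line can be checked
before reloading httpd: which versions end up enabled, and in particular
whether SSLv3 (the version POODLE depends on) is still among them.
"""

# Which protocol names a given httpd build accepts is an assumption used
# for illustration; the real set depends on the httpd/OpenSSL versions.
LEGACY_BUILD = {"SSLv2", "SSLv3", "TLSv1"}
MODERN_BUILD = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


class SSLProtocolError(ValueError):
    """A token the build does not know, mirroring httpd's syntax error."""


def parse_ssl_protocol(directive, known=MODERN_BUILD):
    """Return the set of protocol versions enabled by an SSLProtocol argument."""
    # mod_ssl matches names case-insensitively; keep the canonical spelling
    lookup = {name.lower(): name for name in known}
    enabled = set()
    for token in directive.split():
        action = None
        if token[0] in "+-":
            action, token = token[0], token[1:]
        if token.lower() == "all":
            this = set(known)
        elif token.lower() in lookup:
            this = {lookup[token.lower()]}
        else:
            raise SSLProtocolError("SSLProtocol: Illegal protocol '%s'" % token)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this  # a bare token overrides what came before it
    return enabled


def poodle_exposed(directive, known=MODERN_BUILD):
    """True if the directive still leaves SSLv3 switched on."""
    return "SSLv3" in parse_ssl_protocol(directive, known)


if __name__ == "__main__":
    fixed = "all -SSLv2 -SSLv3"  # the line suggested in the thread
    print(sorted(parse_ssl_protocol(fixed)))
    print("exposed with 'all':", poodle_exposed("all"))
    print("exposed with fix :", poodle_exposed(fixed))
    # A build that only knows SSLv2/SSLv3/TLSv1 rejects TLSv1.1, as in the thread
    try:
        parse_ssl_protocol("TLSv1.1 TLSv1.2", known=LEGACY_BUILD)
    except SSLProtocolError as err:
        print(err)
```

Note that on the legacy build `all -SSLv2 -SSLv3` leaves only TLSv1 enabled, which is still a POODLE fix; the external checks mentioned earlier in the thread (SSL Labs, the nmap script) are what confirm that the running server actually stopped offering SSLv3.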