[CentOS] POODLE on CentOS
Tharun Kumar Allu
tharun.allu at gmail.com
Fri Oct 17 04:32:42 UTC 2014
Modifying the Apache configuration to the following should take care of it.
The SSLProtocol directive disables SSLv2 and SSLv3 and leaves the others on.
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
On Thu, Oct 16, 2014 at 7:41 PM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> According to the centos wiki:
>
> Validating Changes
>
> You can use Qualys SSL Labs to verify that your web server is no longer
> vulnerable to POODLE or TLS_FALLBACK_SCSV once all action is complete. You
> might also want to only use TLSv1.2 for httpd on CentOS-6.5 (or higher) and
> CentOS-7, while using TLSv1 on CentOS-5.
>
>
> However, on my up-to-date stock CentOS-6.5 the httpd version is 2.2.15 and
> attempts to use SSLProtocols greater than v1 yield this error:
>
>
> Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
> SSLProtocol: Illegal protocol 'TLSv1.1'
>
>
> I presume that the wiki is in error but I would like confirmation of that or
> instructions on how to enable TLSv1.1 and 1.2 on CentOS-6.5.
>
> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited http://www.harte-lyne.ca
> 9 Brockley Drive vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
--
Tharun Kumar Allu
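As an added example (not part of the thread, and not httpd's own code), here is a small Python model of how mod_ssl parses the SSLProtocol directive, so a config like the one above can be checked for leftover SSLv3 before httpd is reloaded. The token semantics (+ adds, - removes, a bare token replaces the set, "all" expands to every protocol the build knows, anything else is rejected with httpd's "Illegal protocol" wording) follow my reading of mod_ssl's parser; the two protocol tables are assumptions standing in for a build with and without TLSv1.1/TLSv1.2 support, and the two config snippets are constructed for the example.

```python
"""Model of mod_ssl's SSLProtocol parsing, used to check an httpd
config for POODLE exposure (SSLv3 still enabled).  Added example,
not httpd code; the parsing rules are my reading of mod_ssl."""

import re

# Assumed protocol tables.  A build without TLSv1.1/TLSv1.2 support
# rejects those tokens outright, which is the
# "SSLProtocol: Illegal protocol 'TLSv1.1'" error quoted in the thread.
MODERN_TOKENS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY_TOKENS = ("SSLv2", "SSLv3", "TLSv1")


def parse_sslprotocol(value, known=MODERN_TOKENS):
    """Return the set of protocols enabled by an SSLProtocol value.

    '+tok' adds a protocol, '-tok' removes it, a bare 'tok' replaces
    the whole set, and 'all' stands for every protocol in `known`.
    Unknown tokens raise ValueError with httpd's wording.
    """
    lookup = {name.lower(): name for name in known}
    enabled = set()
    for word in value.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        if word.lower() == "all":
            this = set(known)
        elif word.lower() in lookup:
            this = {lookup[word.lower()]}
        else:
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % word)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this  # bare token overrides what came before
    return enabled


def sslprotocol_from_config(text):
    """Pick the last uncommented SSLProtocol directive out of a config
    fragment; an absent directive means mod_ssl's default of 'all'."""
    found = re.findall(r"^\s*SSLProtocol\s+(.+?)\s*$", text, re.M | re.I)
    return found[-1] if found else "all"


def poodle_exposed(text, known=MODERN_TOKENS):
    """True when the config still lets clients negotiate SSLv3."""
    return "SSLv3" in parse_sslprotocol(sslprotocol_from_config(text), known)


# Constructed sample configs: the "before" resembles a stock ssl.conf
# that only turns off SSLv2; the "after" is the directive from the thread.
STOCK_CONF = """
<VirtualHost _default_:443>
#SSLProtocol all
SSLProtocol all -SSLv2
SSLEngine on
</VirtualHost>
"""

FIXED_CONF = """
<VirtualHost _default_:443>
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLEngine on
</VirtualHost>
"""


if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("fixed", FIXED_CONF)):
        for build, table in (("modern", MODERN_TOKENS), ("legacy", LEGACY_TOKENS)):
            enabled = parse_sslprotocol(sslprotocol_from_config(conf), table)
            print("%s/%s: enabled=%s exposed=%s"
                  % (label, build, sorted(enabled), poodle_exposed(conf, table)))
    try:
        parse_sslprotocol("TLSv1.1 TLSv1.2", LEGACY_TOKENS)
    except ValueError as err:
        print("legacy build rejects the directive:", err)
```

Run it against your own ssl.conf by reading the file into `poodle_exposed`; on a build that only knows SSLv2/SSLv3/TLSv1, "all -SSLv2 -SSLv3" leaves just TLSv1, which is the situation the wiki text describes for older httpd, and naming TLSv1.1 or TLSv1.2 there fails the same way httpd does.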