[CentOS] POODLE and TLSv1
Leon Fauster
leonfauster at googlemail.com
Fri Oct 17 18:00:53 UTC 2014
Am 17.10.2014 um 19:38 schrieb Thomas Eriksson <thomas.eriksson at slac.stanford.edu>:
> On 10/17/2014 09:53 AM, James B. Byrne wrote:
>>
>> I read this on the RHN commentary respecting cve-2014-3566:
>>
>>
>> https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/:
>>
> ...
>>
>> If read the advisory aright then TLSv1.0 suffers from exactly the same flaw as
>> SSLv3. So, how do I configure apache-2.2.15 to deny TLSv1.0 and keep service
>> TLSv1.1+?
>>
>>
>
> The same advisory recommends to use this config for 7 and 6.6 upwards
>
> SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
>
> I guess you could try changing that to
>
> SSLProtocol -All +TLSv1.1 +TLSv1.2
>
> Don't know what you might break on the client side...
if that (TLSv1.0 also vulnerable) is true then EL5 has
no mitigation right now. TLSv{1.1,1.2} support is only
in EL6 (>=6.5).
--
LF
More information about the CentOS
mailing list