SSL vulnarable for BEAST

ñull · 6. November 2012

I came accross this https://www.ssllabs.com/ssltest/index.html and tested a LiveConfig site with it. Apparently some SSL configuration is missing making it vulnarable for the "BEAST" attacks. To mitigate this I applied the changes in the configuration manually but I think LiveConfig should do that for us by default:

Code

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

The other vulnerability called SCREAM is fixed client side, since there are a number of Apache releases that do not support server side disabling of SSL compression yet. After backports are released the SSL compression should be off by default.

kk · 6. November 2012

Hi,

this is a very good point, thank you.
We improved SSL security for LiveConfig itself at short notice today (see issue #42) and will add the required configuration options for Apache/NGINX the next 2-3 days.

Best regards,

Klaus Keppler

ñull · 7. November 2012

Fast response!

Do you allow entering features and bug reports directly in Redmine?

SSL vulnarable for BEAST

Jetzt mitmachen!

Benutzer online in diesem Thema