Search found 6 matches

by kafkaah
2015/07/27 06:59:26
Forum: CentOS 7 - Software Support
Topic: Apache 2.4.6: SSLProtocol bug and Poodle
Replies: 7
Views: 4973

Re: Apache 2.4.6: SSLProtocol bug and Poodle

Thanks much for your support. It seems Apache would not honor any SSLCipherSuite or SSLProtocol directives within any VirtualHost context. Since, lucky enough, these directives have a common definition for all our VirtualHosts, we simply put them in the general conf file httpd.conf, where they were ...

by kafkaah
2015/07/24 03:54:27
Forum: CentOS 7 - Software Support
Topic: Apache 2.4.6: SSLProtocol bug and Poodle
Replies: 7
Views: 4973

Re: Apache 2.4.6: SSLProtocol bug and Poodle

Hi, Many, many thanks for that test installation. I would only have wished you also had that problem :D . What you did is basically what we did, step by step. Seems like all the SSL directives are ignored... Not only SSLProtocol but SSLCipherSuite also. So weird. I'm in touch with the Apache committ...

by kafkaah
2015/07/23 08:30:39
Forum: CentOS 7 - Software Support
Topic: Apache 2.4.6: SSLProtocol bug and Poodle
Replies: 7
Views: 4973

Re: Apache 2.4.6: SSLProtocol bug and Poodle

Hi, Yes, the server was tested - as a matter of fact at the URL provided - with configuration: SSLProtocol All -SSLv2 -SSLv3 without success. The protocol is still on and the Poodle vuln. is detected. Seems like the directive is totally ignored. I agree that the bug seems not to be directly related,...

by kafkaah
2015/07/22 23:17:55
Forum: CentOS 7 - Software Support
Topic: Apache 2.4.6: SSLProtocol bug and Poodle
Replies: 7
Views: 4973

Apache 2.4.6: SSLProtocol bug and Poodle

Hi, Just been informed that there is a bug in the current Apache 2.4 version of CentOS 7: https://bz.apache.org/bugzilla/show_bug.cgi?id=57100 This bug prevents removing the SSL protocol SSLv3 (the one targeted by Poodle). Basically, the "All" keyword is ignored in: SSLProtocol All -SSLv2 -SSLv3 or ...

by kafkaah
2015/04/20 10:54:04
Forum: CentOS 6 - Security Support
Topic: TLS_FALLBACK_SCSV and OpenSSL
Replies: 2
Views: 2255

Re: TLS_FALLBACK_SCSV and OpenSSL

Many thanks... You are right...

mod_spdy is the culprit... its implementation of mod_ssl does not provide TLS_FALLBACK_SCSV... Totally forgotten about the patch...

Best regards :D

by kafkaah
2015/04/20 00:20:31
Forum: CentOS 6 - Security Support
Topic: TLS_FALLBACK_SCSV and OpenSSL
Replies: 2
Views: 2255

TLS_FALLBACK_SCSV and OpenSSL

Hi, According to the info I found, TLS_FALLBACK_SCSV is provided since openssl-1.0.1e-30, and should therefore prevent any openssl fallback exploit. For some reason, even though the correct version of OpenSSL is installed (openssl-1.0.1e-30.el6.8.x86_64), and Apache is properly configured and was re...
