  1. #1
    Experienced user
    Registered since
    09.07.2012
    Location
    Spain
    Posts
    273

    SSL vulnerable to BEAST

    I came across this https://www.ssllabs.com/ssltest/index.html and tested a LiveConfig site with it. Apparently some SSL configuration is missing, making it vulnerable to the "BEAST" attacks. To mitigate this I applied the changes in the configuration manually, but I think LiveConfig should do that for us by default:

    Code:
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

    The other vulnerability called SCREAM is fixed client side, since there are a number of Apache releases that do not support server side disabling of SSL compression yet. After backports are released the SSL compression should be off by default.
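
Added example (not part of the original post and not LiveConfig code): a small Python audit of an Apache vhost snippet for the settings raised in post #1, namely server cipher preference, RC4 in the cipher list, and TLS compression. The vhost wrapper, the function names and the `SSLCompression` check are assumptions of this example; the two directive lines are the ones from the post.

```python
import re

# Constructed sample: the two directives from the post inside a hypothetical vhost.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    SSLEngine on
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^\s*(SSL\w+)\s+(.+?)\s*$", re.IGNORECASE)


def parse_ssl_directives(text):
    """Return {directive_name_lowercase: value}; the last occurrence wins."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # skip commented-out directives
            continue
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def audit(text):
    """Return findings for the three settings discussed in the thread."""
    d = parse_ssl_directives(text)
    findings = []
    # Without SSLHonorCipherOrder On, the client's preference decides the cipher.
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("cipher-order: server preference not enforced")
    suite = d.get("sslciphersuite")
    if suite is None:
        findings.append("cipher-suite: not set, build default applies")
    else:
        # In OpenSSL cipher-list syntax, '!' and '-' prefixes remove ciphers.
        enabled = [t for t in re.split(r"[:, ]+", suite) if t and t[0] not in "!-"]
        # RC4 was the BEAST-era workaround; RFC 7465 later prohibited it in TLS.
        if any("RC4" in t.upper() for t in enabled):
            findings.append("rc4: enabled, prohibited in TLS by RFC 7465")
    # The default for SSLCompression depends on the Apache release.
    if d.get("sslcompression", "").lower() != "off":
        findings.append("compression: SSLCompression not explicitly off")
    return findings
```

Run `audit()` over each generated vhost file; an empty list means all three checks passed.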

  2. #2
    LiveConfig Team (kk)
    Registered since
    10.12.2010
    Posts
    3.216
    Hi,

    this is a very good point, thank you.
    We improved SSL security for LiveConfig itself at short notice today (see issue #42) and will add the required configuration options for Apache/NGINX in the next 2-3 days.

    Best regards,

    Klaus Keppler

  3. #3
    Experienced user
    Registered since
    09.07.2012
    Location
    Spain
    Posts
    273
    Fast response!

    Do you allow entering features and bug reports directly in Redmine?
