BTW, the command I used is: nmap --script ssl-enum-ciphers $HOST
I'm not entirely sure which cipher is good or not.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nux!" <n...@li.nux.ro>
> To: dev@cloudstack.apache.org
> Sent: Monday, 9 March, 2015 08:58:05
> Subject: Re: New SSL vulnerability #FREAK

> For further info, the tool that Erik used does not seem to give correct results
> and they recommend using nmap instead.
>
> Scanning my own CPVM returns this (4.4.1). I'll try to have a look inside, see
> what we can do to remove the problem.
>
> PORT    STATE SERVICE
> 443/tcp open  https
> | ssl-enum-ciphers:
> |   SSLv3
> |     Ciphers (12)
> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - unknown strength
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
> |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
> |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
> |       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
> |       TLS_RSA_WITH_RC4_128_SHA - strong
> |     Compressors (1)
> |       NULL
> |   TLSv1.0
> |     Ciphers (12)
> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - unknown strength
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
> |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
> |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
> |       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
> |       TLS_RSA_WITH_RC4_128_SHA - strong
> |     Compressors (1)
> |       NULL
> |_  Least strength = unknown strength
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
>> To: dev@cloudstack.apache.org
>> Sent: Monday, 9 March, 2015 07:35:22
>> Subject: Re: New SSL vulnerability #FREAK
>
>> Hi,
>>
>> Anyone wants to share how we should fix it for CPVM?
>>
>> On Wednesday 04 March 2015 05:34 PM, Erik Weber wrote:
>>> You are right Rohit.
>>>
>>> I tested our CPVM running the same system vm template, and it exposes the
>>> following ciphers:
>>>
>>> Testing EXP-EDH-RSA-DES-CBC-SHA...YES
>>> Testing EXP-EDH-DSS-DES-CBC-SHA...NO (ssl handshake failure)
>>> Testing EXP-ADH-DES-CBC-SHA...NO (ssl handshake failure)
>>> Testing EXP-DES-CBC-SHA...YES
>>> Testing EXP-RC2-CBC-MD5...NO (ssl handshake failure)
>>> Testing EXP-ADH-RC4-MD5...NO (ssl handshake failure)
>>> Testing EXP-RC4-MD5...YES
>>>
>>> For the record I used this tool to test:
>>> https://gist.github.com/degan/70e8059507d173751294
>>>
>>> I don't know how accurate it is.
>>>
>>
>> --
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 8826230892 | rohit.ya...@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>> PS. If you see any footer below, I did not add it :)
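Added example, not part of the original thread and not nmap or CloudStack code: this Python example triages `ssl-enum-ciphers` output like the scan quoted above by suite name instead of relying on the script's strength column. The rule list, the constructed sample input and the `triage` helper are assumptions of the example.

```python
import re

# Constructed sample in the layout nmap's ssl-enum-ciphers script prints
# (mail quoting included); the EXPORT suite is added to exercise that rule.
SAMPLE = """\
> | ssl-enum-ciphers:
> |   SSLv3
> |     Ciphers (2)
> |       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
> |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
> |     Compressors (1)
> |       NULL
> |   TLSv1.0
> |     Ciphers (3)
> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - unknown strength
> |       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
> |_  Least strength = unknown strength
"""

# Assumed policy: substring of the IANA suite name -> why it is flagged.
RULES = [
    ("_EXPORT_", "export-grade suite (RSA_EXPORT is what FREAK needs)"),
    ("_RC4_", "RC4 stream cipher"),
    ("_3DES_", "3DES, 64-bit block cipher"),
    ("_DES_", "single DES"),
    ("_MD5", "MD5 MAC"),
]
PROTO = re.compile(r"^\|[\s_]*(SSLv\d|TLSv\d\.\d)\s*$")
SUITE = re.compile(r"^\|[\s_]*((?:TLS|SSL)_\w+)")

def triage(text):
    """Return {protocol: [(suite, [reasons])]} for flagged suites only."""
    findings, proto = {}, None
    for line in text.splitlines():
        line = line.lstrip("> ")          # tolerate e-mail quote markers
        if m := PROTO.match(line):
            proto = m.group(1)
        elif proto and (m := SUITE.match(line)):
            suite = m.group(1)
            reasons = [why for needle, why in RULES if needle in suite]
            if proto == "SSLv3":
                reasons.append("offered over SSLv3")
            if reasons:
                findings.setdefault(proto, []).append((suite, reasons))
    return findings

if __name__ == "__main__":
    for proto, hits in triage(SAMPLE).items():
        for suite, reasons in hits:
            print(f"{proto:8} {suite:40} {'; '.join(reasons)}")
```
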