Ok, so for Apache HTTPD something like this would do the job: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK SSLHonorCipherOrder on
I do not know how to do this for the CPVM java thingy that runs there; I think it's based on Jetty. -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro ----- Original Message ----- > From: "Erik Weber" <terbol...@gmail.com> > To: "dev" <dev@cloudstack.apache.org> > Sent: Monday, 9 March, 2015 09:34:08 > Subject: Re: New SSL vulnerability #FREAK > On Mon, Mar 9, 2015 at 9:59 AM, Nux! <n...@li.nux.ro> wrote: > >> BTW, the command I used is: >> >> nmap --script ssl-enum-ciphers $HOST >> >> I'm not entirely sure which cipher is good or not. >> > > Anyone with EXPORT in it is bad (in the FREAK case). > > This is a scan of my 4.3.2 systemvm with nmap: > >| ssl-enum-ciphers: >| SSLv3: >| ciphers: >| TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak >| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong >| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong >| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong >| TLS_DHE_RSA_WITH_DES_CBC_SHA - weak >| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong >| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong >| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong >| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong >| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak >| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak >| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong >| TLS_RSA_WITH_AES_128_CBC_SHA - strong >| TLS_RSA_WITH_AES_256_CBC_SHA - strong >| TLS_RSA_WITH_DES_CBC_SHA - weak >| TLS_RSA_WITH_RC4_128_MD5 - strong >| TLS_RSA_WITH_RC4_128_SHA - strong >| compressors: >| NULL >| TLSv1.0: >| ciphers: >| TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak >| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong >| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong >| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong >| TLS_DHE_RSA_WITH_DES_CBC_SHA - weak >| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong >| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong >| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong >| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong >| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak >| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak >| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong >| TLS_RSA_WITH_AES_128_CBC_SHA - strong >| TLS_RSA_WITH_AES_256_CBC_SHA - strong >| TLS_RSA_WITH_DES_CBC_SHA - weak >| TLS_RSA_WITH_RC4_128_MD5 - strong >| TLS_RSA_WITH_RC4_128_SHA - strong > > -- > Erik
