You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Nux! <nu...@li.nux.ro> on 2015/03/04 02:21:41 UTC
New SSL vulnerability #FREAK
https://freakattack.com/
That time of the month again. Secure your stuff, folks.
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
Re: New SSL vulnerability #FREAK
Posted by John Kinsella <jl...@stratosec.co>.
I don't *think* ACS is vulnerable, but haven't gotten a chance to confirm that yet.
Excuse any typos - sent from mobile device
> On Mar 3, 2015, at 17:23, Nux! <nu...@li.nux.ro> wrote:
>
> https://freakattack.com/
>
> That time of the month again. Secure your stuff, folks.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
Re: New SSL vulnerability #FREAK
Posted by John Kinsella <jl...@stratosec.co>.
Thanks for confirmation, Eric
Pardon any typos - sent from mobile device
Stratosec<http://stratosec.co/>
o: 415.315.9385<tel:415.315.9385>
@johnlkinsella<http://twitter.com/johnlkinsella>
On Mar 3, 2015, at 10:59 PM, Erik Weber <te...@gmail.com>> wrote:
On Wed, Mar 4, 2015 at 2:21 AM, Nux! <nu...@li.nux.ro>> wrote:
https://freakattack.com/
That time of the month again. Secure your stuff, folks.
Tried against the SSVM on a CCP 4.3.2 installation, with updated system vm
template (think it was Beast or shellshock).
Does not export the mentioned ciphers.
--
Erik
Re: New SSL vulnerability #FREAK
Posted by Rohit Yadav <ro...@shapeblue.com>.
Thanks for checking Erik, I'll check it again tomorrow and put in a fix
if necessary.
On Wednesday 04 March 2015 05:34 PM, Erik Weber wrote:
> You are right Rohit.
>
> I tested our CPVM running the same system vm template, and it exposes the
> following ciphers:
>
> Testing EXP-EDH-RSA-DES-CBC-SHA...YES
> Testing EXP-EDH-DSS-DES-CBC-SHA...NO (ssl handshake failure)
> Testing EXP-ADH-DES-CBC-SHA...NO (ssl handshake failure)
> Testing EXP-DES-CBC-SHA...YES
> Testing EXP-RC2-CBC-MD5...NO (ssl handshake failure)
> Testing EXP-ADH-RC4-MD5...NO (ssl handshake failure)
> Testing EXP-RC4-MD5...YES
>
> For the record I used this tool to test:
> https://gist.github.com/degan/70e8059507d173751294
>
> I don't know how accurate it is.
>
--
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 8826230892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
PS. If you see any footer below, I did not add it :)
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: New SSL vulnerability #FREAK
Posted by ilya musayev <il...@gmail.com>.
This might be relevant, ways to disable weak ciphers for port 8250, i'm
under impression same can be done for all java related processes. This
came from Citrix security team sometime in August, when we reached and
mentioned that 8250 exposes weak ciphers as per internal audit.
------------
Who Should apply this workaround?
This workaround is to make SSL Ciphers stronger than 128 bits. This
workaround is for customers running Citrix CloudPlatform version 3.x and
above. Apply this workaround on all the CloudPlatform 3.x and above
Management Servers.
Package Name
NA
Issues Resolved In This Hotfix
This workaround resolves the following issue:
CS-17504: Weak SSL ciphers supported by the management server
Installing the Hotfix
Use the following steps to for the workaround. As with any software
update, please back up your data before applying this workaround.
1. Stop the Management Server:# service cloudstack-management stop.
2. First Backup and then Modify java.security file at following
location (You may have different location based on your Java version),
if you are unsure, do a “find / -name java.security” to get the exact
location): #
cp
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51.x86_64/jre/lib/security/java.security
java.security.backup
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51.x86_64/jre/lib/security/java.security
3. Make following changes to java.security:#
#Start of Edit
#Following are the default settings, needs to be commented.
#jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#Following needs to be added
jdk.tls.disabledAlgorithms=DH keySize < 128, RSA keySize < 128, DES
keySize < 128, SHA1 keySize < 128, MD5 keySize < 128, RC4 keySize < 128
# End of edit
4. Start the Management Server: # service cloudstack-management start.
Log in to the CloudPlatform UI as administrator, and check the status of
the hosts. All hosts should come to Up state (except those that you know
to be offline). You may need to wait 20 or 30 minutes, depending on the
number of hosts.
Troubleshooting: If login fails, clear your browser cache and reload the
page.
On 3/9/15 5:05 AM, Rohit Yadav wrote:
> Hi Lucian,
>
> I made a similar fix on 4.5/master today for apache2. I'm not sure how
> to deal with this in Java. There are ways to get enabled cipher suites,
> but should we be doing this or configuring the jre security settings?
>
> On Monday 09 March 2015 04:21 PM, Nux! wrote:
>> Ok, so for Apache HTTPD something like this would do the job:
>>
>> SSLProtocol all -SSLv2 -SSLv3 -TLSv1
>> SSLCipherSuite
>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
>> SSLHonorCipherOrder on
>>
>> I do not know how to do this for the CPVM java thingy that runs
>> there; I think it's based on Jetty.
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>>
>> ----- Original Message -----
>>> From: "Erik Weber" <te...@gmail.com>
>>> To: "dev" <de...@cloudstack.apache.org>
>>> Sent: Monday, 9 March, 2015 09:34:08
>>> Subject: Re: New SSL vulnerability #FREAK
>>
>>> On Mon, Mar 9, 2015 at 9:59 AM, Nux! <nu...@li.nux.ro> wrote:
>>>
>>>> BTW, the command I used is:
>>>>
>>>> nmap --script ssl-enum-ciphers $HOST
>>>>
>>>> I'm not entirely sure which cipher is good or not.
>>>>
>>>
>>> Anyone with EXPORT in it is bad (in the FREAK case).
>>>
>>> This is a scan of my 4.3.2 systemvm with nmap:
>>>
>>> | ssl-enum-ciphers:
>>> | SSLv3:
>>> | ciphers:
>>> | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>>> | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>>> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>>> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
>>> | TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
>>> | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>>> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>>> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
>>> | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>>> | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>>> | TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
>>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>>> | TLS_RSA_WITH_AES_128_CBC_SHA - strong
>>> | TLS_RSA_WITH_AES_256_CBC_SHA - strong
>>> | TLS_RSA_WITH_DES_CBC_SHA - weak
>>> | TLS_RSA_WITH_RC4_128_MD5 - strong
>>> | TLS_RSA_WITH_RC4_128_SHA - strong
>>> | compressors:
>>> | NULL
>>> | TLSv1.0:
>>> | ciphers:
>>> | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>>> | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>>> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>>> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
>>> | TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
>>> | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>>> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>>> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
>>> | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>>> | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>>> | TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
>>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>>> | TLS_RSA_WITH_AES_128_CBC_SHA - strong
>>> | TLS_RSA_WITH_AES_256_CBC_SHA - strong
>>> | TLS_RSA_WITH_DES_CBC_SHA - weak
>>> | TLS_RSA_WITH_RC4_128_MD5 - strong
>>> | TLS_RSA_WITH_RC4_128_SHA - strong
>>>
>>> --
>>> Erik
>
> --
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 8826230892 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
> PS. If you see any footer below, I did not add it :)
> Find out more about ShapeBlue and our range of CloudStack related
> services
>
> IaaS Cloud Design &
> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Software
> Engineering<http://shapeblue.com/cloudstack-software-engineering/>
> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training
> Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is addressed.
> Any views or opinions expressed are solely those of the author and do
> not necessarily represent those of Shape Blue Ltd or related
> companies. If you are not the intended recipient of this email, you
> must neither take any action based upon its contents, nor copy or show
> it to anyone. Please contact the sender if you believe you have
> received this email in error. Shape Blue Ltd is a company incorporated
> in England & Wales. ShapeBlue Services India LLP is a company
> incorporated in India and is operated under license from Shape Blue
> Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in
> Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA
> Pty Ltd is a company registered by The Republic of South Africa and is
> traded under license from Shape Blue Ltd. ShapeBlue is a registered
> trademark.
Re: New SSL vulnerability #FREAK
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Lucian,
I made a similar fix on 4.5/master today for apache2. I'm not sure how
to deal with this in Java. There are ways to get enabled cipher suites,
but should we be doing this or configuring the jre security settings?
On Monday 09 March 2015 04:21 PM, Nux! wrote:
> Ok, so for Apache HTTPD something like this would do the job:
>
> SSLProtocol all -SSLv2 -SSLv3 -TLSv1
> SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
> SSLHonorCipherOrder on
>
> I do not know how to do this for the CPVM java thingy that runs there; I think it's based on Jetty.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "Erik Weber" <te...@gmail.com>
>> To: "dev" <de...@cloudstack.apache.org>
>> Sent: Monday, 9 March, 2015 09:34:08
>> Subject: Re: New SSL vulnerability #FREAK
>
>> On Mon, Mar 9, 2015 at 9:59 AM, Nux! <nu...@li.nux.ro> wrote:
>>
>>> BTW, the command I used is:
>>>
>>> nmap --script ssl-enum-ciphers $HOST
>>>
>>> I'm not entirely sure which cipher is good or not.
>>>
>>
>> Anyone with EXPORT in it is bad (in the FREAK case).
>>
>> This is a scan of my 4.3.2 systemvm with nmap:
>>
>> | ssl-enum-ciphers:
>> | SSLv3:
>> | ciphers:
>> | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>> | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
>> | TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
>> | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
>> | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>> | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>> | TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> | TLS_RSA_WITH_AES_128_CBC_SHA - strong
>> | TLS_RSA_WITH_AES_256_CBC_SHA - strong
>> | TLS_RSA_WITH_DES_CBC_SHA - weak
>> | TLS_RSA_WITH_RC4_128_MD5 - strong
>> | TLS_RSA_WITH_RC4_128_SHA - strong
>> | compressors:
>> | NULL
>> | TLSv1.0:
>> | ciphers:
>> | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>> | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
>> | TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
>> | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
>> | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>> | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>> | TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>> | TLS_RSA_WITH_AES_128_CBC_SHA - strong
>> | TLS_RSA_WITH_AES_256_CBC_SHA - strong
>> | TLS_RSA_WITH_DES_CBC_SHA - weak
>> | TLS_RSA_WITH_RC4_128_MD5 - strong
>> | TLS_RSA_WITH_RC4_128_SHA - strong
>>
>> --
>> Erik
--
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 8826230892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
PS. If you see any footer below, I did not add it :)
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: New SSL vulnerability #FREAK
Posted by Nux! <nu...@li.nux.ro>.
Ok, so for Apache HTTPD something like this would do the job:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
I do not know how to do this for the CPVM java thingy that runs there; I think it's based on Jetty.
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "Erik Weber" <te...@gmail.com>
> To: "dev" <de...@cloudstack.apache.org>
> Sent: Monday, 9 March, 2015 09:34:08
> Subject: Re: New SSL vulnerability #FREAK
> On Mon, Mar 9, 2015 at 9:59 AM, Nux! <nu...@li.nux.ro> wrote:
>
>> BTW, the command I used is:
>>
>> nmap --script ssl-enum-ciphers $HOST
>>
>> I'm not entirely sure which cipher is good or not.
>>
>
> Anyone with EXPORT in it is bad (in the FREAK case).
>
> This is a scan of my 4.3.2 systemvm with nmap:
>
>| ssl-enum-ciphers:
>| SSLv3:
>| ciphers:
>| TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
>| TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
>| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
>| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
>| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>| TLS_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_RSA_WITH_AES_256_CBC_SHA - strong
>| TLS_RSA_WITH_DES_CBC_SHA - weak
>| TLS_RSA_WITH_RC4_128_MD5 - strong
>| TLS_RSA_WITH_RC4_128_SHA - strong
>| compressors:
>| NULL
>| TLSv1.0:
>| ciphers:
>| TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
>| TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
>| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
>| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
>| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
>| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>| TLS_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_RSA_WITH_AES_256_CBC_SHA - strong
>| TLS_RSA_WITH_DES_CBC_SHA - weak
>| TLS_RSA_WITH_RC4_128_MD5 - strong
>| TLS_RSA_WITH_RC4_128_SHA - strong
>
> --
> Erik
Re: New SSL vulnerability #FREAK
Posted by Erik Weber <te...@gmail.com>.
On Mon, Mar 9, 2015 at 9:59 AM, Nux! <nu...@li.nux.ro> wrote:
> BTW, the command I used is:
>
> nmap --script ssl-enum-ciphers $HOST
>
> I'm not entirely sure which cipher is good or not.
>
Anyone with EXPORT in it is bad (in the FREAK case).
This is a scan of my 4.3.2 systemvm with nmap:
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
--
Erik
Re: New SSL vulnerability #FREAK
Posted by Nux! <nu...@li.nux.ro>.
BTW, the command I used is:
nmap --script ssl-enum-ciphers $HOST
I'm not entirely sure which cipher is good or not.
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "Nux!" <nu...@li.nux.ro>
> To: dev@cloudstack.apache.org
> Sent: Monday, 9 March, 2015 08:58:05
> Subject: Re: New SSL vulnerability #FREAK
> For further info, the tool that Erik used does not seem to give correct results
> and they recommend using nmap instead.
>
> Scanning my own CPVM returns this (4.4.1). I'll try to have a look inside, see
> what we can do to remove the problem.
>
> PORT STATE SERVICE
> 443/tcp open https
>| ssl-enum-ciphers:
>| SSLv3
>| Ciphers (12)
>| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - unknown strength
>| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
>| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
>| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>| TLS_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
>| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
>| TLS_RSA_WITH_RC4_128_SHA - strong
>| Compressors (1)
>| NULL
>| TLSv1.0
>| Ciphers (12)
>| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - unknown strength
>| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
>| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
>| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
>| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
>| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
>| TLS_RSA_WITH_AES_128_CBC_SHA - strong
>| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
>| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
>| TLS_RSA_WITH_RC4_128_SHA - strong
>| Compressors (1)
>| NULL
>|_ Least strength = unknown strength
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "Rohit Yadav" <ro...@shapeblue.com>
>> To: dev@cloudstack.apache.org
>> Sent: Monday, 9 March, 2015 07:35:22
>> Subject: Re: New SSL vulnerability #FREAK
>
>> Hi,
>>
>> Anyone wants to share how we should fix it for CPVM?
>>
>> On Wednesday 04 March 2015 05:34 PM, Erik Weber wrote:
>>> You are right Rohit.
>>>
>>> I tested our CPVM running the same system vm template, and it exposes the
>>> following ciphers:
>>>
>>> Testing EXP-EDH-RSA-DES-CBC-SHA...YES
>>> Testing EXP-EDH-DSS-DES-CBC-SHA...NO (ssl handshake failure)
>>> Testing EXP-ADH-DES-CBC-SHA...NO (ssl handshake failure)
>>> Testing EXP-DES-CBC-SHA...YES
>>> Testing EXP-RC2-CBC-MD5...NO (ssl handshake failure)
>>> Testing EXP-ADH-RC4-MD5...NO (ssl handshake failure)
>>> Testing EXP-RC4-MD5...YES
>>>
>>> For the record I used this tool to test:
>>> https://gist.github.com/degan/70e8059507d173751294
>>>
>>> I don't know how accurate it is.
>>>
>>
>> --
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 8826230892 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>> PS. If you see any footer below, I did not add it :)
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Software
>> Engineering<http://shapeblue.com/cloudstack-software-engineering/>
>> CloudStack Infrastructure
>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are intended solely
>> for the use of the individual to whom it is addressed. Any views or opinions
>> expressed are solely those of the author and do not necessarily represent those
>> of Shape Blue Ltd or related companies. If you are not the intended recipient
>> of this email, you must neither take any action based upon its contents, nor
>> copy or show it to anyone. Please contact the sender if you believe you have
>> received this email in error. Shape Blue Ltd is a company incorporated in
>> England & Wales. ShapeBlue Services India LLP is a company incorporated in
>> India and is operated under license from Shape Blue Ltd. Shape Blue Brasil
>> Consultoria Ltda is a company incorporated in Brasil and is operated under
>> license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by
>> The Republic of South Africa and is traded under license from Shape Blue Ltd.
> > ShapeBlue is a registered trademark.
Re: New SSL vulnerability #FREAK
Posted by Nux! <nu...@li.nux.ro>.
For further info, the tool that Erik used does not seem to give correct results and they recommend using nmap instead.
Scanning my own CPVM returns this (4.4.1). I'll try to have a look inside, see what we can do to remove the problem.
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3
| Ciphers (12)
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - unknown strength
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| Compressors (1)
| NULL
| TLSv1.0
| Ciphers (12)
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - unknown strength
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| Compressors (1)
| NULL
|_ Least strength = unknown strength
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "Rohit Yadav" <ro...@shapeblue.com>
> To: dev@cloudstack.apache.org
> Sent: Monday, 9 March, 2015 07:35:22
> Subject: Re: New SSL vulnerability #FREAK
> Hi,
>
> Anyone wants to share how we should fix it for CPVM?
>
> On Wednesday 04 March 2015 05:34 PM, Erik Weber wrote:
>> You are right Rohit.
>>
>> I tested our CPVM running the same system vm template, and it exposes the
>> following ciphers:
>>
>> Testing EXP-EDH-RSA-DES-CBC-SHA...YES
>> Testing EXP-EDH-DSS-DES-CBC-SHA...NO (ssl handshake failure)
>> Testing EXP-ADH-DES-CBC-SHA...NO (ssl handshake failure)
>> Testing EXP-DES-CBC-SHA...YES
>> Testing EXP-RC2-CBC-MD5...NO (ssl handshake failure)
>> Testing EXP-ADH-RC4-MD5...NO (ssl handshake failure)
>> Testing EXP-RC4-MD5...YES
>>
>> For the record I used this tool to test:
>> https://gist.github.com/degan/70e8059507d173751294
>>
>> I don't know how accurate it is.
>>
>
> --
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 8826230892 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
> PS. If you see any footer below, I did not add it :)
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Software
> Engineering<http://shapeblue.com/cloudstack-software-engineering/>
> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended solely
> for the use of the individual to whom it is addressed. Any views or opinions
> expressed are solely those of the author and do not necessarily represent those
> of Shape Blue Ltd or related companies. If you are not the intended recipient
> of this email, you must neither take any action based upon its contents, nor
> copy or show it to anyone. Please contact the sender if you believe you have
> received this email in error. Shape Blue Ltd is a company incorporated in
> England & Wales. ShapeBlue Services India LLP is a company incorporated in
> India and is operated under license from Shape Blue Ltd. Shape Blue Brasil
> Consultoria Ltda is a company incorporated in Brasil and is operated under
> license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by
> The Republic of South Africa and is traded under license from Shape Blue Ltd.
> ShapeBlue is a registered trademark.
Re: New SSL vulnerability #FREAK
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi,
Anyone wants to share how we should fix it for CPVM?
On Wednesday 04 March 2015 05:34 PM, Erik Weber wrote:
> You are right Rohit.
>
> I tested our CPVM running the same system vm template, and it exposes the
> following ciphers:
>
> Testing EXP-EDH-RSA-DES-CBC-SHA...YES
> Testing EXP-EDH-DSS-DES-CBC-SHA...NO (ssl handshake failure)
> Testing EXP-ADH-DES-CBC-SHA...NO (ssl handshake failure)
> Testing EXP-DES-CBC-SHA...YES
> Testing EXP-RC2-CBC-MD5...NO (ssl handshake failure)
> Testing EXP-ADH-RC4-MD5...NO (ssl handshake failure)
> Testing EXP-RC4-MD5...YES
>
> For the record I used this tool to test:
> https://gist.github.com/degan/70e8059507d173751294
>
> I don't know how accurate it is.
>
--
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 8826230892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
PS. If you see any footer below, I did not add it :)
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: New SSL vulnerability #FREAK
Posted by Erik Weber <te...@gmail.com>.
You are right Rohit.
I tested our CPVM running the same system vm template, and it exposes the
following ciphers:
Testing EXP-EDH-RSA-DES-CBC-SHA...YES
Testing EXP-EDH-DSS-DES-CBC-SHA...NO (ssl handshake failure)
Testing EXP-ADH-DES-CBC-SHA...NO (ssl handshake failure)
Testing EXP-DES-CBC-SHA...YES
Testing EXP-RC2-CBC-MD5...NO (ssl handshake failure)
Testing EXP-ADH-RC4-MD5...NO (ssl handshake failure)
Testing EXP-RC4-MD5...YES
For the record I used this tool to test:
https://gist.github.com/degan/70e8059507d173751294
I don't know how accurate it is.
--
Erik
On Wed, Mar 4, 2015 at 12:42 PM, Rohit Yadav <ro...@shapeblue.com>
wrote:
> Thanks for checking Erik, I think we should also check console proxy as
> it serves on HTTP/S as well.
>
>
> On Wednesday 04 March 2015 12:27 PM, Erik Weber wrote:
>
>> On Wed, Mar 4, 2015 at 2:21 AM, Nux! <nu...@li.nux.ro> wrote:
>>
>> https://freakattack.com/
>>>
>>> That time of the month again. Secure your stuff, folks.
>>>
>>>
>>> Tried against the SSVM on a CCP 4.3.2 installation, with updated system
>> vm
>> template (think it was Beast or shellshock).
>> Does not export the mentioned ciphers.
>>
>>
> --
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 8826230892 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
> PS. If you see any footer below, I did not add it :)
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build<http://shapeblue.com/
> iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-
> engineering/>
> CloudStack Infrastructure Support<http://shapeblue.com/
> cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/
> cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended
> solely for the use of the individual to whom it is addressed. Any views or
> opinions expressed are solely those of the author and do not necessarily
> represent those of Shape Blue Ltd or related companies. If you are not the
> intended recipient of this email, you must neither take any action based
> upon its contents, nor copy or show it to anyone. Please contact the sender
> if you believe you have received this email in error. Shape Blue Ltd is a
> company incorporated in England & Wales. ShapeBlue Services India LLP is a
> company incorporated in India and is operated under license from Shape Blue
> Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil
> and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is
> a company registered by The Republic of South Africa and is traded under
> license from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
Re: New SSL vulnerability #FREAK
Posted by Rohit Yadav <ro...@shapeblue.com>.
Thanks for checking Erik, I think we should also check console proxy as
it serves on HTTP/S as well.
On Wednesday 04 March 2015 12:27 PM, Erik Weber wrote:
> On Wed, Mar 4, 2015 at 2:21 AM, Nux! <nu...@li.nux.ro> wrote:
>
>> https://freakattack.com/
>>
>> That time of the month again. Secure your stuff, folks.
>>
>>
> Tried against the SSVM on a CCP 4.3.2 installation, with updated system vm
> template (think it was Beast or shellshock).
> Does not export the mentioned ciphers.
>
--
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 8826230892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
PS. If you see any footer below, I did not add it :)
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: New SSL vulnerability #FREAK
Posted by John Kinsella <jl...@stratosec.co>.
Pardon any typos - sent from mobile device
Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385<tel:415.315.9385>
@johnlkinsella<http://twitter.com/johnlkinsella>
On Mar 3, 2015, at 10:59 PM, Erik Weber <te...@gmail.com>> wrote:
On Wed, Mar 4, 2015 at 2:21 AM, Nux! <nu...@li.nux.ro>> wrote:
https://freakattack.com/
That time of the month again. Secure your stuff, folks.
Tried against the SSVM on a CCP 4.3.2 installation, with updated system vm
template (think it was Beast or shellshock).
Does not export the mentioned ciphers.
--
Erik
Re: New SSL vulnerability #FREAK
Posted by John Kinsella <jl...@stratosec.co>.
Thanks for confirmation, Eric
Pardon any typos - sent from mobile device
Stratosec<http://stratosec.co/>
o: 415.315.9385<tel:415.315.9385>
@johnlkinsella<http://twitter.com/johnlkinsella>
On Mar 3, 2015, at 10:59 PM, Erik Weber <te...@gmail.com>> wrote:
On Wed, Mar 4, 2015 at 2:21 AM, Nux! <nu...@li.nux.ro>> wrote:
https://freakattack.com/
That time of the month again. Secure your stuff, folks.
Tried against the SSVM on a CCP 4.3.2 installation, with updated system vm
template (think it was Beast or shellshock).
Does not export the mentioned ciphers.
--
Erik
Re: New SSL vulnerability #FREAK
Posted by Erik Weber <te...@gmail.com>.
On Wed, Mar 4, 2015 at 2:21 AM, Nux! <nu...@li.nux.ro> wrote:
> https://freakattack.com/
>
> That time of the month again. Secure your stuff, folks.
>
>
Tried against the SSVM on a CCP 4.3.2 installation, with updated system vm
template (think it was Beast or shellshock).
Does not export the mentioned ciphers.
--
Erik
Re: New SSL vulnerability #FREAK
Posted by John Kinsella <jl...@stratosec.co>.
I don't *think* ACS is vulnerable, but haven't gotten a chance to confirm that yet.
Excuse any typos - sent from mobile device
> On Mar 3, 2015, at 17:23, Nux! <nu...@li.nux.ro> wrote:
>
> https://freakattack.com/
>
> That time of the month again. Secure your stuff, folks.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro