Opened 10 years ago
Closed 7 years ago
#1480 closed task (wontfix)
[SAC] osgeo.org vulnerable to FREAK SSL/TLS vulnerability
| Reported by: | dmorissette | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | SysAdmin | Keywords: | |
| Cc: | | | |
Description
Hi SAC, this is a heads-up that osgeo.org is potentially vulnerable to the new FREAK SSL/TLS vulnerability that was reported yesterday.
More about the vulnerability at https://freakattack.com/
The page above points to a list of potentially vulnerable domains where osgeo.org is listed:
https://freakattack.com/vulnerable.txt
67635,osgeo.org,140.211.15.66
Not sure what is involved with this, but I just thought I'd share the info here.
Change History (4)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
So I tried Modern, which includes -TLSv1, and that wouldn't start; dropping it works. But eventually we should also drop TLSv1 support. This adjustment should be applied to all OSGeo SSL-configured servers.
# Disable SSLv2 and SSLv3 outright; TLSv1.0 and newer remain enabled.
SSLProtocol all -SSLv2 -SSLv3
# Explicit cipher list. The trailing !EXPORT excludes the RSA_EXPORT suites FREAK relies on;
# !aNULL/!eNULL/!RC4/!MD5/!DES remove the other weak or unauthenticated suites.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# The server, not the client, picks the suite, in the order listed above.
SSLHonorCipherOrder on
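The vulnerable.txt listing in the description and the SSLCipherSuite change in comment 2 both come down to one observable fact: whether the server will still negotiate an RSA_EXPORT cipher suite. The script below is an added example, not code from this ticket or from OSGeo, that checks exactly that without depending on the local OpenSSL (modern builds no longer contain export suites at all, so `openssl s_client -cipher EXPORT` cannot be used as a probe). It hand-builds a TLS ClientHello offering only RSA_EXPORT suites and classifies the first record the server sends back: a ServerHello selecting one of them means the server is FREAK-vulnerable; a handshake_failure alert is the expected result after the config above is applied. The cipher-suite table, port 443 and the `osgeo.org` default are assumptions for the example; it tests only the server side of FREAK, not client behaviour.

```python
"""FREAK probe: does a TLS server accept RSA_EXPORT cipher suites?

Added example, not OSGeo or ticket code. Offers ONLY export-grade RSA suites
in a raw ClientHello and reports what the server does with them.
"""
import os
import socket
import struct

# RSA_EXPORT suites (RFC 2246 appendix A.5 plus the 56-bit export draft suites
# that OpenSSL calls EXP1024-*). Assumed list for this example.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15      # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
# Offer TLS 1.0: export suites are still legal there, so a server cannot
# decline them on version grounds alone.
CLIENT_VERSION = b"\x03\x01"


def build_client_hello(hostname: str) -> bytes:
    """Return one TLS record carrying a ClientHello that offers only EXPORT_SUITES."""
    suites = b"".join(struct.pack("!H", s) for s in EXPORT_SUITES)
    # SNI extension so virtual-hosted servers answer for the right certificate.
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type=host_name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        CLIENT_VERSION
        + os.urandom(32)                                   # client random
        + b"\x00"                                          # empty session id
        + struct.pack("!H", len(suites)) + suites          # cipher_suites
        + b"\x01\x00"                                      # compression: null only
        + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes):
    """Classify the server's first TLS record.

    Returns (verdict, detail): "vulnerable" with the accepted suite name,
    "safe" with the alert the server sent, or "unknown" with a reason.
    """
    if len(data) < 5:
        return "unknown", "short or empty reply (not TLS on this port, or connection dropped)"
    ctype = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if ctype == ALERT and len(rec) >= 2:
        return "safe", f"alert level={rec[0]} description={rec[1]} (40 = handshake_failure)"
    if ctype == HANDSHAKE and len(rec) >= 4 and rec[0] == SERVER_HELLO:
        # ServerHello body after the 4-byte handshake header:
        # version(2) random(32) session_id<0..32> cipher_suite(2) ...
        if len(rec) < 39:
            return "unknown", "truncated ServerHello"
        sid_len = rec[38]
        if len(rec) < 41 + sid_len:
            return "unknown", "truncated ServerHello"
        suite = struct.unpack("!H", rec[39 + sid_len:41 + sid_len])[0]
        if suite in EXPORT_SUITES:
            return "vulnerable", EXPORT_SUITES[suite]
        return "unknown", f"server chose 0x{suite:04x}, which was never offered"
    return "unknown", f"unexpected record type 0x{ctype:02x}"


def probe(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect, send the export-only ClientHello and classify the reply."""
    with socket.create_connection((hostname, port), timeout=timeout) as s:
        s.sendall(build_client_hello(hostname))
        data = s.recv(4096)
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "osgeo.org"
    verdict, detail = probe(host)
    print(f"{host}: {verdict} ({detail})")
```

Run it before and after the config change: `python3 freak_probe.py osgeo.org` should move from `vulnerable (TLS_RSA_EXPORT_WITH_RC4_40_MD5)` on an affected host to `safe (alert ... description=40 ...)` once `!EXPORT` is in effect. Because the probe speaks TLS 1.0, a server that has since dropped TLSv1 entirely will answer with a protocol_version alert (description 70), which is also reported as safe.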
comment:4 by , 7 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
I'm closing for lack of feedback. We need champions: no champion, no change.
The solution is to modify a few lines in the Apache SSL conf to prevent clients from being able to downgrade the cipher.
This site will help generate the correct lines to disable bad ciphers; you need the Apache version and SSL version. This fix is similar to previous SSL-related fixes over the last year. https://mozilla.github.io/server-side-tls/ssl-config-generator/