On 06/01/2015 08:25 PM, Roger Marquis wrote: > SSLCipherSuite > HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > SSLProtocol all -SSLv2 -SSLv3 > SSLCompression off > SSLHonorCipherOrder on >
This certainly works. > > If you're processing credit cards SSLProtocol will need to be expanded to > "-SSLv2 -SSLv3 -TLSv1" by 2016/07 (for PCI compliance) and if you have > good reason to be paranoid and all of your clients are up-to-date, add > "-TLSv1.1". And there's the rub. TLS1 is known to be weak, susceptible to Poodle (so is 1.1 as I understand it, and I'd love to turn it off. Unfortunately, that's exactly what the FreeBSD ports mechanism wants to use to get port sources as best as I can determine. Everytime I do -TLS1, port fetches start to break. It there a plan, I wonder to move to TLS 1.2 and be done with this? -- ---------------------------------------------------------------------------- Tim Daneliuk [email protected] PGP Key: http://www.tundraware.com/PGP/ _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "[email protected]"
