| Author |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg
|
 Posted: Wed 15 Oct '14 18:01 Post subject: |
 |
|
| What if you have to support IE on XP? *coff coff* |
|
| Back to top |
|
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
|
| Posted: Wed 15 Oct '14 19:13 Post subject: |
|
|
You don't!
If there are people on XP still using IE, soon their XP will grind to a halt from malware. Everyone that I know that is still using XP has switched to Chrome, Firefox, Opera or Safari which should (but not guaranteed) allow them some time to figure out what they are going to do. These all allow for TLS1, many 1.1 or 1.2 even. We may soon be able to quit serving TLS1 as well.
The problem is non-browser type clients for specialized tasks, these can be much harder to do away with, especially if no new version has been released for years and the company that made them has gone away.
Last edited by glsmith on Wed 15 Oct '14 19:18; edited 1 time in total |
|
| Back to top |
|
nicklowe
Joined: 15 Apr 2007
Posts: 8
|
| Posted: Wed 15 Oct '14 19:17 Post subject: |
|
|
| Please can we have an Apache build with OpenSSL 1.0.1j which includes the server side support of the downgrade protection pseudo-ciphersuite? |
|
| Back to top |
|
admin
Site Admin
Joined: 15 Oct 2005
Posts: 679
|
| Posted: Wed 15 Oct '14 20:23 Post subject: |
|
|
To mitigate server-side Poodle disable sslv3, for example:
SSLProtocol all -SSLv2 -SSLv3
When not popping up new (other) issues in the new OpenSSL version, we upgrade. |
|
| Back to top |
|
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
|
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg
|
| Posted: Wed 15 Oct '14 22:25 Post subject: |
|
|
| glsmith wrote: | You don't!
If there are people on XP still using IE, soon their XP will grind to a halt from malware. |
Well on my own servers I disabled SSLv3 a while ago. But on some servers from some big companies who still use XP I haven't find a way yet.
And I too really would like to diable TLS 1.0 soon. |
|
| Back to top |
|
nicklowe
Joined: 15 Apr 2007
Posts: 8
|
| Posted: Thu 16 Oct '14 0:52 Post subject: |
|
|
The newer OpenSSL version also put in the mechanism necessary to stop downgrade from happening with the newer TLS versions too, such as from TLS 1.2 to TLS 1.0.
Definitely worth having... The SSL Labs checker now looks for it and flags where it is missing.
As for the companies that still use XP, they can enable TLS 1.0 support in IE 6 through 8 in Internet Options or via Group Policy.
The feature is supported, just disabled by default until IE 7. |
|
| Back to top |
|
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
|
| Posted: Thu 16 Oct '14 3:26 Post subject: |
|
|
I had checked my server against SSL labs test last night and earlier today, both times they had nothing there. I see it is finally live now.
As for TLS_FALLBACK_SCSV, one thing I did see was: "There's a solution to this problem, via the TLS_FALLBACK_SCSV indicator that must be supported by clients and servers in order to be effective."
Unfortunately, the only client to support this as of now is Chrome. Seeing this, I do not see any reason to panic about TLS_FALLBACK_SCSV yet. As soon as possible should be sufficient. |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Thu 16 Oct '14 7:11 Post subject: |
|
|
| If you upgrade to OpenSSL 1.0.1j, you will get TLS_FALLBACK_SCSV for free. There is no way to disable it. |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Thu 16 Oct '14 7:30 Post subject: |
|
|
| nicklowe wrote: | As for the companies that still use XP, they can enable TLS 1.0 support in IE 6 through 8 in Internet Options or via Group Policy.
The feature is supported, just disabled by default until IE 7. |
On a unpatched XP SP2, you can try to enable TLS 1.0 in IE6, but it will not connect anyway. On XP SP3 with the latest security patches TLS 1.0 is enabled by default in IE8 and can be made working in IE6 |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
|
| Posted: Thu 16 Oct '14 7:36 Post subject: |
|
|
| nicklowe wrote: | | Please can we have an Apache build with OpenSSL 1.0.1j which includes the server side support of the downgrade protection pseudo-ciphersuite? |
There is a upgrade here:
http://www.apachelounge.com/viewtopic.php?p=28843#28843
Just do not enable FIPS mode and you are done. |
|
| Back to top |
|
jraute
Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany
|
| Posted: Fri 17 Oct '14 12:22 Post subject: |
|
|
@Admin
Is it possible to have a new compiled version including openssl 1.0.1j to activate TLS_FALLBACK_SCSV?
That would be nice and helpful.
Thanks in advance
JR |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3057
Location: Hilversum, NL, EU
|
| Posted: Fri 17 Oct '14 12:49 Post subject: |
|
|
| Yep, a little short of time due to the migration to the new provider. Planned coming days, starting with VC11. |
|
| Back to top |
|
