[BlueOnyx:21351] Re: SSL/TLS question

Michael Stauber mstauber at blueonyx.it
Fri Sep 8 21:22:25 -05 2017 

Hi Michael,

> I used an online tool to test for TLS 1.2 on a BlueOnyx server today
> because I got an email from a credit card processor that it would be
> required soon.
> 
> It passed that check but the test
> (https://cryptoreport.websecurity.symantec.com/checker/) also said the
> server was vulnerable to an attack called BEAST. 

> The note is: Make sure you have the TLSv1.2 protocol enabled on your
> server. Disable the RC4, MD5, and DES algorithms.>
> Is this accurate on our BlueOnyx configuration and what can I do to
> mitigate this attack?
See this URL for all relevant TLS related info on BlueOnyx:

http://www.blueonyx.it/index.php?mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=54&cntnt01searchinput=TLS&submit=Submit

Since June 2015 we have locked down SSL for Web and Email on BlueOnyx
and only support TLS v1.2, TLS v1.1 and TLS v1.0 (in that order) with
only the best available ciphers still enabled.

So we don't allow RC4, SSLv2 or SSLv3, no export-ciphers, no DES, no MD5
no SHA1 and follow the recommendations outlined by bettercrypto.org and
SSLlabs. Since then we optimized this several times based on new findings.

Bottom line: The encryption on BlueOnyx is as secure as the base OS
allows us to. We're *not* vulnerable to:

- BEAST attack (*)
- POODLE (SSLv3)
- POODLE (TLS)
- Downgrade attack
- Heartbeat
- Ticketbleed
- OpenSSL CCS vuln. (CVE-2014-0224)
- OpenSSL Padding vuln. (CVE-2016-2107)

(*) See: https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat

The SSL-test from Symantec is rubbish. Please try this one:

https://www.ssllabs.com/ssltest/

As for TLS in general: I'm currently working on a GUI extension that
will allow server admins to disable TLSv1.0 and TLSv1.1 if they want to
do so. Which would only leave TLSv1.2 enabled.

However: This is a bit overkill, because clients will always negotiated
the best common protocol and ciphers between client and server. So even
if you have TLSv1.0 enabled, you can be certain that all clients that
support TLSv1.2 will end up using TLSv1.2 when talking with a BlueOnyx.

-- 
With best regards

Michael Stauber

More information about the Blueonyx mailing list