[SAC] [OSGeo] #1480: osgeo.org vulnerable to FREAK SSL/TLS vulnerability

#1480: [SAC] osgeo.org vulnerable to FREAK SSL/TLS vulnerability
---------------------------+------------------------------------------------
Reporter: dmorissette | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Keywords:
---------------------------+------------------------------------------------
Hi SAC, this is a heads up that osgeo.org is potentially vulnerable to the
new FREAK SSL/TLS vulnerability that was reported yesterday:

More about the vulnerability at https://freakattack.com/

The page above points to a list of potentially vulnerable domains where
osgeo.org is listed:

https://freakattack.com/vulnerable.txt
{{{
67635,osgeo.org,140.211.15.66
}}}

Not sure what is involved with this, but I just thought I'd share the info
here.

--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/1480>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

Comment(by wildintellect):

The solution is to modify a few lines in the apache SSL conf to disable
clients from being able to downgrade the cipher.

This site will help generate the correct lines to disable bad ciphers.
Need the apache version and ssl version. This fix is similar to previous
SSL related fixes over the last year.
https://mozilla.github.io/server-side-tls/ssl-config-generator/

--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/1480#comment:1>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

Comment(by wildintellect):

So I tried Modern which includes -TLSv1 and that wouldn't start, dropping
it works. But eventually we should also drop TLSv1 support. This
adjustment should be applied to all osgeo SSL configured servers.

{{{
     SSLProtocol all -SSLv2 -SSLv3
     SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
     SSLHonorCipherOrder on
}}}

--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/1480#comment:2>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.
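The two comments above describe the fix (generate a hardened `SSLCipherSuite`/`SSLProtocol` set and roll it out to every OSGeo SSL server). The script below is an added example, not code from the ticket or from OSGeo, that lints an Apache mod_ssl fragment for the properties that fix depends on: SSLv2/SSLv3 disabled, explicit kill rules for export-grade (the family FREAK abuses) and other broken cipher families, no broad positive aliases, and `SSLHonorCipherOrder on`. It assumes Apache 2.4 semantics for the `all` keyword (which already excludes SSLv2); the "weak" sample config is constructed for illustration, while the hardened sample is the directive set from comment 2.

```python
"""Lint Apache mod_ssl directives for the settings the FREAK fix relies on."""
import re
from typing import Dict, List, Set

# Assumption: Apache 2.4 semantics, where the "all" keyword excludes SSLv2.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in APACHE_ALL | {"SSLv2", "TLSv1.3"}}

# OpenSSL cipher-string kill rules the Mozilla generator emits. Export-grade
# suites (!EXPORT) are what FREAK abuses; the others are the usual broken
# families that should be excluded alongside them.
REQUIRED_KILLS = {
    "export-grade": ("!EXPORT", "!EXP"),
    "anonymous key exchange": ("!aNULL",),
    "null encryption": ("!eNULL",),
    "RC4": ("!RC4",),
    "MD5 MAC": ("!MD5",),
}
# Aliases that pull whole families in; a positive use deserves a finding.
PERMISSIVE_ALIASES = {"ALL", "COMPLEMENTOFALL", "DEFAULT", "LOW",
                      "EXP", "EXPORT", "EXPORT40", "EXPORT56"}

# Constructed sample: a permissive config of the kind the ticket worries about.
WEAK_CONF = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:LOW:EXP:!aNULL
"""

# The directive set posted in comment 2 of the ticket.
HARDENED_CONF = """\
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
"""


def parse_directives(conf: str) -> Dict[str, str]:
    """Map each SSL* directive (lower-cased) to its last value; comments skipped."""
    out: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("ssl"):
            out[parts[0].lower()] = parts[1].strip().strip('"')
    return out


def enabled_protocols(value: str) -> Set[str]:
    """Apply mod_ssl's +/-/all rules to an SSLProtocol value, left to right."""
    enabled: Set[str] = set()
    for tok in value.split():
        negate = tok.startswith("-")
        name = tok.lstrip("+-")
        names = set(APACHE_ALL) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        enabled = enabled - names if negate else enabled | names
    return enabled


def audit(conf: str) -> List[str]:
    """Return findings for one config fragment; an empty list means it passes."""
    d = parse_directives(conf)
    findings: List[str] = []

    # Apache's default for SSLProtocol is "all", so a missing directive is checked too.
    for legacy in ("SSLv2", "SSLv3"):
        if legacy in enabled_protocols(d.get("sslprotocol", "all")):
            findings.append(f"SSLProtocol leaves {legacy} enabled")

    tokens = {t.upper() for t in re.split(r"[:,\s]+", d.get("sslciphersuite", "")) if t}
    for family, kills in REQUIRED_KILLS.items():
        if not any(k.upper() in tokens for k in kills):
            findings.append(f"SSLCipherSuite has no kill rule for {family} suites ({' or '.join(kills)})")
    for alias in sorted(tokens & PERMISSIVE_ALIASES):
        findings.append(f"SSLCipherSuite positively includes broad alias {alias}")

    # Without this the client's preference order decides which suite is used.
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on, so the client's preference picks the suite")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

The kill-rule check is belt-and-braces: it confirms the intent of the string, not what a given OpenSSL build actually enables. For the definitive answer on a server, expand the string there with `openssl ciphers -v '<the SSLCipherSuite value>'` and confirm no EXP, RC4, NULL or MD5 suites are listed before restarting Apache.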

Comment (by robe):

Is this still an issue or can we close?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1480#comment:3>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

#1480: [SAC] osgeo.org vulnerable to FREAK SSL/TLS vulnerability
---------------------------+----------------------
Reporter: dmorissette | Owner: sac@…
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: wontfix
Keywords: |
---------------------------+----------------------
Changes (by strk):

* status: new => closed
* resolution: => wontfix

Comment:

I'm closing for lack of feedback. We need champions, no champion, no
change.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1480#comment:4>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.