From owner-freebsd-ports@FreeBSD.ORG Tue Jun 2 00:10:02 2015 Return-Path: Delivered-To: freebsd-ports@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5D1312E6 for ; Tue, 2 Jun 2015 00:10:02 +0000 (UTC) (envelope-from fullermd@over-yonder.net) Received: from thyme.infocus-llc.com (thyme.infocus-llc.com [199.15.120.10]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3809E15FD for ; Tue, 2 Jun 2015 00:10:02 +0000 (UTC) (envelope-from fullermd@over-yonder.net) Received: from draco.over-yonder.net (c-75-65-60-66.hsd1.ms.comcast.net [75.65.60.66]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by thyme.infocus-llc.com (Postfix) with ESMTPSA id 52AE237B54F; Mon, 1 Jun 2015 19:09:55 -0500 (CDT) Received: by draco.over-yonder.net (Postfix, from userid 100) id 3m0tzQ5gwKz1lZ; Mon, 1 Jun 2015 19:09:54 -0500 (CDT) Date: Mon, 1 Jun 2015 19:09:54 -0500 From: "Matthew D. Fuller" To: Tim Daneliuk Cc: FreeBSD Ports Mailing List Subject: Re: Port Fetch Failing Message-ID: <20150602000954.GF1733@over-yonder.net> References: <556CEBE2.7030005@tundraware.com> <556CEEB8.2090406@delphij.net> <556CF2B1.30100@tundraware.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <556CF2B1.30100@tundraware.com> X-Editor: vi X-OS: FreeBSD User-Agent: Mutt/1.5.23-fullermd.4 (2014-03-12) X-Virus-Scanned: clamav-milter 0.98.7 at thyme.infocus-llc.com X-Virus-Status: Clean X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2015 00:10:02 -0000 On Mon, Jun 01, 2015 at 07:02:57PM -0500 I heard the voice of Tim Daneliuk, and lo! it spake thus: > > This is what happens when you are: A) In a hurry and B) Paranoid and > C) Willing to copypasta a config without thought :( > > Thanks to you and Chuck, I have a more reasonable (I think): > > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:-eNULL:-SSLv3:-SSLv2:TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA256 That still looks awful weird. Paranoid, and enabling +LOW? If you're having to explicitly list ciphers, you're probably on the wrong path... And I suspect the "-SSLv3:-SSLv2" isn't really what you want. You probably want to disable the _protocols_, not the _ciphers_. e.g., on a 10.x machine, I have SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4 SSLProtocol All -SSLv2 -SSLv3 (I figure every extra character on the CipherSuite line means either I'm way smarter, or way dumber. And there's only so much smarter I can get, so...) -- Matthew Fuller (MF4839) | fullermd@over-yonder.net Systems/Network Administrator | http://www.over-yonder.net/~fullermd/ On the Internet, nobody can hear you scream.