Date: Sun, 07 Jun 2015 10:20:09 -0500
From: Tim Daneliuk <tundra@tundraware.com>
To: Roger Marquis <marquis@roble.com>
Cc: FreeBSD Ports Mailing List <freebsd-ports@FreeBSD.ORG>
Subject: Re: Port Fetch Failing
Message-ID: <55746129.2060406@tundraware.com>
In-Reply-To: <201506020139.t521dlZx018515@ozzie.tundraware.com>
References: <556CEBE2.7030005@tundraware.com> <556CEEB8.2090406@delphij.net> <556CF2B1.30100@tundraware.com> <20150602000954.GF1733@over-yonder.net> <201506020139.t521dlZx018515@ozzie.tundraware.com>
On 06/01/2015 08:25 PM, Roger Marquis wrote:
> SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> SSLProtocol all -SSLv2 -SSLv3
> SSLCompression off
> SSLHonorCipherOrder on
> This certainly works.
>
> If you're processing credit cards SSLProtocol will need to be expanded to
> "-SSLv2 -SSLv3 -TLSv1" by 2016/07 (for PCI compliance) and if you have
> good reason to be paranoid and all of your clients are up-to-date, add
> "-TLSv1.1".

And there's the rub. TLS1 is known to be weak, susceptible to Poodle (so is 1.1 as I understand it), and I'd love to turn it off. Unfortunately, that's exactly what the FreeBSD ports mechanism wants to use to get port sources, as best as I can determine. Every time I do -TLS1, port fetches start to break. Is there a plan, I wonder, to move to TLS 1.2 and be done with this?

-- 
----------------------------------------------------------------------------
Tim Daneliuk tundra@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
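To make the three SSLProtocol variants in this exchange concrete, here is a small added evaluator (my own example, not code from the thread or from httpd): it expands an SSLProtocol value into the set of versions left enabled, using httpd's documented left-to-right token semantics, and then shows why a client that only speaks TLSv1 gets no common version once -TLSv1 is added. The ALL_VERSIONS tuple is an assumption about which versions the build knows; httpd 2.4 builds no longer know SSLv2, so trim it to match yours.

```python
"""Evaluate an Apache SSLProtocol directive and check client compatibility."""

# Assumption: the versions this (hypothetical) httpd/OpenSSL build knows,
# oldest first. Ordering by position in this tuple gives "highest version".
ALL_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def enabled_protocols(directive):
    """Return the set of versions an SSLProtocol value leaves enabled.

    Tokens are applied left to right, as httpd documents them: "all" expands
    to every known version, "+X" or bare "X" adds X, "-X" removes X.
    """
    enabled = set()
    for token in directive.split():
        remove = token.startswith("-")
        name = token.lstrip("+-")
        names = ALL_VERSIONS if name.lower() == "all" else (name,)
        for v in names:
            if v not in ALL_VERSIONS:
                raise ValueError("unknown SSLProtocol keyword: %r" % token)
            if remove:
                enabled.discard(v)
            else:
                enabled.add(v)
    return enabled


def negotiated_version(server_directive, client_versions):
    """Highest version both sides allow, or None when the handshake must fail.

    Models a client such as a fetch tool that only speaks the versions in
    client_versions against a server configured with server_directive.
    """
    common = enabled_protocols(server_directive) & set(client_versions)
    if not common:
        return None
    return max(common, key=ALL_VERSIONS.index)


if __name__ == "__main__":
    # Constructed scenarios from the thread: the working line, the PCI line
    # due 2016/07, and the "paranoid" line, each against a TLSv1-only client.
    for server in ("all -SSLv2 -SSLv3",
                   "all -SSLv2 -SSLv3 -TLSv1",
                   "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"):
        print("%-36s enabled=%s  TLSv1-only client -> %s" % (
            server, sorted(enabled_protocols(server), key=ALL_VERSIONS.index),
            negotiated_version(server, {"TLSv1"})))
```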