Port Fetch Failing

Roger Marquis marquis at roble.com
Tue Jun 2 01:25:16 UTC 2015

>> Thanks to you and Chuck, I have a more reasonable (I think):

Reasonable depends on the use case.  Though this topic would be better
discussed on freebsd-security@, the good advice given on
and <https://weakdh.org/sysadmin.html> tends to recommend:

  SSLProtocol         all -SSLv2 -SSLv3
  SSLCompression      off
  SSLHonorCipherOrder on

and if you're using httpd 2.3.3 or higher:

  SSLUseStapling          on
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors off
  SSLStaplingCache        shmcb:/var/run/ocsp(128000)

If you're processing credit cards SSLProtocol will need to be expanded to
"-SSLv2 -SSLv3 -TLSv1" by 2016/07 (for PCI compliance) and if you have
good reason to be paranoid and all of your clients are up-to-date, add

Roger Marquis

More information about the freebsd-ports mailing list