Port Fetch Failing
Tim Daneliuk
tundra at tundraware.com
Sun Jun 7 15:20:28 UTC 2015
On 06/01/2015 08:25 PM, Roger Marquis wrote:
> SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> SSLProtocol all -SSLv2 -SSLv3
> SSLCompression off
> SSLHonorCipherOrder on
>
This certainly works.
>
> If you're processing credit cards SSLProtocol will need to be expanded to
> "-SSLv2 -SSLv3 -TLSv1" by 2016/07 (for PCI compliance) and if you have
> good reason to be paranoid and all of your clients are up-to-date, add
> "-TLSv1.1".
And there's the rub. TLS1 is known to be weak, susceptible to Poodle (so is 1.1 as
I understand it, and I'd love to turn it off. Unfortunately, that's exactly
what the FreeBSD ports mechanism wants to use to get port sources as best
as I can determine. Everytime I do -TLS1, port fetches start to break.
It there a plan, I wonder to move to TLS 1.2 and be done with this?
--
----------------------------------------------------------------------------
Tim Daneliuk tundra at tundraware.com
PGP Key: http://www.tundraware.com/PGP/
More information about the freebsd-ports
mailing list