Logjam attack Pure-ftpd question

Discussion in 'HOWTO-Related Questions' started by orasis, May 21, 2015.

  1. orasis

    orasis Member

    Hi, in the recent HOWTO of this page: https://www.howtoforge.com/tutorial...-and-ubuntu-server-against-the-logjam-attack/
.. in the Pure-ftpd section it says "and enter the following cipher list:", followed by this code line:
    Code:
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    I had previously followed a HOWTO related to the "POODLE SSL attack": http://www.howtoforge.com/how-to-secure-your-ispconfig-3-server-against-the-poodle-ssl-attack
    .. so my question is: do I add the new code to the already existing line in this file, or do I replace it?
    Currently my /etc/pure-ftpd/conf/TLSCipherSuite has this code inside:
    Code:
    HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
    Should I just add the new code line like this?
    Code:
    HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    .. or should I just remove the previous line completely?

    Thanks for the great tutorial and the notification.
    Waiting for your reply.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Replace it. The new code is simply a more detailed list based on the recommendations from weakdh.org.
     
    mlmateos and orasis like this.
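    As an added illustration (not code from this thread or from the HOWTO), here is a small parser for the OpenSSL cipher-list syntax that pure-ftpd's TLSCipherSuite file uses. It compares the old POODLE-era string with the new list from the question, and also shows what happens if the new list is merely appended: the "!" exclusions still apply, but "HIGH" and "MEDIUM" stay in front and keep deciding the server's preference order, which is why replacing the line is the right move. The baseline set of aliases it checks for is my own assumption, not something the thread states.

```python
# Added example, not from the thread: inspect OpenSSL cipher strings as used in
# pure-ftpd's /etc/pure-ftpd/conf/TLSCipherSuite.
from typing import NamedTuple

# Both strings are copied from the thread above.
OLD_LIST = "HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3"
NEW_LIST = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"


class Token(NamedTuple):
    op: str       # "" add, "!" remove permanently, "+" move to end, "-" remove (re-addable)
    names: tuple  # "kEDH+AESGCM" means a suite must match every listed alias


def parse(cipher_string: str) -> list:
    """Split an OpenSSL cipher string into operator-prefixed tokens."""
    tokens = []
    for raw in cipher_string.split(":"):
        if not raw:
            continue
        op = raw[0] if raw[0] in "!+-" else ""
        tokens.append(Token(op, tuple(raw[len(op):].split("+"))))
    return tokens


def permanently_removed(cipher_string: str) -> set:
    """Aliases killed with '!': OpenSSL never re-adds them, whatever follows."""
    return {n for t in parse(cipher_string) if t.op == "!" for n in t.names}


# Assumed baseline: aliases a hardened list should explicitly forbid. Note that
# "HIGH" alone still matches anonymous (aNULL) suites, so "!aNULL" matters.
BASELINE = {"aNULL", "eNULL", "EXPORT", "RC4", "MD5"}


def missing_exclusions(cipher_string: str) -> list:
    """Baseline aliases the string does not explicitly forbid."""
    return sorted(BASELINE - permanently_removed(cipher_string))


def leading_positive_tokens(cipher_string: str) -> list:
    """Positive tokens in order: a suite keeps the position where it was first
    added, so the earliest tokens decide the server's preference order."""
    return ["+".join(t.names) for t in parse(cipher_string) if t.op == ""]


if __name__ == "__main__":
    for label, s in (("old", OLD_LIST), ("new", NEW_LIST), ("appended", OLD_LIST + ":" + NEW_LIST)):
        print(label, "missing:", missing_exclusions(s), "leads with:", leading_positive_tokens(s)[:2])
```

    Running it shows the old list lacks the explicit "!aNULL"/"!EXPORT"/"!RC4"/"!MD5" exclusions, and that the appended variant still leads with HIGH:MEDIUM rather than the ECDHE suites.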
  3. orasis

    orasis Member

    till! Thanks! :D
    Have a great day,
    George
     
  4. orasis

    orasis Member

    Oh, by the way, do you think re-generating all self-signed protocols is a good idea, or would that be useless in this case?
     