How to disable insecure protocols and ciphers?


James Bearden

Apr 5, 2015 09:33:11
To: mojol...@googlegroups.com
Hello,

I am using the standard version of Mojolicious that comes with Ubuntu 14.04 (4.63) with a secure certificate. I tried a while ago to proxy through Apache, but after a bunch of research, trial, and error I ended up with an open proxy for my troubles. So now I just have Mojolicious serving up pages directly. It's working great, but when I test my SSL setup at https://www.ssllabs.com/ssltest/ it suggests that I disable the SSL 3 protocol and RC4 protocol.

So how do I go about doing that?

James

Dan Book

Apr 5, 2015 13:25:55
To: mojol...@googlegroups.com
Hello,
If you are using the latest version of IO::Socket::SSL it should use the appropriate protocols and ciphers. Try updating that module.
-Dan

--
You received this message because you are subscribed to the Google Groups "Mojolicious" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mojolicious...@googlegroups.com.
To post to this group, send email to mojol...@googlegroups.com.
Visit this group at http://groups.google.com/group/mojolicious.
For more options, visit https://groups.google.com/d/optout.

James Bearden

Apr 10, 2015 08:29:57
To: mojol...@googlegroups.com
Unfortunately using stock debs prevents me from (easily) upgrading any perl module, including IO::Socket::SSL. However, after a bit of research I decided to edit Mojo/IOLoop/Server.pm and tweak how Mojo invokes IO::Socket::SSL. The change is below, and it's not a great solution but I am trying to optimize here and not fix an actual bug. The worst thing that can happen is that a new version of Mojo is released for Ubuntu 14.04 LTS and I lose this optimization. With this change my ssllabs score went from a B to an A-. I WOULD have to upgrade my version of IO::Socket::SSL to get any higher at this point.

 SSL_version => 'SSLv23:!SSLv3:!SSLv2',
 SSL_cipher_list => 'ALL:!LOW:!EXP:!aNULL:!RC4',

Just to be clear, if you are using cpan or something like that to use the latest version of everything I'm sure that you are already covered and you can ignore this thread. I have just made the decision to A) ensure my development and production environments are always identical, B) schedule all my conversion effort, risk, and pain for when a new version of Ubuntu LTS comes out, and C) not be rushed to roll out those changes until they are well tested.

James
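An added check, not code from the thread or from Mojolicious: once the IO::Socket::SSL options above are in place (or the module has been updated as Dan suggests), this Perl script probes the running server with IO::Socket::SSL itself and reports what a default client negotiates, then confirms that an SSLv3-only handshake and an RC4-only cipher list are both refused. The host and port are placeholders; `probe` is a helper defined here, and the SSL_VERIFY_NONE setting is deliberate because the script tests protocol configuration, not certificate identity.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): probe a TLS server with IO::Socket::SSL
# to confirm SSLv3 and RC4 are refused and to show the default negotiation.
use strict;
use warnings;
use IO::Socket::SSL;
use Net::SSLeay;

my ($host, $port) = @ARGV;
$host //= 'localhost';   # placeholder: your Mojolicious daemon
$port //= 443;

# Version report: Dan's advice was to update IO::Socket::SSL, so show what is loaded.
printf "IO::Socket::SSL %s, %s\n",
    IO::Socket::SSL->VERSION, Net::SSLeay::SSLeay_version(0);

# Attempt one handshake with extra options; return a short result string.
sub probe {
    my (%opt) = @_;
    my $sock = eval {
        IO::Socket::SSL->new(
            PeerHost        => $host,
            PeerPort        => $port,
            SSL_verify_mode => SSL_VERIFY_NONE,   # probing config, not identity
            Timeout         => 5,
            %opt,
        );
    };
    unless ($sock) {
        my $why = $@ || $IO::Socket::SSL::SSL_ERROR || $!;
        return "refused ($why)";
    }
    my $result = sprintf "accepted: %s / %s",
        $sock->get_sslversion, $sock->get_cipher;
    $sock->close(SSL_ctx_free => 1);
    return $result;
}

# 1. Default negotiation: what an ordinary client ends up with.
printf "%-20s %s\n", 'default:', probe();
# 2. SSLv3 only: must be refused once the server has !SSLv3.
printf "%-20s %s\n", 'SSLv3 only:', probe(SSL_version => 'SSLv3');
# 3. RC4-only cipher list: must be refused once the server has !RC4.
printf "%-20s %s\n", 'RC4 ciphers only:', probe(SSL_cipher_list => 'RC4');
```

Run it as `perl probe.pl your.host 443`. Read the two "refused" lines with care: on a machine whose OpenSSL was built without SSLv3 or RC4, the probe fails on the client side before any packet is sent, which proves nothing about the server. A conclusive test needs a client that still supports those options, which is why the ssllabs scan James used remains the better external check.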

Helmut Wollmersdorfer

Apr 10, 2015 09:55:25
To: mojol...@googlegroups.com


On Friday, 10 April 2015 14:29:57 UTC+2, James Bearden wrote:
Unfortunately using stock debs prevents me from (easily) upgrading any perl module, including IO::Socket::SSL.

Sooner or later you will give up using stock debs for perl-modules.

Best practice is maybe to build your own package of your App and declare the dependencies in it with minimum versions, and then install it with cpan or cpanm.

You never can be sure to have everything the same between your dev and production. Thus make it portable in stressing the tests by using different perls in development, using perlbrew.

Helmut Wollmersdorfer

Joel Berger

Apr 10, 2015 11:01:02
To: mojol...@googlegroups.com


On Friday, April 10, 2015 at 7:29:57 AM UTC-5, James Bearden wrote:
Unfortunately using stock debs prevents me from (easily) upgrading any perl module, including IO::Socket::SSL.

Ah the "because I have to use the approved/vetted (ha!) pre-built binary packages I'm now being insecure. I wish companies would get over this insane addiction to packages. Sigh