Hi,
By now you have probably been made aware of a security deficiency in
the design of SSL 3.0 which has been dubbed "POODLE". Here's some
more info:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because, unless this script is flawed:
https://gist.github.com/bitfolk/18e8f48ebe937e802967
then there are over 150 customer IPs at BitFolk that are still
supporting SSLv3 on port 443.
I don't intend to open tickets with individual customers and nag
until this is fixed, because it's very time-consuming to do that.
To check if your server needs reconfiguring:

    https://www.tinfoilsecurity.com/poodle

To disable SSLv3 on Apache newer than 2.2:

    Add "-SSLv3" to the end of the "SSLProtocol" line which can
    normally be found in /etc/apache2/mods-available/ssl.conf on
    Debian and Ubuntu.

On Apache 2.2 or older:

    You'll need to use "SSLProtocol TLSv1"

Nginx:

    Make sure that the "ssl_protocols" line does not contain the
    string "SSLv3". e.g.:

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    is good.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
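
An offline check of the Apache and Nginx settings described in the message above, as an added example that is not part of the original message and is not the script linked from it. The function names and the sample directives are constructed for illustration. It assumes that "all" in SSLProtocol includes SSLv3 and that +/- prefixes are applied left to right, and it only evaluates directives that are present in the text (server defaults are not considered).

```python
import re
import sys

# Constructed sample directives (not from any real server).
SAMPLE = """\
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol TLSv1
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# SSLProtocol +SSLv3
"""

DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+(.+?)\s*;?\s*$", re.IGNORECASE)

def apache_allows_sslv3(value):
    """Walk an SSLProtocol value left to right (assumed model of the directive)."""
    enabled = False
    for tok in value.split():
        action = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        if name in ("sslv3", "all"):      # assumption: "all" includes SSLv3
            enabled = action != "-"
        elif not action:                  # bare protocol replaces the whole set
            enabled = False
    return enabled

def audit(text):
    """Return [(line_number, directive)] for directives that leave SSLv3 on."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]       # drop comments
        match = DIRECTIVE.match(line)
        if not match:
            continue
        name, value = match.group(1).lower(), match.group(2)
        if name == "sslprotocol":
            bad = apache_allows_sslv3(value)
        else:                             # Nginx: plain list of protocol names
            bad = "SSLv3" in value.split()
        if bad:
            findings.append((number, line.strip()))
    return findings

if __name__ == "__main__":
    # Audit the files named on the command line, or the sample if none given.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE]
    for text in texts:
        for number, directive in audit(text):
            print(f"line {number}: SSLv3 still enabled: {directive}")
```

Run it with the paths of your own Apache or Nginx configuration files as arguments; with no arguments it reports on the constructed sample.
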
Hi,
Around 1432Z IPv6 connectivity to all hosts was lost, and VPSes on
kwak.bitfolk.com became unreachable (both IPv4 and v6).
Subsequent investigation has revealed that kwak.bitfolk.com was
unexpectedly power cycled and returned in a configuration that had
no networking.
IPv6 connectivity was restored at around 1503Z and VPSes hosted on
kwak.bitfolk.com are now in the process of being booted again.
If you are unable to reach your VPS, and it is hosted on
kwak.bitfolk.com¹, please log in to your Xen Shell and look at its
console to see what is happening:
https://tools.bitfolk.com/wiki/Xen_Shell
There is a high possibility that the VPS is still booting, is
performing a filesystem check, or has failed to boot because of some
configuration problem local to your VPS.
If you have ruled all of those out then please do send a support
ticket to support(a)bitfolk.com. For those of you with Nagios
monitoring set up I will be watching to make sure any alerts
recover where that is within my power.
To follow:
- How kwak came to be power cycled
- Why it didn't boot with networking enabled
- Why IPv6 broke for everyone even though it should have failed over
to another router.
Cheers,
Andy
¹ If you don't know, you can find out which piece of hardware your
VPS is hosted on as follows:
https://bitfolk.com/customer_information.html#toc_3_Which_piece_of_actual_h…
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Please consider the environment before reading this e-mail.
— John Levine