Hi,
By now you have probably been made aware of a security deficiency in
the design of SSL 3.0 which has been dubbed "POODLE". Here's some
more info:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because, unless this script is flawed:
https://gist.github.com/bitfolk/18e8f48ebe937e802967
then there are over 150 customer IPs at BitFolk that are still
supporting SSLv3 on port 443.
I don't intend to open tickets with individual customers and nag
until this is fixed, because it's very time-consuming to do that.
To check if your server needs reconfiguring:
https://www.tinfoilsecurity.com/poodle
To disable SSLv3 on Apache newer than 2.2:
Add "-SSLv3" to the end of the "SSLProtocol" line which can
normally be found in /etc/apache2/mods-available/ssl.conf on
Debian and Ubuntu.
On Apache 2.2 or older:
You'll need to use "SSLProtocol TLSv1"
Nginx:
Make sure that the "ssl_protocols" line does not contain the
string "SSLv3". e.g.:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
is good.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
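An added example (not part of Andy's message or the linked gist) that audits Apache and nginx configuration text for the two directives the message names, expanding Apache's SSLProtocol "all"/"+"/"-" syntax the way mod_ssl does and treating nginx's ssl_protocols as a plain whitelist. The set that "all" expands to, and the defaults applied when the directive is absent, are assumptions for this example (an httpd built against OpenSSL 1.0.1, and nginx from before it dropped SSLv3); the sample config lines are constructed.

```python
import re

# Assumption: what SSLProtocol "all" expands to for httpd built against
# OpenSSL 1.0.1 (older builds may also include SSLv2; "no-ssl3" builds drop SSLv3).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANONICAL = {p.lower(): p for p in APACHE_ALL | {"SSLv2"}}
INSECURE = {"SSLv2", "SSLv3"}

# Assumption: defaults used when the directive is missing entirely
# (Apache of that era: "all"; nginx before 1.9.1: SSLv3 plus TLS 1.0-1.2).
DEFAULTS = {
    "apache": set(APACHE_ALL),
    "nginx": {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
}


def apache_enabled_protocols(value):
    """Expand an SSLProtocol value following mod_ssl's rules: a bare name
    selects it, "all" selects the whole set, "+name" adds and "-name" removes
    from the running set, evaluated left to right."""
    enabled = set()
    for token in value.split():
        sign = token[0] if token[0] in "+-" else ""
        bare = token[len(sign):]
        names = set(APACHE_ALL) if bare.lower() == "all" else {CANONICAL.get(bare.lower(), bare)}
        if sign == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def nginx_enabled_protocols(value):
    """ssl_protocols lists exactly the enabled protocols; drop the ';'."""
    return {CANONICAL.get(t.lower(), t) for t in value.rstrip(";").split()}


DIRECTIVES = {
    "apache": ("SSLProtocol", apache_enabled_protocols),
    "nginx": ("ssl_protocols", nginx_enabled_protocols),
}


def audit_config(text, server):
    """Return a list of (line_number, line, enabled_protocols) for every
    directive occurrence that leaves SSLv2 or SSLv3 enabled. If the directive
    never appears, line 0 reports the assumed default instead."""
    directive, expand = DIRECTIVES[server]
    findings, seen = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        m = re.match(rf"{re.escape(directive)}\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        seen = True
        enabled = expand(m.group(1))
        if enabled & INSECURE:
            findings.append((lineno, raw.strip(), enabled))
    if not seen and DEFAULTS[server] & INSECURE:
        findings.append((0, f"(no {directive} directive; default applies)", DEFAULTS[server]))
    return findings


if __name__ == "__main__":
    # Constructed samples: one vulnerable and one fixed line for each server.
    samples = [
        ("apache", "SSLProtocol all\n"),
        ("apache", "SSLProtocol all -SSLv3\n"),
        ("apache", "SSLProtocol TLSv1\n"),  # the Apache 2.2 form from the message
        ("nginx", "    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"),
        ("nginx", "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"),
    ]
    for server, text in samples:
        result = audit_config(text, server)
        verdict = "needs reconfiguring" if result else "ok"
        print(f"{server:6} {text.strip():45} -> {verdict}")
```

Run it against a real /etc/apache2/mods-available/ssl.conf or an nginx site file by passing the file contents to audit_config; a vhost that sets its own SSLProtocol is reported on its own line, so each occurrence is checked rather than only the first.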

Hi,
You may be aware of the "free LWN for a year" offer:
https://tools.bitfolk.com/wiki/Free_LWN_subscriptions
The current set of subscriptions is up for renewal on 28th November
and I don't intend to renew them. Therefore those of you currently
using them are going to need to pay for an account if you wish to
continue using LWN as a subscriber after that point.
The reason for this is that for the last couple of years it's
actually been quite hard to give these away to new customers, and
it's not something I want to just keep giving away to the same
people.
I think something like an electronic subscription to Linux Voice may
be more desirable, and that's something I'm willing to explore if
they implement an institution subscription system. That is an idea
I've heard them mention in passing but I'm not sure it will ever
happen as although I think it might be a better fit for BitFolk
customers, it's hard to imagine it being that popular amongst
institutions.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting

Greetings
I'm wondering whether Bitfolk has made any preliminary plans in regards
to the still embargoed XSA-108 Xen security issue? If it turns out to be
something sufficiently bad, can we expect short notice patching-reboots?
Asking since at least both Amazon EC2 and Rackspace have scheduled
reboots, presumably XSA-108 related.
On that note, has Bitfolk made any attempts to get on the Xen
pre-disclosure list? I see that prgmr.com recently got added to it, and
they kind of appear to be in the same category as Bitfolk.
// Andreas