Hi, Could anyone please tell me what are the versions of apache and openssl in RAIDiator 4.2.27.?Thank you in advance.

I have been playing yesterday with https://www.ssllabs.com/ssltest.With default settings I'm getting grade F!With only one line of adjustments my grade was bumped to B.This server does not mitigate the CRIME attack. Grade capped to B.Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2. MORE INFO »The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.The server does not support Forward Secrecy with the reference browsers. MORE INFO »The only think I can improve is generate new certificate with SHA2. Rest is limited by software. Further more I can't use ECDH because it requires at least TLSv1.1. Therefore a suggestion to improve apache security out of the box (disable NULL, aNULL, eNULL, DES3, MD5 maybe RC4 even) and I hope we can get attention of Jedi and updating Apache and openssl to decent version will be at least discussed.

They are mentioned in the GPLWe have some security fixes in 4.2.28 beta: http://www.readynas.com/forum/viewtopic.php?f=51&t=70385Are the security fixes what you are wondering about?

I want to support TLS 1.2 and I have very outdated openssl.I want to support Forward Secrecy and for that I need never version of apache and ssl and finally I want to be able to turn off SSLCompression. That directive is working with apache 2.2.24 afair other sources saying 2.4.x.Anyway, are you aware of the versions in current latest RAIDiator?

It's 2.2.6 in RAIDiator 4.2.x, I think.The OS6 beta firmware has 2.2.29

I have some older version of RAIDiator and it is indeed 2.2.6 which is way too old. Why newer versions of apache aren't included? Latest version is 2.4.12.Now I wound't expect to have latest version with every RAIDiator update but apache 2.2.6 was realease in September 2007!Can we expect to see apache updated?

Apache and openssl version RAIDiator 4.2.27.

13 Replies

Replies have been turned off for this discussion

bbaraniec

Luminary

Apr 01, 2015

I am using a PKI certificate and if I remember correctly by the time of csr there was no option for SHA2.
At the moment my connection is encrypted using EAS_256_CBC with SHA1 and DHE_RSA as key exchange that's TLSv1. I have turned off all SSLs.
I want to fix that week spot:

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 256

The perfect choice would be
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL + TLSv1.2 but EECDH is not supported and I haven't tested AES256+EDH yet.

StephenB
Guru - Experienced User
Apr 01, 2015
You'd need to work with your cert authority on sha-256 hashing.

I believe your three weak spots on encryption are because of DH 1024 bits. Updating apache might be needed to shore that up.

Forum Discussion

Apache and openssl version RAIDiator 4.2.27.

13 Replies

Related Content

New - RS700S Firmware Version 1.0.9.16 Released

New - RBE970 / RBE971 Firmware Version 9.13.2.1 Released

New - RBE770 / RBE771 Firmware Version 10.5.20.7 Released

New - RBE770 / RBE771 Firmware Version 10.5.20.3 Released

New - RS280/RS300 Firmware Version 1.0.5.18 Released

NETGEAR Academy

ProSupport for Business