Due to a bug in mod_ssl, the ability to remove TLS 1.0 (and only support TLS 1.1 and/or TLS 1.2) has not been available. The fix has now made it to CentOS 6, so you can fine-tune your cryptographic protocols with ease.
Before the fix my /etc/httpd/conf.d/ssl.conf file had this line:
SSLProtocol all -SSLv2 -SSLv3
This allows all SSL/TLS protocols except SSLv2 and SSLv3 to be used with httpd. This isn’t a bad solution, but there are a couple of sites that I’d prefer to further lock down by removing TLS 1.0 and TLS 1.1. With the fix now in mod_ssl, my settings can look like this:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
…and I’ll only support TLS 1.2 and beyond. Of course, doing this will significantly reduce the number of clients that can connect to my server. According to SSLLabs I’m blocking all IE users before IE 11, Android before 4.4.2, Java 7, and Firefox 24.2.0 ESR. But luckily I really don’t have a problem with any of these browsers for a couple of things I do, so I’ll likely tighten up security there and leave my more public sites alone.
NSS and mod_nss for httpd weren’t discussed because they’re not in use on my systems. It should be noted that mod_nss can be configured similarly to mod_ssl; however, mod_nss does not support TLS 1.2 and you’ll max out at TLS 1.1.
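As an added example (not from the original post), here is a small Python check that applies mod_ssl's SSLProtocol semantics to the two lines above and flags any version below TLS 1.2. The expansion of `all` to the five protocol names is an assumption about this mod_ssl build, and the ssl.conf fragment is constructed.

```python
# Weakest to strongest; assumed expansion of "all" for this mod_ssl build.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

def effective_protocols(directive: str) -> list:
    """Return the protocols an 'SSLProtocol ...' line enables, weakest first.
    mod_ssl applies the words left to right: 'all' expands to every protocol
    the build knows, '+name' adds one, '-name' removes one, and a bare name
    selects exactly that protocol."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else [name]
        unknown = [n for n in names if n not in ALL_PROTOCOLS]
        if unknown:
            raise ValueError("unknown protocol keyword(s): %s" % unknown)
        if action == "-":
            enabled.difference_update(names)
        elif action == "+":
            enabled.update(names)
        else:
            enabled = set(names)  # a bare keyword replaces the current set
    return [p for p in ALL_PROTOCOLS if p in enabled]

def check_config(conf_text: str, minimum: str = "TLSv1.2") -> dict:
    """Map each SSLProtocol line in an ssl.conf body to the versions it
    enables and to those that fall below the required minimum."""
    floor = ALL_PROTOCOLS.index(minimum)
    report = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("sslprotocol "):  # skips comments/blanks
            enabled = effective_protocols(line)
            weak = [p for p in enabled if ALL_PROTOCOLS.index(p) < floor]
            report[line] = {"enabled": enabled, "too_weak": weak}
    return report

# Constructed ssl.conf fragment holding the post's "before" and "after" lines.
SAMPLE_CONF = """# before the mod_ssl fix
SSLProtocol all -SSLv2 -SSLv3
# after the fix
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
"""

if __name__ == "__main__":
    for line, result in check_config(SAMPLE_CONF).items():
        print(line, "->", result["too_weak"] or "OK")
```

Because a bare keyword replaces the set, `SSLProtocol TLSv1.2` and `SSLProtocol -all +TLSv1.2` both evaluate to TLS 1.2 only, which the check reports as OK.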
I was surprised at the difference three and a half megahertz made this evening. While chatting with my friend Emily, N1DID, we started trying different bands to check for a better signal. Fifteen meters was okay but twelve was better. We decided to try ten meters for the heck of it and the almost full-quieting signal of Emily’s was not heard at all just three and a half megahertz up the band. Somewhere in that little bit of bandwidth the signal, instead of being returned to Earth via the ionosphere, was being shot into space with little hope that Emily would hear it. I guess we found our maximum usable frequency!
My friend Hubert has been doing a lot of work to make the world a little safer. Glad he’s getting some recognition. Here’s a great article on testing your server for proper SSL/TLS configurations.
Yesterday I was tuning around 20 meters and heard packet! Wow, it’s been years since I’ve used packet (outside of APRS which is a different animal when compared to this). Turns out I stumbled onto the Net105 frequency with all of their users. It’s quite busy there and I’ve seen stations from Florida and Colorado and everywhere in between.
I still enjoy packet radio and even worked two stations, keyboard to keyboard, this morning. I may try to put up something more permanent for the network. If I can find a KAM+ I should be able to hook an HF radio and a VHF/UHF radio together and provide a gateway for myself and anyone else that wants to join in.
We’ll see what happens in the future.
As I mentioned a few weeks ago, I bought a UHF repeater and put it on the air at the Mt. Hope tower site here in Calvert County. This was a temporary test which allowed me and other CARA club members (and anyone else) to see what UHF would do in our area. Turns out, the system did quite well.
We estimated ~3 watts was being seen at the antenna. That’s not a lot of power and we weren’t expecting very good performance. Turns out, that ~3 watts was enough to give us pretty good coverage, about a 15 to 20 mile radius with several longer distances seen.
We have now replaced the repeater with a Yaesu repeater and better duplexers. We’re now seeing about 45 watts ERP and a better footprint (around 35 mile radius).
This has been a good experiment. I’ll be moving on to stage two for my repeater project.