
Securing SSL for HTTP traffic

Say what!? SSL is secure; is there more to securing it? Yes.


Over the years, the "SSL" protocol has improved while the old ciphers used with it have grown weaker: they are now easier to decipher and break. So what can you do on your web server to ensure that the older protocols and ciphers aren't used? Simple. You can configure the web server to accept only STRONG ciphers and secure protocols. Here's how to configure that for lighttpd, nginx and apache:

lighttpd:
ssl.use-sslv2 = "disable"
ssl.cipher-list = "HIGH:MEDIUM:!ADH"

nginx:
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:MEDIUM:!ADH;
ssl_prefer_server_ciphers on;

apache:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

There's also a nice little script (specifically the ssl-cipher-check.pl script) out there that can assist with determining the SSL protocol and ciphers being used on a remote server. Here is the sample output:

Testing entic.net:443
TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
TLSv1:AES256-SHA - ENABLED - STRONG 256 bits


SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
SSLv3:AES256-SHA - ENABLED - STRONG 256 bits

Total Ciphers Enabled: 10

What is the downside to this? Well, we're essentially telling the web server to accept only the strong ciphers, denying anything lower. If a browser out there in some distant country requests an SSL connection over a 64-bit cipher, our web site would not load.

So, please weigh the risks and benefits before enabling these configurations.
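As an added example (not the page's ssl-cipher-check.pl script or its configs), the shell functions below read a report in the format shown above and flag protocols and suites that current guidance deprecates even where the 2010 script rated them STRONG, and expand a config cipher string such as HIGH:MEDIUM:!ADH with the local OpenSSL to show which suites it really admits. The sample report is constructed.

```shell
#!/bin/sh
# Added example; not the page's ssl-cipher-check.pl script or its configs.
# audit_cipher_report reads that script's "PROTO:CIPHER - ENABLED - ..." lines
# and flags what current guidance deprecates even where the 2010 script rated
# the suite STRONG: SSLv2, SSLv3, TLSv1 and TLSv1.1, RC4 (RFC 7465), MD5 MACs,
# 3DES (64-bit block, Sweet32) and anonymous ADH/AECDH suites.

# One reason per line for a cipher-suite name; prints nothing if it is clean.
weak_cipher_reasons() {
    case $1 in *RC4*) echo "RC4 is prohibited (RFC 7465)";; esac
    case $1 in *MD5*) echo "MD5-based MAC";; esac
    case $1 in *DES-CBC3*|*3DES*) echo "3DES, 64-bit block (Sweet32)";; esac
    case $1 in ADH-*|AECDH-*) echo "anonymous key exchange, no server authentication";; esac
}

deprecated_protocol() {
    case $1 in SSLv2|SSLv3|TLSv1|TLSv1.1) return 0;; esac
    return 1
}

# Reads a report on stdin; prints one finding per line as "PROTO:CIPHER: reason".
audit_cipher_report() {
    while IFS= read -r line; do
        case $line in *" - ENABLED - "*) ;; *) continue;; esac   # skip header/footer
        entry=${line%% - *}; proto=${entry%%:*}; cipher=${entry#*:}
        if deprecated_protocol "$proto"; then echo "$entry: deprecated protocol $proto"; fi
        weak_cipher_reasons "$cipher" | sed "s/^/$entry: /"
    done
}

# What the local OpenSSL actually admits for a config cipher string such as the
# page's "HIGH:MEDIUM:!ADH". Note that !ADH excludes only anonymous DH and leaves
# anonymous ECDH (AECDH) in, whereas the apache form's !aNULL excludes both.
expand_cipher_string() {
    openssl ciphers "${1:-HIGH:MEDIUM:!ADH}" | tr ':' '\n' | while IFS= read -r c; do
        reasons=$(weak_cipher_reasons "$c" | paste -sd ';' -)
        echo "$c: ${reasons:-ok}"
    done
}

# Constructed sample in the report format shown on the page.
SAMPLE_REPORT='Testing example.test:443
TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:AES256-SHA - ENABLED - STRONG 256 bits
TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256 - ENABLED - STRONG 128 bits
Total Ciphers Enabled: 4'

printf '%s\n' "$SAMPLE_REPORT" | audit_cipher_report
if command -v openssl >/dev/null 2>&1; then expand_cipher_string 'HIGH:MEDIUM:!ADH'; fi
```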

OpenSolaris 2010.03 is in the future!

... but it'll be more like 2010.05. We've wondered what the delay has been, and it has caused us quite a bit of stress. The X change log now clearly shows build 134a, the predecessor to OpenSolaris 2010.03. It was updated April 24th.

Several have noted the pending bugs in OpenSolaris 2010.03 as the cause for the delay. That's possible, but another reason may be that Oracle wants to remove some software it no longer wants, for example Xvm, which Oracle wants to replace with Oracle VM.

Future of OpenSolaris

Interesting little thread about the Sun/Oracle version of OpenSolaris distribution.

Let's hope this gets the momentum it needs to reach a final conclusion about the big silence from Oracle regarding OpenSolaris.

Sleeping with the iPhone... and now iPad

Quite a lot of people go to bed with their iPhone. It's nice and small and tucks away under the pillow. It's there to wake us up, and it's there telling us what to eat and when and where. It's there during our commute hours. It's there during our best friend's wedding, taking photos and recording moments.

So, what do we need the iPad for?

Will we see the iPad replace vehicle navigation systems and put TomTom out of business? Will it slowly start creeping into the traditional PC market share? Will it replace digital picture frames? Will the police use it to give us tickets on the road? Will doctors use it for reference?

YES! The iPad is not just any device. Oh, and yes, you can't use a laptop in bed, but you can use an iPad. The iPhone started the fundamental shift in computing, and we believe the iPad will continue to shape the market and our imaginations, in the App Store.

What do you guys think? What other real world applications will the iPad replace?

ZFS: Instant "online" Backups

We had several web sites hosted by lighttpd on a single server. We wanted to make online backups of them, something we'd procrastinated on for a long time! Once you see how simple it is to make online backups of your data with the ZFS file system on our OpenSolaris VPS, we hope you won't follow the same path as us, and will spend some minor time now to save some trouble later.

We wanted to make a backup of all the data in /var/lighttpd, where all of our actual web site data lives. Here's what we did.

root@mask:/# zfs create zones/mask/ROOT/lighttpd
root@mask:/# zfs get mountpoint zones/mask/ROOT/lighttpd
NAME PROPERTY VALUE SOURCE
zones/mask/ROOT/lighttpd mountpoint legacy inherited from zones/mask/ROOT
root@mask:/#

Now disable lighttpd, move the data, and create a new ZFS snapshot.

root@mask:/# svcadm disable lighttpd14
root@mask:/# mv /var/lighttpd /var/lighttpd.old
root@mask:/# zfs set mountpoint=/var/lighttpd zones/mask/ROOT/lighttpd
root@mask:/# cd /var
root@mask:/var# mv lighttpd.old/* lighttpd
root@mask:/var# zfs snapshot zones/mask/ROOT/lighttpd@backup
root@mask:/var# zfs list -t snapshot
NAME USED AVAIL REFER MOUNTPOINT
zones/mask/ROOT/lighttpd@backup 0 - 411M -
zones/mask/ROOT/zbe@backup 143M - 1.12G -
root@mask:/var#

That's it! What just happened?

We took a snapshot of the full file system as it was when we ran that zfs snapshot command. This is a real file system backup, which can be used to restore to if there is ever a need.

Of course, this is just the beginning. You can destroy snapshots and use these snapshots to make offline backups. More on these topics later, or better yet, give them a shot yourself. There are lots of resources on Google.
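The same migration as a script, added here as an example and not the session above: it wraps the steps (stop the service, create the dataset, mount it over the directory, move the data in, snapshot) in one function with the checks an operator wants, re-enables the service afterwards, and adds a restore helper. It assumes OpenSolaris-style svcadm and zfs commands; the DRY_RUN switch and the copy_tree helper are this example's own.

```shell
#!/bin/sh
# Added example, not the page's session transcript. Assumes OpenSolaris-style
# svcadm and zfs; DRY_RUN=1 prints each privileged command instead of running
# it, so the flow can be reviewed before it touches a live server.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# tar rather than "mv dir.old/* dir": keeps dotfiles, ownership and modes intact
copy_tree() { (cd "$1" && tar cf - .) | (cd "$2" && tar xpf -); }

# zfs_online_backup DATASET DIR SERVICE
#   e.g. zfs_online_backup zones/mask/ROOT/lighttpd /var/lighttpd lighttpd14
# Prints the snapshot name on success. Remove DIR.old once the site is verified.
zfs_online_backup() {
    ds=$1; dir=$2; svc=$3
    if [ ! -d "$dir" ]; then echo "not a directory: $dir" >&2; return 1; fi
    if [ -e "$dir.old" ]; then echo "$dir.old already exists; clean up first" >&2; return 1; fi
    stamp=$(date +%Y%m%d-%H%M%S)         # timestamped, so later snapshots never collide
    run svcadm disable -s "$svc"         # -s waits until the service has really stopped
    run zfs create "$ds"
    run mv "$dir" "$dir.old"
    run zfs set mountpoint="$dir" "$ds"  # the new dataset now sits where the data lived
    run copy_tree "$dir.old" "$dir"
    run zfs snapshot "$ds@backup-$stamp"
    run svcadm enable "$svc"             # the transcript above never turns lighttpd back on
    echo "$ds@backup-$stamp"
}

# zfs_restore DATASET SNAPNAME SERVICE: put the live dataset back to a snapshot.
# Single files can also be read from DIR/.zfs/snapshot/SNAPNAME without rolling
# back; "zfs rollback" refuses when newer snapshots exist unless given -r.
zfs_restore() {
    run svcadm disable -s "$3"
    run zfs rollback "$1@$2"
    run svcadm enable "$3"
}

# Run as a script: ./online-backup.sh DATASET DIR SERVICE
if [ "$#" -eq 3 ]; then zfs_online_backup "$@"; fi
```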

Want to learn more? Why not purchase our OpenSolaris VPS servers from Entic.net, powered by ZFS? We're sure you'll love it. It'll simplify your life, and you might even like it more than Linux!
