Re: Help disabling weak ciphers.

I think I figured it out. I think I just had to scroll down a bit in Qualys SSL Labs. I see a list of browsers and with TLSv1.0 and TLSv1.1 disabled, I now see: Server sent fatal alert: protocol_version

I believe they're the ones that don't support the protocols that I've disabled.

I think I'll try with TLSv1.0 disabled and maybe TLSv1.1 and TLSv1.2 enabled. That way I can be PCI compliant. Now I have to figure out what this SNI is and whether I want it enabled or not.

Thanks for all the help!!

On Sat, Jul 16, 2016 at 6:06 PM, Spork Schivago <sporkschivago@xxxxxxxxx> wrote:
I made the required changes but don't get the A+ rating, still A. Forward Secrecy is enabled, which is good. I don't actually see scores for the bar graph but I do see certain ones don't go to the 100%. One was the Protocol Support. However, if I disable TLSv1 and TLSv1.1, then Protocol Support goes to 100%.

I'm wondering what clients wouldn't be able to connect if I disable TLSv1.0 and TLSv1.1. I'd imagine if a client supports TLSv1.1, it probably supports TLSv1.2. Is there a list or any website that can test my website to see what browsers / OS's won't be able to connect? I'm okay with dropping TLSv1.0 and TLSv1.1 support if it means people using XP won't be able to connect but 99% of the internet users out there will be able. But if dropping support for TLSv1.0 and TLSv1.1 means only 10% of the users will be able to connect, I'd like to not drop it. Any suggestions from anyone?

Thanks!

On Sat, Jul 16, 2016 at 3:59 PM, Spork Schivago <sporkschivago@xxxxxxxxx> wrote:
Wow, thank you Dr. James Smith! I am going to try your cipher list and see if I can get the A+ rating. That's exactly what I'm after. Are there any other drawbacks besides losing support for Java 6 and IE 6 clients? I originally started writing my website to be IE 6 compatible but after learning a good bit, I've decided that was a horrible idea. Even if users are still using XP, I believe they can at least install IE 8, however, people who are still running Windows XP should highly consider upgrading if they're getting on the internet, I'd think.

Thank you!!!

Ken

On Sat, Jul 16, 2016 at 2:44 AM, Dr James Smith <js5@xxxxxxxxxxxx> wrote:
I use:

  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

as the setting for ciphers - this gets an A+ rating on the Qualys SSL Labs scoring (although Java 6 + IE 6 clients don't work but that is the compromise you need to take)

James


On 15/07/2016 22:49, Spork Schivago wrote:
Hello,

I think I figured it out.  I removed the DES-CBC3-SHA line from the SSL Cipher Suite list and now this is the output from nmap:

| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-07-13T03:49:00
| Not valid after:  2016-10-11T03:49:00
| MD5:   e2dd d74b 6978 0d0e 9a7c 0aec c5ed baee
|_SHA-1: 4eef ac38 a8fe 99aa 816b 005a 9849 c674 cd39 98d6
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds


With the least strength being A, that's exactly what I want, right? That would mean the ciphers are very strong ones? I'm still trying to learn all of this and now I gotta figure out how to enable "Perfect" Forward Secrecy. Thanks!



--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
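
An added example, not part of the thread: a small Python audit of nmap ssl-enum-ciphers output in the layout quoted above, reporting protocols below a policy floor, suites without forward secrecy, and "cipher preference: client" (what the scan shows when the server does not enforce its own order, which SSLHonorCipherOrder on changes). The sample report is constructed, and the function names and the TLSv1.1 floor are assumptions.

```python
import re
# Constructed sample in the ssl-enum-ciphers layout shown in the thread (shortened).
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     cipher preference: client
"""

ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
PROTO = re.compile(r"^\|_?\s+((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE = re.compile(r"^\|_?\s+(TLS_\w+) \(.+?\) - [A-F]\s*$")
PREF = re.compile(r"^\|_?\s+cipher preference: (\w+)")

def parse(report):
    """Return {protocol: {"suites": [names], "preference": str or None}}."""
    result, current = {}, None
    for line in report.splitlines():
        if m := PROTO.match(line):
            current = result.setdefault(m.group(1), {"suites": [], "preference": None})
        elif current is not None and (m := SUITE.match(line)):
            current["suites"].append(m.group(1))
        elif current is not None and (m := PREF.match(line)):
            current["preference"] = m.group(1)
    return result

def audit(report, minimum="TLSv1.1"):
    """Return (protocol, issue) findings; `minimum` is an assumed policy floor."""
    findings = []
    for proto, info in parse(report).items():
        if proto in ORDER and ORDER.index(proto) < ORDER.index(minimum):
            findings.append((proto, "protocol below " + minimum))
        for name in info["suites"]:
            # Only ephemeral (EC)DHE key exchange gives forward secrecy; TLS_RSA_* does not.
            if not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                findings.append((proto, "no forward secrecy: " + name))
        if info["preference"] == "client":
            findings.append((proto, "server does not enforce cipher order"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{p}: {i}" for p, i in audit(SAMPLE)))
```

A grade of A on every suite does not by itself mean forward secrecy: the TLS_RSA_* entries are graded A in the scan yet still appear in the findings.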