Hacker News new | ask | show | jobs
by danimo 4439 days ago
Yes, that's the exact problem that made me write this. What's particularly amazing is the amount of magical cipher suite strings shared throughout the web, most of which do not take in account PFS, or still prioritize RC4. All of that was acceptable at some point in time. Other cipher lists just don't make any sense at all, e.g. first removing a cipher (-RC4), then killing it (!RC4), all in one string with no benefit at all.
3 comments
tombrossman 4439 days ago
Thanks for writing this post, I've bookmarked it for reading later as it has plenty of links and I can see I have a lot more reading to do.

If you edit or update your post, I hope you will Mozilla's excellent "Security/Server Side TLS" page at https://wiki.mozilla.org/Security/Server_Side_TLS. This helped me get up to speed quickly and provided clear examples.

As proof of how good the Mozilla docs are, I tested my personal website using the Qualys test you mention and received an A+ rating!

This beat the A- rating for your site (though I freely admit I'm a total noob in this area - I'm copy/pasting and don't understand much about SSL). I guess this reinforces your point that good documentation is critical, and I hope more people find it at the Mozilla site.

https://www.ssllabs.com/ssltest/analyze.html?d=tombrossman.c...

https://www.ssllabs.com/ssltest/analyze.html?d=daniel.molken...

link
jvehent 4439 days ago
Author of the Mozilla's Server Side TLS here. Glad that you found it helpful. Anything else that you think we should add to it?
link
danimo 4439 days ago
Second-to-best solutions with older Distributions (Ubuntu 12.04, Debian 7, RHEL 6).
link
danimo 4439 days ago
That's an excellent reference with good explanations. I'll add it to the list to get away from the strong Ivan bias :-). The reason why I had A- only is that my openssl (Debian) doesn't seem provide all the ciphers required.
link
puetzk 4437 days ago
It's probably your apache, actually; 2.2 can't do ECDHE, even though the openssl in Debian 7 can.

Sadly, this means IE doesn't get forward secrecy, because it can't do do DHE with RSA keys, only DSS.

link
jvehent 4439 days ago
Yet Another Test Script: https://github.com/jvehent/cipherscan It uses openssl to find out the cipher priorities, PFS keys and a few others things from a target site. I wrote it because, while I love SSLLabs and Ivan's work in general, I find it too slow to scan a setup I'm working on many times. And I like doing stuff in the terminal.
link
jnsaff2 4439 days ago
A very nice python script to check your server configuration: https://github.com/iSECPartners/sslyze
link
danimo 4439 days ago
Thanks, added!
link