Bug #2082
Ostel's SSL config is not so hot
| Status: | Feedback | Start date: | 10/15/2013 |
|---|---|---|---|
| Priority: | Normal | Due date: | 10/18/2013 |
| Assignee: | lee | % Done: | 0% |
| Category: | - | Spent time: | - |
| Target version: | - | | |
| Component: | | | |
Description
Please review the issues on this site: https://www.ssllabs.com/ssltest/analyze.html?d=ostel.co
and resolve.
History
#1 Updated by lee over 4 years ago
- Priority changed from High to Normal
I went over some threat modeling on IRC and it looks like the consequences of this static analysis are not critical, though a "nice to have".
#2 Updated by lee over 4 years ago
Removing SSLv2 (thus isolating us from the hordes of IE 6 users) seems to make the pretty charts more green.
Followed this reference:
http://wiki.nginx.org/HttpSslModule#ssl_ciphers
I have no idea what the 40/100 score for Key Exchange means and the document doesn't reference the criteria for scoring. It's just like getting a free credit score from Equifax!
#3 Updated by lee over 4 years ago
- Status changed from New to Feedback
Alright, I got that random test site to give ostel.co an A. This officially removes all support for secure connections with IE6.
#4 Updated by DrWhax about 4 years ago
I use the following config:
    server {
        listen 443 ssl;
        server_name ostel.nl;
        add_header "Strict-Transport-Security" "max-age=86400";
        ssl on;   # redundant with "listen 443 ssl" but harmless on this nginx version
        ssl_certificate /lulz/server.crt;
        ssl_certificate_key /lulz/server.key;
        # SSLv2 is disabled simply by leaving it out of the list
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        # OpenSSL cipher-list syntax; entries prefixed with "!" are excluded permanently
        # (without the "!" the same keywords would ENABLE null, 3DES, export and SRP ciphers)
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA EECDH+aRSA+RC4 !eNULL !3DES !EXP !SRP !DSS";
        ssl_prefer_server_ciphers on;
    }
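As an added illustration (not part of this ticket or of the ostel.co/ostel.nl config), a small lint that parses the ssl_protocols and ssl_ciphers directives from an nginx snippet and flags enabled SSLv2/SSLv3 plus any weak OpenSSL cipher keyword that is not negated with "!". The samples are constructed from the config above: once with the weak families excluded, once with the "!" prefixes missing, which silently turns the exclusions into enablements.

```python
import re

# Protocols and OpenSSL cipher-list keywords a hardening pass should never leave enabled.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_KEYWORDS = {"aNULL", "eNULL", "EXP", "EXPORT", "LOW", "RC4", "3DES", "DES", "MD5"}

def parse_ssl_directives(config: str) -> dict:
    """Collect ssl_protocols / ssl_ciphers values from an nginx snippet.
    Backslash-newline continuations are joined and '#' comments stripped first."""
    joined = config.replace("\\\n", " ")
    found = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(ssl_protocols|ssl_ciphers)\s+(.+?)\s*;$", line)
        if m:
            found[m.group(1)] = m.group(2).strip('"\'')
    return found

def audit_ssl_config(config: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    d = parse_ssl_directives(config)
    findings = []
    if "ssl_protocols" not in d:
        findings.append("ssl_protocols not set explicitly (inherits the build default)")
    for proto in d.get("ssl_protocols", "").split():
        if proto in WEAK_PROTOCOLS:
            findings.append(f"protocol {proto} enabled")
    # OpenSSL accepts ':', ',' or whitespace between cipher-list entries.
    for entry in re.split(r"[:,\s]+", d.get("ssl_ciphers", "")):
        if not entry:
            continue
        # '!' deletes matching ciphers permanently, '-' removes them; anything else adds or reorders.
        enabling = entry[0] not in "!-"
        keywords = set(entry.lstrip("!-+").split("+"))
        for weak in sorted(keywords & WEAK_CIPHER_KEYWORDS):
            if enabling:
                findings.append(f"cipher entry {entry!r} enables {weak}")
    return findings

# Constructed samples modelled on the posted config (not the live ostel config).
INTENDED = '''
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; # do this to disable SSLv2
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \\
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \\
EECDH EDH+aRSA EECDH+aRSA+RC4 !eNULL !3DES !EXP !SRP !DSS";
'''
MANGLED = INTENDED.replace("!eNULL !3DES !EXP !SRP", "eNULL 3DES EXP SRP")

if __name__ == "__main__":
    for name, cfg in (("intended", INTENDED), ("mangled", MANGLED)):
        print(name, audit_ssl_config(cfg))
```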