
SSL Ciphers


Hi,

I added this to nginx:

ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

ssl_prefer_server_ciphers on;


And on my site, Chrome reports AES_128_GCM and ECDHE_RSA, just like on this site.

The issue is that ssllabs gives this site an A score, and my site gets a B score, apparently because the directive above has some weak ciphers.

Well, they say this: "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B."

Any help to fix that?

Edited by -FP

Don't have nginx but you may be able to disable DH. There is some useful info here https://cipherli.st/
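As an added example (not part of the thread, and not the poster's or nginx's own code), here are the two ways the "weak DH parameters" cap is normally cleared for the exact cipher list posted above: either keep the DHE suites and give nginx a 2048-bit DH group through ssl_dhparam, or stop offering finite-field DH altogether. The script also shows a caveat the thread does not: deleting the DHE-*/EDH-* names from the list is not sufficient on its own, because the HIGH keyword later in the same list expands to the DHE suites again, so the key-exchange family has to be excluded by keyword as well. The file path /etc/nginx/ssl/dhparam.pem is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): two ways to clear the SSL Labs
# "weak Diffie-Hellman (DH) key exchange parameters" cap on the posted config.
#   A. keep the DHE-* suites but give nginx a 2048-bit DH group via ssl_dhparam
#   B. stop offering finite-field DH at all, leaving ECDHE and plain RSA
# The dhparam path (/etc/nginx/ssl/dhparam.pem) is an assumption.

# The cipher list exactly as posted in the first message of the thread.
POSTED_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'

# Drop every explicitly named finite-field DH suite (OpenSSL names them
# DHE-* or EDH-*). Keyword groups (HIGH) and exclusions (!X) are kept as-is.
strip_dhe() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v -E '^(DHE|EDH)-' | paste -s -d ':' -
}

# Option B. Removing the named suites alone is not enough: the HIGH keyword
# later in the list expands to every high-strength suite, DHE ones included.
# So the ephemeral-DH key exchange is also excluded by keyword. !kEDH is
# understood by both old and current OpenSSL (kDHE and DH are newer aliases).
hardened_ciphers() {
    printf '%s:!kEDH\n' "$(strip_dhe "$1")"
}

# Option A. Generate a 2048-bit DH group for ssl_dhparam. This takes a while
# and only has to be done once per server; it is not run automatically here.
gen_dhparam() {
    out=${1:-/etc/nginx/ssl/dhparam.pem}   # assumed path
    openssl dhparam -out "$out" 2048
}

# Emit the nginx ssl_* directives for the chosen option.
# Usage: render_nginx_ssl A|B
render_nginx_ssl() {
    case "$1" in
        A)
            printf 'ssl_ciphers '\''%s'\'';\n' "$POSTED_CIPHERS"
            printf '# assumed path; the group must be 2048-bit or larger\n'
            printf 'ssl_dhparam /etc/nginx/ssl/dhparam.pem;\n'
            ;;
        B)
            printf 'ssl_ciphers '\''%s'\'';\n' "$(hardened_ciphers "$POSTED_CIPHERS")"
            ;;
        *)
            echo "usage: render_nginx_ssl A|B" >&2
            return 1
            ;;
    esac
    printf 'ssl_prefer_server_ciphers on;\n'
}

# After deploying, a quick live check (needs openssl; not run here):
#   openssl s_client -connect example.com:443 -cipher 'kEDH' < /dev/null
# With option B that handshake must fail outright; with option A it should
# succeed and the "Server Temp Key" line should show the 2048-bit DH group.

render_nginx_ssl B
```

Option B is what the reply above calls "disabling DH": ECDHE still provides forward secrecy for every current client, and the plain RSA suites remain as a fallback, so nothing that the poster's Chrome negotiated (ECDHE_RSA with AES_128_GCM) changes.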


Woot @Ausy thanks.

[image: EK0OuQX.jpg]

Now I only need to figure out what's the thing in the blue box.

Don't worry about it, all current browsers/mobile can handle SNI (older browsers will have trouble with IPS anyway). It means your host is serving different SSL certs on the same IP. That wasn't possible until SNI came along.

For example I have autoitscript.com and autoitconsulting.com on the same IP with two different SSL certs. That uses SNI to work. Otherwise I would have to have two IP addresses and each site bound to a different IP.

Edited by AutoItScript

The notification about SNI is just an FYI; browsers that aren't capable of handling it are IE6 / Windows XP era and aren't people whom you can realistically support. In most cases they won't even be able to use most of the ciphers available nowadays.

I've installed StartSSL on a CloudLinux server (server.it), and I haven't bought an SSL cert or a static IP. But because of that my domain also doesn't have SNI, so XP users with Internet Explorer (or other users with old Android mobiles, etc.) cannot access my website.

I hope isn't a large percentage :p
