
SSL Ciphers


-FP


Hi,

I added this to nginx:

ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

ssl_prefer_server_ciphers on;


And on my site, Chrome reports AES_128_GCM and ECDHE_RSA, just like on this site.

The issue is that ssllabs gives this site an A score, and my site gets a B score, apparently because the directive above has some weak ciphers.

Well, they say this: "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B."

Any help to fix that?

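As an added example (not from the original post, and not nginx's own tooling), here is a POSIX shell script that checks the posted directives the way the grader does. The "weak Diffie-Hellman parameters" cap is tied to the DHE-/EDH- suites in the list, not to the list as a whole: nginx before 1.11 used a built-in 1024-bit DH group when ssl_dhparam was not set (1.11 and later simply stop offering DHE suites in that case). The script extracts the ssl_ciphers value from a server-block fragment, reports whether DHE suites are offered without an ssl_dhparam, and prints replacement directives; it also goes beyond the DH finding and flags the 3DES (DES-CBC3) and static-RSA suites in the list, which are the next things SSL Labs marks down. The cipher string is the one quoted above; the server-block fragment, the function names and the /etc/nginx/dhparam.pem path are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread: audit an nginx ssl_ciphers string for the
# suites SSL Labs penalises, check whether its DHE suites are backed by an
# ssl_dhparam file, and print replacement directives. POSIX sh, runs offline.

# The cipher string posted in the thread, verbatim.
POSTED_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'

# Constructed server-block fragment: the two posted directives and nothing else.
POSTED_CONF="ssl_ciphers '$POSTED_CIPHERS';
ssl_prefer_server_ciphers on;"

# Assumed path for the DH group. Create it once with:
#   openssl dhparam -out /etc/nginx/dhparam.pem 2048
DHPARAM_PATH=/etc/nginx/dhparam.pem

# Print one "suite<TAB>reason" line per suite that SSL Labs marks weak or that
# gives up forward secrecy. Exit status 0 if anything was flagged, 1 if clean.
audit_cipher_list() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r suite; do
        case "$suite" in
            '!'*|'')                 ;;   # exclusions and empty fields: nothing to grade
            *DES-CBC3*|*3DES*)       printf '%s\t3DES: 64-bit block cipher (Sweet32), graded weak\n' "$suite" ;;
            ECDHE-*|DHE-*|EDH-*)     ;;   # ephemeral key exchange: forward secret, fine
            HIGH|MEDIUM|DEFAULT|ALL) printf '%s\tcatch-all keyword, pulls in suites you did not review\n' "$suite" ;;
            *)                       printf '%s\tstatic RSA key exchange, no forward secrecy\n' "$suite" ;;
        esac
    done | grep .
}

# Extract the ssl_ciphers value from a config fragment (first match, either quote style).
ciphers_in_conf() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]*['\"]\{0,1\}\([^'\";]*\).*/\1/p" | head -n 1
}

# The "weak DH parameters" finding is about the DHE/EDH suites: nginx before 1.11
# used a built-in 1024-bit group when ssl_dhparam was unset (1.11+ stops offering
# DHE suites instead). Returns 0 when DHE suites are offered with no ssl_dhparam.
needs_dhparam() {
    case ":$(ciphers_in_conf "$1"):" in
        *:DHE-*|*:EDH-*) ;;
        *) return 1 ;;                 # no DHE suites, so no DH group is ever negotiated
    esac
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]' && return 1
    return 0
}

# Drop 3DES, catch-all keywords and static-RSA suites; keep order and the '!' exclusions.
harden_cipher_list() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r suite; do
        case "$suite" in
            '!'*)                                         printf '%s\n' "$suite" ;;
            *DES-CBC3*|*3DES*|HIGH|MEDIUM|DEFAULT|ALL|'') ;;
            ECDHE-*|DHE-*|EDH-*)                          printf '%s\n' "$suite" ;;
        esac
    done | tr '\n' ':' | sed 's/:$//'
}

# Replacement directives: trimmed cipher list plus an explicit 2048-bit DH group.
render_fixed_conf() {
    printf "ssl_ciphers '%s';\n" "$(harden_cipher_list "$1")"
    printf 'ssl_prefer_server_ciphers on;\n'
    printf 'ssl_dhparam %s;\n' "$DHPARAM_PATH"
}

echo '== suites that cost points in the posted list =='
audit_cipher_list "$POSTED_CIPHERS"
echo
if needs_dhparam "$POSTED_CONF"; then
    echo 'DHE suites offered with no ssl_dhparam: this is the "weak DH parameters" cap to B'
fi
echo
echo '== replacement directives =='
render_fixed_conf "$POSTED_CIPHERS"
```

Two fixes clear the DH finding: generate a 2048-bit group with openssl dhparam and point ssl_dhparam at it, as the rendered directives do, or drop the DHE-/EDH- suites and keep only the ECDHE ones, which need no DH group at all. Either way the trailing HIGH keyword and the non-ECDHE/DHE AES suites are worth removing as well, since they silently reintroduce suites without forward secrecy.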

Don't worry about it, all current browsers/mobile can handle SNI (older browsers will have trouble with IPS anyway). It means your host is serving different SSL certs on the same IP. That wasn't possible until SNI came along.

For example I have autoitscript.com and autoitconsulting.com on the same IP with two different SSL certs. That uses SNI to work. Otherwise I would have to have two IP addresses and each site bound to a different IP.


I've installed StartSSL on a CloudLinux server (server.it), and I haven't bought an SSL cert or a static IP. But because of that my domain also doesn't have SNI, so XP users with Internet Explorer (or other users with old Android mobiles etc.) cannot access my website.

I hope it isn't a large percentage :p

