-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
virtual.wf's HTTPS configuration needs updating #370
Comments
@konklone thank you! You are quite thorough. 😄 How's this for a candidate for most-improved award? Heartbleed and other vulnerability mitigated, with new post-mitigation certificates signed with SHA-2. I moved the ciphers one step in the right direction, though they still use RC4 on IE 10 and older. I'm not aware that anything better can be done for them. Any ideas? We also now use the HSTS header so repeat visitors will not have to wait for the redirect, and I changed those references to Thank you again, your help is much appreciated. Any time you want to swing through our site and poke at it, feel free. 😄 |
I think I will go ahead and close this issue, and if you have any thoughts on the RC4 issue, we can make that a new issue. Thanks again. |
If you control the ciphersuites, I think you can do better - here's my cipher choices for konklone.com
That covers all the IEs, with a non-FS carveout for IE8+XP. It doesn't use RC4 anywhere. One other thing you can do to bump up the key exchange strength is pre-generate 2048-bit DH parameters, so it's the same size as your key. Your version of Apache is defaulting to 1024-bit parameters, which keeps your key strength score at 80, and is why it shows 1024-bit marks here: If you upgrade Apache, version 2.4 defaults DH params to match key-length -- or if you keep 2.2, you can run
My pleasure, thanks for being so responsive and putting the legwork in on this! |
I'm reopening this issue, so I don't forget to address your other points. ... and thanks for the medal. 😉 |
The server is currently vulnerable to Heartbleed, to an OpenSSL MITM vulnerability, and is using SHA-1-signed certificates.
The SSL Labs analysis lays out the issues:
This could also be a good time to tighten up the ciphers to favor forward secrecy, and to implement the HSTS header, so that browsers skip over the
http://
URL entirely and don't wait for the redirect.On that (side) note, the project uses an http:// URL in a couple places:
The text was updated successfully, but these errors were encountered: