Forum cipher set has changed

Woodstock
Veteran User
Posts: 4619
Joined: Tue Aug 27, 2013 6:39 am

Forum cipher set has changed

Post by Woodstock »

I'm having to post this using Chrome because it appears that the allowed cipher list has changed on the forum this afternoon.

I'd kind of like to know which ones were removed, because Firefox won't let me connect to the forum since about 2pm Central (US) time. I have to use FF v.47 to support some add-ons Mozilla decided weren't good enough, but I've never seen a website toss up an SSL_ERROR_NO_CYPHER_OVERLAP error before now.
s55
HandBrake Team
Posts: 10357
Joined: Sun Dec 24, 2006 1:05 pm

Re: Forum cipher set has changed

Post by s55 »

We retired TLS 1.1 today and with it, some of the weaker cipher suites.

Edit: Looking at what 47 supports now.
s55
HandBrake Team
Posts: 10357
Joined: Sun Dec 24, 2006 1:05 pm

Re: Forum cipher set has changed

Post by s55 »

Should now be working.
Woodstock
Veteran User
Posts: 4619
Joined: Tue Aug 27, 2013 6:39 am

Re: Forum cipher set has changed

Post by Woodstock »

Yes, it is.

Strange - I thought I had already locked out all the "weak" ciphers. We have a restricted set on our servers (no RC4) because one of our customers insists on it "for credit card compliance" (even though WE do not do CC's), and had not hit this.

What did you have to put back in?
s55
HandBrake Team
Posts: 10357
Joined: Sun Dec 24, 2006 1:05 pm

Re: Forum cipher set has changed

Post by s55 »

Added in an AES128 variant of one of the existing RSA ciphers. It's not ideal but still perfectly sufficient for what we do here.
Woodstock
Veteran User
Posts: 4619
Joined: Tue Aug 27, 2013 6:39 am

Re: Forum cipher set has changed

Post by Woodstock »

Hmm... That increases the mystery, because FF47 has the same 128-bit algorithms listed for the latest Chrome...

https://cc.dcsec.uni-hannover.de/ shows what your current browser announces as supported. FF47 shows this:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
RSA-AES128-SHA
RSA-AES256-SHA
RSA-3DES-EDE-SHA
Based on a comparison of FF47 and Chrome, it was probably RSA-AES128-SHA you added back in. The two RSA protocols that FF47 is missing are RSA-AES128-GCM-SHA256 and RSA-AES256-GCM-SHA384.

Nowadays, everyone wants to eliminate anything that uses SHA1.

Strange that your server didn't offer the other SHA256 methods FF47 supports, like ECDHE-ECDSA-AES128-GCM-SHA256 or ECDHE-RSA-AES128-GCM-SHA256.
s55
HandBrake Team
Posts: 10357
Joined: Sun Dec 24, 2006 1:05 pm

Re: Forum cipher set has changed

Post by s55 »

The version of OpenSSL + server config define what it offers.

So, yes, ECDHE-RSA-AES128-GCM-SHA256 was added for backwards compatibility.

AES128 was removed completely in the last update, so no mystery that your older browser doesn't work with it.
Woodstock
Veteran User
Posts: 4619
Joined: Tue Aug 27, 2013 6:39 am

Re: Forum cipher set has changed

Post by Woodstock »

For what it is worth, AES128 is still considered "strong enough" for general use; it's the SHA1 part that is too weak.

Thanks for enabling the one cipher, anyway.
s55
HandBrake Team
Posts: 10357
Joined: Sun Dec 24, 2006 1:05 pm

Re: Forum cipher set has changed

Post by s55 »

Yup, strong enough. Interestingly you get a lower SSL rating using AES128 than you do using an SHA1 cipher when you run the SSL checkers.

It's last in order, so if the browser supports it, it'll always negotiate the best.
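One way to see the overlap check this thread is describing, as an added example that is not code from the forum or from the HandBrake project: it decodes suite names in the form the browser-check site prints them, flags the properties the posters argue about (forward secrecy, 3DES, CBC with HMAC-SHA1), and shows how appending one suite last restores a connection for FF47 without changing what newer browsers negotiate. The two server lists are constructed guesses, not the forum's real configuration.

```python
# Added example: decode OpenSSL-style suite names as the browser-check site
# prints them and reproduce the overlap check behind NO_CYPHER_OVERLAP.
from dataclasses import dataclass
from typing import List, Optional
# Firefox 47 list exactly as quoted in the thread (client preference order).
FF47_CLIENT = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256", "ECDHE-RSA-CHACHA20-POLY1305-SHA256",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
    "RSA-AES128-SHA", "RSA-AES256-SHA", "RSA-3DES-EDE-SHA",
]
# Constructed guess at the server list after "AES128 removed completely";
# not the forum's real configuration.
SERVER_STRICT = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                 "RSA-AES256-GCM-SHA384"]
# Same list with the one compatibility suite appended last, as s55 describes.
SERVER_COMPAT = SERVER_STRICT + ["ECDHE-RSA-AES128-GCM-SHA256"]

@dataclass
class Suite:
    name: str
    kex: str     # ECDHE / DHE / RSA; static RSA key exchange gives no forward secrecy
    cipher: str  # AES128 / AES256 / CHACHA20 / 3DES
    aead: bool   # GCM or POLY1305 suites have no separate HMAC
    mac: str     # "SHA" in a CBC suite name means HMAC-SHA1; else SHA256 / SHA384

def parse(name: str) -> Suite:
    parts = name.split("-")
    cipher = next(p for p in parts if p in ("AES128", "AES256", "CHACHA20", "3DES"))
    return Suite(name, parts[0], cipher, "GCM" in parts or "POLY1305" in parts, parts[-1])

def legacy_flags(name: str) -> List[str]:
    """Why a hardening pass would drop this suite; [] means nothing to flag."""
    s, flags = parse(name), []
    if s.kex == "RSA":
        flags.append("no forward secrecy")
    if s.cipher == "3DES":
        flags.append("3DES")
    if not s.aead and s.mac == "SHA":
        flags.append("CBC with HMAC-SHA1")
    return flags

def negotiate(server: List[str], client: List[str], honor_server_order: bool = True) -> Optional[str]:
    """First suite both sides share, walking the preferred side's list in order.
    None is the failed handshake the browser reports as SSL_ERROR_NO_CYPHER_OVERLAP."""
    first, second = (server, client) if honor_server_order else (client, server)
    return next((c for c in first if c in second), None)
```

With the constructed lists, `negotiate(SERVER_STRICT, FF47_CLIENT)` returns `None` and `negotiate(SERVER_COMPAT, FF47_CLIENT)` returns the added suite whichever side's order is honored, while `legacy_flags` on that suite is empty.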