Encrypted with obsolete vs modern?

[Sheratan]

I just notice my site and xenforo in Chrome show this notification.

I read some article about that. It seems concerning about new encryption method, openssl version, and chiper suite. Too much to read for me

Anybody want to explain "what is that thing and how to fix that obsolete notification?"

 

[rdn]

You mean ssl icon notice?

 

[Sheratan]

 

[rdn]

openssl version, and chiper suite

 

[Liam W]

I'm pretty sure it's for when sites are using SHA1 as opposed to a newer encryption method.

You should ask your SSL issuer to reissue your cert with a better method...

Liam

 

[Fred.]

I was working on this today

In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

https://www.chromium.org/Home/chromi...-Cipher-Suites


At the moment I'm using this in Nginx

ssl_ciphers 'AES128+EECDH:AES128+EDH';

Note : You have to know that this doesn't support older browsers / OS anymore. So no more Windows XP

I also updated my CA certificate so it doesn't have SHA1 in it anymore.

Now I get

Your connection to "domain" is encrypted with modern cryptography.

 

[MattW]

This is the cipher suite I'm using:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4

 

[TPerry]

@Liam is correct @Sheratan ... you need to have the SSL cert re-issued with higher than SHA1. Most of the providers (Comodo and RapidSSL) are now no longer signing their certs in SHA1 so just a simple re-issuance of the cert will take care of it. Use the same CSR you submitted originally.

 

[Fred.]

I noticed some issues with my setup.
It changes from modern cryptography to obsolete cryptography and back every now and then. Really weird...

 

[TPerry]

When I was using SSL on my TWD site (dropped it because I had a single domain SSL and now am doing all images and other resources from a static domain) this is what I used.

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

 

[eva2000]

I just notice my site and xenforo in Chrome show this notification.

I read some article about that. It seems concerning about new encryption method, openssl version, and chiper suite. Too much to read for me

Anybody want to explain "what is that thing and how to fix that obsolete notification?"

run your site through https://www.ssllabs.com/ssltest/index.html as Chrome is now sunsetting SHA1 signatures for TLS https://community.centminmod.com/threads/chrome-browser-39-sunsetting-sha-1-ssl-signatures.1283/

recommended ciphers https://wiki.mozilla.org/Security/Server_Side_TLS

 

[Floren]

In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305.

You are correct.

 

[rafass]

This is mine: (no issues)

 

[Sheratan]

What's wrong with CBC?

 

[Fred.]

@Floren Can I ask you which cipher suite you are using? I saw your site also has A+
I'm using MattW his cipher suite, but I only have an A on the ssl labs test and I'm trying to get a A+
I also have HSTS, but it looks like it's not good enough to get A+

 

[rdn]

@Floren Can I ask you which cipher suite you are using? I saw your site also has A+
I'm using MattW his cipher suite, but I only have an A on the ssl labs test and I'm trying to get a A+
I also have HSTS, but it looks like it's not good enough to get A+

I strongly recommend: https://wiki.mozilla.org/Security/Server_Side_TLS

 

[TPerry]

One problem I was running into... I still had users using Windows XP and the older versions of Internet Exploder.... and they wouldn't change. So I decided to use the cipher suite that would support them (now I don't have to worry about it as I went back to HTTP).

 

[Floren]

@Floren Can I ask you which cipher suite you are using?

I presume you are using Nginx? Feel free to ask the question on our support site, Software forums. Expect to be challenged with logic, we do not spoon-feed our members. Instead, we want them to learn and actually understand what they are doing. Then, they understand the true essence of cryptography ciphers and adjust them on the fly.

I strongly recommend: https://wiki.mozilla.org/Security/Server_Side_TLS

You strongly recommend that based on what? The posted structure is chaotic and they list a bunch of useless ciphers which only expose you to future cipher-attacks. My list of ciphers is exactly 43 characters long. Please explain to other members here why we use only 5 ciphers.
https://www.ssllabs.com/ssltest/analyze.html?d=axivo.com&hideResults=on

Also, explain to us why the ciphers used on Centminmod site are not recommended, even if they show better results:
https://www.ssllabs.com/ssltest/analyze.html?d=community.centminmod.com&hideResults=on

 

[rdn]

You strongly recommend that based on what?

Compatibility.

 

[Fred.]

I presume you are using Nginx? Feel free to ask the question on our support site, Software forums. Expect to be challenged with logic, we do not spoon-feed our members. Instead, we want them to learn and actually understand what they are doing. Then, they understand the true essence of cryptography ciphers and adjust them on the fly.

Yes, using Nginx 1.8 since a few days. But with directadmin, that makes things more complicated!
Well, I'm going to do that because I would like to learn more about it.
My problem is solved now, but I still like to improve my knowledge about cryptography ciphers and ssl because that's still kind of new to me. And it seems to be changing fast.
I was reading on Axivo before about the new ciphers in OpenSSL 1.0.2a, I still use a patched version of 1.0.1
I just do yum update openssl to update, but CentOS 7.1 doesn't have 1.0.2a available at the moment.
I'm not super technical, I can setup a server and manage it. Sometimes I need some time to find out what's wrong, but eventually I find the problem and I can fix it. But I'm not a pro. That's still far away