1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Encrypted with obsolete vs modern?

Discussion in 'Server Configuration and Hosting' started by Sheratan, Apr 30, 2015.

  1. Sheratan

    Sheratan Well-Known Member

    I just notice my site and xenforo in Chrome show this notification.

    I read some article about that. It seems concerning about new encryption method, openssl version, and chiper suite. Too much to read for me :confused:

    Anybody want to explain "what is that thing and how to fix that obsolete notification?"
     
  2. RoldanLT

    RoldanLT Well-Known Member

    You mean ssl icon notice?
     
  3. Sheratan

    Sheratan Well-Known Member

  4. RoldanLT

    RoldanLT Well-Known Member

    (y)
     
  5. Liam W

    Liam W Well-Known Member

    I'm pretty sure it's for when sites are using SHA1 as opposed to a newer encryption method.

    You should ask your SSL issuer to reissue your cert with a better method...

    Liam
     
  6. Fred.

    Fred. Well-Known Member

    I was working on this today :)

    In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

    https://www.chromium.org/Home/chromi...-Cipher-Suites


    At the moment I'm using this in Nginx

    Code:
    ssl_ciphers 'AES128+EECDH:AES128+EDH';
    Note : You have to know that this doesn't support older browsers / OS anymore. So no more Windows XP

    I also updated my CA certificate so it doesn't have SHA1 in it anymore.

    Now I get
    (y)
     
    MattW likes this.
  7. MattW

    MattW Well-Known Member

    This is the cipher suite I'm using:
    Code:
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
     
    Fred. likes this.
  8. Tracy Perry

    Tracy Perry Well-Known Member

    @Liam is correct @Sheratan ... you need to have the SSL cert re-issued with higher than SHA1. Most of the providers (Comodo and RapidSSL) are now no longer signing their certs in SHA1 so just a simple re-issuance of the cert will take care of it. Use the same CSR you submitted originally.
     
  9. Fred.

    Fred. Well-Known Member

    I noticed some issues with my setup.
    It changes from modern cryptography to obsolete cryptography and back every now and then. Really weird... o_O :confused:
     
  10. Tracy Perry

    Tracy Perry Well-Known Member

    When I was using SSL on my TWD site (dropped it because I had a single domain SSL and now am doing all images and other resources from a static domain) this is what I used.

    Code:
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
     
  11. eva2000

    eva2000 Well-Known Member

    run your site through https://www.ssllabs.com/ssltest/index.html as Chrome is now sunsetting SHA1 signatures for TLS https://community.centminmod.com/threads/chrome-browser-39-sunsetting-sha-1-ssl-signatures.1283/

    recommended ciphers https://wiki.mozilla.org/Security/Server_Side_TLS
     
    SneakyDave likes this.
  12. Floren

    Floren Well-Known Member

    You are correct.

    axivo.png google.png
     
    Fred. likes this.
  13. rafass

    rafass Well-Known Member

    This is mine: (no issues)
    R 2015-05-07 at 13.54.26.jpg
     
  14. Sheratan

    Sheratan Well-Known Member

    What's wrong with CBC?
     
  15. Fred.

    Fred. Well-Known Member

    @Floren Can I ask you which cipher suite you are using? I saw your site also has A+
    I'm using MattW his cipher suite, but I only have an A on the ssl labs test and I'm trying to get a A+ :D
    I also have HSTS, but it looks like it's not good enough to get A+
     
  16. RoldanLT

    RoldanLT Well-Known Member

    I strongly recommend: https://wiki.mozilla.org/Security/Server_Side_TLS
     
    Fred. likes this.
  17. Tracy Perry

    Tracy Perry Well-Known Member

    One problem I was running into... I still had users using Windows XP and the older versions of Internet Exploder.... and they wouldn't change. So I decided to use the cipher suite that would support them (now I don't have to worry about it as I went back to HTTP).
     
  18. Floren

    Floren Well-Known Member

    I presume you are using Nginx? Feel free to ask the question on our support site, Software forums. Expect to be challenged with logic, we do not spoon-feed our members. Instead, we want them to learn and actually understand what they are doing. Then, they understand the true essence of cryptography ciphers and adjust them on the fly.
    You strongly recommend that based on what? The posted structure is chaotic and they list a bunch of useless ciphers which only expose you to future cipher-attacks. My list of ciphers is exactly 43 characters long. Please explain to other members here why we use only 5 ciphers.
    https://www.ssllabs.com/ssltest/analyze.html?d=axivo.com&hideResults=on

    Also, explain to us why the ciphers used on Centminmod site are not recommended, even if they show better results:
    https://www.ssllabs.com/ssltest/analyze.html?d=community.centminmod.com&hideResults=on
     
    Last edited: May 8, 2015
  19. RoldanLT

    RoldanLT Well-Known Member

    Compatibility.
     
  20. Fred.

    Fred. Well-Known Member

    Yes, using Nginx 1.8 since a few days. But with directadmin, that makes things more complicated!
    Well, I'm going to do that because I would like to learn more about it.
    My problem is solved now, but I still like to improve my knowledge about cryptography ciphers and ssl because that's still kind of new to me. And it seems to be changing fast.
    I was reading on Axivo before about the new ciphers in OpenSSL 1.0.2a, I still use a patched version of 1.0.1
    I just do yum update openssl to update, but CentOS 7.1 doesn't have 1.0.2a available at the moment.
    I'm not super technical, I can setup a server and manage it. Sometimes I need some time to find out what's wrong, but eventually I find the problem and I can fix it. But I'm not a pro. That's still far away :p
     

Share This Page