Topic: [off-topic] svp-team.com HTTPS
Hey!
I just noticed you guys enabled HTTPS on SVP-Team.com, and I find it awesome ^^
I would like to give you some advice about configuration.
According to SSLLabs.com, there is still a lot to do: https://www.ssllabs.com/ssltest/analyze … p-team.com
To solve:
"This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C."
Don't use SSLv3:
SSLProtocol All -SSLv2 -SSLv3
To solve:
"Certificate has a weak signature and expires after 2015. Upgrade to SHA2 to avoid browser warnings."
Read this topic: https://forum.startcom.org/viewtopic.ph … mp;t=15741.
To solve:
"This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B."
Use another cipher list, such as Mozilla's: https://wiki.mozilla.org/Security/Server_Side_TLS (note: use SSLHonorCipherOrder on)
With that setup, you should get an A grade on SSL Labs.
Also, Let's Encrypt will reach GA next week, meaning anyone will be able to issue certs for their websites.
Hope it will help you ^^ Have a nice day!
Edit: You should also like https://cipherli.st/, it provides pre-made config segments to enable SSL in commonly-used software
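Added example (not part of the original post): a small linter that checks an Apache mod_ssl config for the three issues listed above: SSLv3 still enabled, RC4 offered, and SSLHonorCipherOrder not on. The sample configs and cipher list are constructed for illustration, and the SSLProtocol handling is a simplified model that assumes "all" includes SSLv3 and that a missing SSLProtocol behaves like "all".

```python
import re

# Assumption: "all" includes SSLv3, as the post's "All -SSLv2 -SSLv3" advice implies.
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

# Constructed sample configs (the cipher list is illustrative, not Mozilla's).
WEAK_CONF = """\
SSLEngine on
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:RC4-SHA:!aNULL
"""
FIXED_CONF = """\
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!RC4
SSLHonorCipherOrder on
"""

def directives(conf):
    """Map lowercased directive name -> arguments (simplified: last one wins)."""
    found = {}
    for raw in conf.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith(("#", "<")):
            found[parts[0].lower()] = parts[1].strip()
    return found

def enabled_protocols(args):
    """Simplified SSLProtocol model: bare and '+' tokens add, '-' tokens remove."""
    enabled = set()
    for token in args.lower().split():
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name == "all" else {name}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return enabled

def lint(conf):
    """Return sorted finding ids: 'sslv3', 'rc4', 'cipher-order'."""
    d = directives(conf)
    findings = set()
    if "sslv3" in enabled_protocols(d.get("sslprotocol", "all")):
        findings.add("sslv3")
    # A cipher token counts as offered unless prefixed with '!' or '-'.
    # Aliases such as MEDIUM are not expanded, so RC4 hidden in them is missed.
    tokens = re.split(r"[:, ]+", d.get("sslciphersuite", ""))
    if any("RC4" in t.upper() and t[:1] not in "!-" for t in tokens):
        findings.add("rc4")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.add("cipher-order")
    return sorted(findings)

if __name__ == "__main__":
    print(lint(WEAK_CONF), lint(FIXED_CONF))
```

A clean result here only means the config text looks right; an SSL Labs rescan still confirms what the server actually negotiates.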