
Message boards : Server and website : SSL certificate rating (C)

Customminer
Joined: 22 Feb 14
Posts: 1
Credit: 170,575
RAC: 0
Message 43265 - Posted: 27 Apr 2016 | 22:12:00 UTC

Hey,

I checked SSL support for all BOINC projects yesterday in the following thread:
https://boinc.berkeley.edu/dev/forum_thread.php?id=10973

The users in the thread suggested reaching out to all affected projects, so here I am!

GPUGRID only has a 'C' ranking according to ssllabs: https://www.ssllabs.com/ssltest/analyze.html?d=www.gpugrid.net

Would it be possible to reconfigure your SSL certificate/settings to be better than C?

Thanks

[CSF] Aleksey Belkov
Joined: 26 Dec 13
Posts: 85
Credit: 1,215,531,270
RAC: 149,751
Message 43327 - Posted: 9 May 2016 | 0:30:50 UTC - in response to Message 43265.
Last modified: 9 May 2016 | 0:33:11 UTC

1) This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

Apache 2.2 does not at present allow the length of the DHE ephemeral keys to be configured; they are fixed at 1024 bits. (Apache prior to v2.4.7 relies on OpenSSL for the DH input parameters, which defaults to 1024 bits.) Until this becomes configurable, there are arguments to disable DHE altogether.

DHE ephemeral keys should be of at least the same length as the authentication key length if X.509 certificates are used for authentication. Having a 1024-bit DHE key length while using 2048-bit RSA certificates reduces TLS security.
The majority of modern browsers support ECDHE.

!EDH should be added to the cipher suite config section (SSLCipherSuite) to disable weak DHE key exchange.

2) The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.

TLS 1.1 and TLS 1.2 must be enabled to resolve this issue.
It is important to check the current version of OpenSSL. It must be 1.0.1 or 1.0.2.
It is highly desirable to update OpenSSL to the latest 1.0.1t or 1.0.2h too!

SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3 should be configured.

3) The server does not support Forward Secrecy with the reference browsers.
If the previous issue is solved, it will be possible to use ECDHE, which is much faster than traditional DHE, and this issue will be resolved too.

If all 3 issues are solved, the site will receive an A+ rating.
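As an added illustration that is not part of the thread or of GPUGRID's own configuration, here is the kind of Apache 2.2 mod_ssl fragment the post describes: a constructed "before" that produces the capped grade, followed by the settings the post recommends. The exact cipher list is an assumption; any list that puts ECDHE first and excludes EDH serves the same purpose.

```apache
# --- Before: constructed example of a configuration that grades C ---
# Only SSLv3 and TLS 1.0 are negotiable; with no TLS 1.1/1.2 the grade is capped at C.
SSLProtocol -all +SSLv3 +TLSv1
# A generic cipher list still offers DHE suites, which Apache 2.2 can only run
# with fixed 1024-bit parameters, so the scanner reports weak DH (cap B).
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# --- After: the settings recommended in the post ---
# Enable TLS 1.2 and TLS 1.1 (needs OpenSSL 1.0.1 or 1.0.2 on the server)
# and drop SSLv2/SSLv3 entirely.
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
# ECDHE first, so the reference browsers get forward secrecy; !EDH removes the
# classic DHE suites with their 1024-bit parameters. Assumed list; trim it to
# match your client base.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!MD5:!EDH
# Make the server's order win, so a client that lists plain RSA key exchange
# first is still steered to an ECDHE suite.
SSLHonorCipherOrder on
```

After editing, `apachectl configtest` catches syntax errors before a restart, and a fresh SSL Labs scan confirms that the DH and protocol caps are gone. On Apache 2.4.7 or later, custom DH parameters can be supplied instead of disabling DHE, as the post notes in passing.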
