[Ach] Disabling anonymous ciphers

Axel Hübl axel.huebl at web.de
Mon Jan 6 16:45:27 CET 2014


Hi Christian,

Win XP is not supported due to missing "safe" ciphers.
That is a little bit hidden in the documentation:
  https://bettercrypto.org/static/applied-crypto-hardening.pdf#page.16

A nice redirect to an "explanation site" instead of a browser error
message would be nice ... does someone have an idea how to achieve
that, e.g. in Apache?

Cheers,
Axel

On 06.01.2014 16:39, Christian Rishøj wrote:
> 
> On 6 Jan 2014, at 15:23, Aaron Zauner <azet at azet.org> wrote:
> 
>>>> This server supports anonymous (insecure) suites (see below
>>>> for details). Grade set to F.
>> 
>> [...]
>> 
>>> Did I screw up? If not, I think the guide could use either a 
>>> correction or an explanation.
>> 
>> Please use the configurations provided in the Paper on
>> bettercrypto.org
> 
> Thanks, seeing a grade "A" from SSLLabs now.
> 
> Actually, an old leftover configuration directive in a VirtualHost
> segment – and not the duraconf value – was probably to blame for
> the anonymous ciphers.
> 
> On a related note, the handshake simulations as IE6/XP and IE8/XP
> are failing:
> 
>> Protocol or cipher suite mismatch
> 
> I should mention that I have not confirmed this using an actual IE
> 6 browser, and that SSLLabs puts this footnote on the result: "Only
> first connection attempt simulated. Browsers tend to retry with a
> lower protocol version."
> 
> Is it known to be a non-issue?
> 
> Thanks, Christian