[Ach] Disabling anonymous ciphers
Axel Hübl
axel.huebl at web.de
Mon Jan 6 16:45:27 CET 2014
Hi Christian,
Win XP is not supported due to missing "safe" ciphers.
That is a little bit hidden in the documentation:
https://bettercrypto.org/static/applied-crypto-hardening.pdf#page.16
A nice redirect to an "explanation site" instead of a browser error
message would be nice ... does someone have an idea how to achieve
that, e.g. in apache?
Cheers,
Axel
On 06.01.2014 16:39, Christian Rishøj wrote:
>
> On 6 Jan 2014, at 15:23, Aaron Zauner <azet at azet.org> wrote:
>
>>>> This server supports anonymous (insecure) suites (see below
>>>> for details). Grade set to F.
>>
>> [...]
>>
>>> Did I screw up? If not, I think the guide could use either a
>>> correction or an explanation.
>>
>> Please use the configurations provided in the Paper on
>> bettercrypto.org
>
> Thanks, seeing a grade "A" from SSLLabs now.
>
> Actually, an old leftover configuration directive in a VirtualHost
> segment – and not the duraconf value – was probably to blame for
> the anonymous ciphers.
>
> On a related note, the handshake simulations as IE6/XP and IE8/XP
> are failing:
>
>> Protocol or cipher suite mismatch
>
> I should mention that I have not confirmed this using an actual IE
> 6 browser, and that SSLLabs puts this footnote on the result: "Only
> first connection attempt simulated. Browsers tend to retry with a
> lower protocol version."
>
> Is it known to be a non-issue?
>
> Thanks, Christian
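Added example, not part of the original thread: a small audit for the situation Christian describes, where a leftover `SSLCipherSuite` inside a `VirtualHost` overrides a hardened server-wide setting. The sample configuration, function names and the conservative "flag anything without `!aNULL`" rule are assumptions of this sketch; it reads one file and does not follow `Include` directives or line continuations.

```python
import re

# Constructed sample: hardened server-wide setting, two per-vhost overrides.
SAMPLE_CONF = """\
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5
<VirtualHost *:443>
    ServerName www.example.org
    # leftover from an older setup
    SSLCipherSuite ALL:!EXP:!LOW
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.org
    SSLCipherSuite "HIGH:ADH:!MD5"
</VirtualHost>
"""

ANON_KEYWORDS = {"aNULL", "ADH", "AECDH"}
VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]*)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)
DIRECTIVE = re.compile(r"SSLCipherSuite\s+(.+)$", re.I)

def adds_anonymous(token):
    """True if a cipher-string token explicitly selects anonymous suites."""
    if token.startswith(("!", "-")):
        return False
    parts = token.lstrip("+").split("+")
    return any(p in ANON_KEYWORDS or p.startswith(("ADH-", "AECDH-")) for p in parts)

def audit(conf_text):
    """Return (line, context, cipher string, reason) per risky SSLCipherSuite."""
    findings, context = [], "server config"
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if VHOST_OPEN.match(line):
            context = f"VirtualHost {VHOST_OPEN.match(line).group(1).strip()} (line {no})"
        elif VHOST_CLOSE.match(line):
            context = "server config"
        m = DIRECTIVE.match(line)
        if not m:
            continue
        spec = m.group(1).strip().strip("'\"")
        tokens = [t for t in re.split(r"[:, ]+", spec) if t]
        if "!aNULL" in tokens:  # '!' removes the suites permanently
            continue
        explicit = any(adds_anonymous(t) for t in tokens)
        reason = "selects anonymous suites" if explicit else "no !aNULL exclusion"
        findings.append((no, context, spec, reason))
    return findings

if __name__ == "__main__": print(*audit(SAMPLE_CONF), sep="\n")
```

A flagged string is a candidate, not a verdict: expand it with `openssl ciphers -v '<string>'` on the server and look for entries with `Au=None` to see what the installed OpenSSL actually enables.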