[Ach] Help - Question - help - applied-crypto-hardening.pdf

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Feb 5 22:56:03 CET 2015


On Thu 2015-02-05 15:38:59 -0500, Josh Sanders wrote:

> Thanks for making applied-crypto-hardening.pdf
> It is really great!
>
> Could you please help me?
>
> I have a question:
>
> with reference to:
>
> https://bettercrypto.org/static/applied-crypto-hardening.pdf and
> https://bettercrypto.org/static/configuration/Webservers/Apache/default-ssl
>
> I have the same configuration as shown in Apache/default-ssl,
> but bettercrypto.org has this results at https://www.ssllabs.com/ssltest/
>
> bettercrypto.org - Overall rating: +A
> Certificate 100
> Protocol Support 95
> *Key Exchange 100*
> Cipher Strength 80
>
> my domain has - Overall rating: +A
> Certificate 100
> Protocol Support 95
> *Key Exchange 80 ????????*
> Cipher Strength 90
>
> Why is Key Exchange 100% for bettercrypto.org and 80% for my domain
> with the same configuration?

I don't think you've said what your domain is, so it's hard for anyone
here to tell what's going on.

I suspect the issue is that you are providing weak finite field
Diffie-Hellman (FFDHE) groups for the cipher suites that use FFDHE key
exchange, or that your server's TLS implementation doesn't support
elliptic curve Diffie-Hellman (ECDHE).

bettercrypto.org provides a ~4Kib group for the FFDHE ciphersuites, and
uses nginx as its webserver (according to the Server: headers emitted by
"wget -O/dev/null -S https://bettercrypto.org")

If you're using older versions of Apache, you may not be able to adjust
the FFDHE group size directly from the configuration.

    --dkg
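The two causes dkg names (a small FFDHE group, or no ECDHE at all) can be checked directly against a server rather than inferred from the SSL Labs score. The script below is an added example and is not part of the thread or of the bettercrypto.org material; it assumes an OpenSSL 1.0.2 or newer `openssl s_client`, which prints a "Server Temp Key:" line for the ephemeral key the server actually used, and the sample s_client outputs embedded in it are constructed for offline use, not captured from any real host.

```shell
#!/bin/sh
# Added example (not from the original thread): find out which ephemeral key a TLS
# server negotiates, so that an 80/100 "Key Exchange" score can be traced to either a
# short finite-field DH group or to missing ECDHE support.
#
# Assumes OpenSSL >= 1.0.2, whose s_client prints a line such as
#   Server Temp Key: DH, 2048 bits
#   Server Temp Key: ECDH, P-256, 256 bits
#   Server Temp Key: X25519, 253 bits     (OpenSSL 1.1.0+)

# Extract "<type> <bits>" (e.g. "DH 1024") from s_client output read on stdin.
# Prints nothing when no ephemeral key was negotiated (handshake failed, or older OpenSSL).
temp_key() {
    sed -n 's/^Server Temp Key: \([A-Za-z0-9]*\),.* \([0-9]*\) bits$/\1 \2/p' | head -n 1
}

# Rate the negotiated key exchange: FFDHE groups under 2048 bits are what SSL Labs
# penalises; any ECDHE curve it will negotiate is rated ok here.
assess() {
    kx_type=$1
    kx_bits=$2
    case "$kx_type" in
        DH)   if [ "$kx_bits" -ge 2048 ]; then echo ok; else echo weak; fi ;;
        ECDH|X25519|X448) echo ok ;;
        *)    echo unknown ;;
    esac
}

# Live probe: force an FFDHE suite, then an ECDHE suite, and report what the server
# offers for each. -tls1_2 keeps the -cipher restriction meaningful on OpenSSL 1.1.1+,
# where TLS 1.3 suites are selected separately.
# Usage: probe_server example.org [443]
probe_server() {
    host=$1
    port=${2:-443}
    for suite in DHE ECDHE; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -tls1_2 -cipher "$suite" </dev/null 2>/dev/null || true)
        kx=$(printf '%s\n' "$out" | temp_key)
        if [ -z "$kx" ]; then
            echo "$suite: no handshake (server offers no $suite suites, or OpenSSL < 1.0.2)"
        else
            # $kx is intentionally unquoted: it expands to the two arguments assess() takes.
            echo "$suite: $kx -> $(assess $kx)"
        fi
    done
}

# Constructed s_client excerpts (not real captures), used when no host is given.
SAMPLE_WEAK_DH='---
SSL handshake has read 1611 bytes and written 365 bytes
---
Server Temp Key: DH, 1024 bits
---'
SAMPLE_ECDH='---
Server Temp Key: ECDH, P-256, 256 bits
---'

if [ "$#" -gt 0 ]; then
    probe_server "$@"
else
    for sample in "$SAMPLE_WEAK_DH" "$SAMPLE_ECDH"; do
        kx=$(printf '%s\n' "$sample" | temp_key)
        echo "constructed sample: $kx -> $(assess $kx)"
    done
fi
```

Run it as `sh probe.sh yourdomain.example` to see the real answer. If the DHE line reports 1024 bits, generate a larger group with `openssl dhparam -out dhparams.pem 4096` and point mod_ssl at it: on Apache 2.4.8 or later with OpenSSL 1.0.2, `SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"`; on 2.4.7 the parameters can instead be appended to the file named by `SSLCertificateFile`; on older 2.2/2.4 releases there is no directive for this, which is the limitation dkg refers to. If the ECDHE line reports no handshake, the server build or its `SSLCipherSuite` is excluding ECDHE suites entirely.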