[Ach] Help - Question - help - applied-crypto-hardening.pdf - . - -

Josh Sanders facil77 at gmail.com
Fri Feb 6 01:21:52 CET 2015


Hello Daniels,

Thank you very much for your reply,

Those are the outputs

Any idea?

https://www.ssllabs.com/ssltest/analyze.html?d=mipymesenlinea.com&latest

root@server:~#
root@server:~# wget -O/dev/null -S https://mipymesenlinea.com
--2015-02-05 19:03:29--  https://mipymesenlinea.com/
Resolving mipymesenlinea.com (mipymesenlinea.com)... 198.144.155.25
Connecting to mipymesenlinea.com (mipymesenlinea.com)|198.144.155.25|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Fri, 06 Feb 2015 00:03:29 GMT
  Server: Apache/2.2.22 (Debian)
  Strict-Transport-Security: max-age=15768000 ; includeSubDomains
  Last-Modified: Wed, 04 Feb 2015 01:55:01 GMT
  ETag: "bfaa7-70-50e3979b56adc"
  Accept-Ranges: bytes
  Content-Length: 112
  Vary: Accept-Encoding
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html
Length: 112 [text/html]
Saving to: `/dev/null'

100%[======================================>] 112         --.-K/s   in 0s

2015-02-05 19:03:29 (3.07 MB/s) - `/dev/null' saved [112/112]

root@server:~#

root@server:~# wget -O/dev/null -S https://bettercrypto.org
--2015-02-05 19:02:14--  https://bettercrypto.org/
Resolving bettercrypto.org (bettercrypto.org)... 78.41.116.68
Connecting to bettercrypto.org (bettercrypto.org)|78.41.116.68|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: nginx/1.6.2
  Date: Fri, 06 Feb 2015 00:01:03 GMT
  Content-Type: text/html
  Content-Length: 9623
  Last-Modified: Fri, 30 Jan 2015 02:07:32 GMT
  Connection: keep-alive
  Vary: Accept-Encoding
  ETag: "54cae764-2597"
  Strict-Transport-Security: max-age=31104000
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  Accept-Ranges: bytes
Length: 9623 (9.4K) [text/html]
Saving to: `/dev/null'

100%[======================================>] 9,623       --.-K/s   in 0s

2015-02-05 19:02:16 (534 MB/s) - `/dev/null' saved [9623/9623]


On Thu, Feb 5, 2015 at 3:56 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
wrote:

> On Thu 2015-02-05 15:38:59 -0500, Josh Sanders wrote:
>
> > Thanks for making applied-crypto-hardening.pdf
> > It is really Great!
> >
> > Could you please help me?
> >
> > I have a question:
> >
> > with reference to:
> >
> > https://bettercrypto.org/static/applied-crypto-hardening.pdf and
> >
> > https://bettercrypto.org/static/configuration/Webservers/Apache/default-ssl
> >
> > I have the same configuration as shown in Apache/default-ssl,
> > but bettercrypto.org has these results at
> > https://www.ssllabs.com/ssltest/
> >
> > bettercrypto.org - Overall rating: +A
> > Certificate 100
> > Protocol Support 95
> > *Key Exchange 100*
> > Cipher Strength 80
> >
> > my domain has - Overall rating: +A
> > Certificate 100
> > Protocol Support 95
> > *Key Exchange 80 ????????*
> > Cipher Strength 90
> >
> > Why is Key Exchange 100 % for bettercrypto.org and 80 % for my domain
> > with the same configuration?
>
> I don't think you've said what your domain is, so it's hard for anyone
> here to tell what's going on.
>
> I suspect the issue is that you are providing weak finite field
> Diffie-Hellman (FFDHE) groups for the cipher suites that use FFDHE key
> exchange, or that your server's TLS implementation doesn't support
> elliptic curve Diffie-Hellman (ECDHE).
>
> bettercrypto.org provides a ~4Kib group for the FFDHE ciphersuites, and
> uses nginx as its webserver (according to the Server: headers emitted by
> "wget -O/dev/null -S https://bettercrypto.org")
>
> If you're using older versions of Apache, you may not be able to adjust
> the FFDHE group size directly from the configuration.
>
>     --dkg
>
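
A check for the cause suggested in the quoted reply, as an added example that is not part of the original messages: it reads the "Server Temp Key" line that `openssl s_client -connect host:443` prints (OpenSSL 1.0.2 and later) and scores the weaker of the certificate key and the ephemeral key. The sample lines, the certificate key sizes passed in, and the score bands (taken from the SSL Labs rating guide of the time) are assumptions.

```python
import re

# Constructed sample lines in the `openssl s_client` output format;
# they were not captured from the hosts discussed in this thread.
SAMPLE_DH_1024 = "Server Temp Key: DH, 1024 bits"
SAMPLE_DH_4096 = "Server Temp Key: DH, 4096 bits"
SAMPLE_ECDH_P256 = "Server Temp Key: ECDH, P-256, 256 bits"

TEMP_KEY_RE = re.compile(
    r"Server Temp Key:\s*(?P<kind>[^,\n]+),"
    r"(?:\s*(?P<curve>[^,\n]+),)?\s*(?P<bits>\d+) bits"
)

# Approximate finite-field equivalents of elliptic-curve key sizes
# (NIST SP 800-57 Part 1 comparable-strength table).
ECC_TO_FFC = [(512, 15360), (384, 7680), (256, 3072), (224, 2048)]

# Assumption: Key Exchange bands from the SSL Labs rating guide of early
# 2015, as (strictly-below threshold in bits, score).
SCORE_BANDS = [(512, 20), (1024, 40), (2048, 80), (4096, 90)]


def parse_temp_key(s_client_output):
    """Return (kind, bits) of the server's ephemeral key, or None if absent."""
    m = TEMP_KEY_RE.search(s_client_output)
    if m is None:
        return None  # no ephemeral key exchange, e.g. plain RSA key transport
    return m.group("kind").strip(), int(m.group("bits"))


def ffc_equivalent_bits(kind, bits):
    """Express the ephemeral key as a finite-field (DH/RSA-like) size."""
    if kind == "DH":
        return bits
    for ecc_bits, ffc_bits in ECC_TO_FFC:  # elliptic-curve key
        if bits >= ecc_bits:
            return ffc_bits
    return 1024  # curves under 224 bits offer at most about 80-bit security


def key_exchange_score(cert_key_bits, s_client_output):
    """Return (effective bits, score) for the weaker of the two keys."""
    temp = parse_temp_key(s_client_output)
    effective = cert_key_bits
    if temp is not None:
        effective = min(cert_key_bits, ffc_equivalent_bits(*temp))
    for limit, score in SCORE_BANDS:
        if effective < limit:
            return effective, score
    return effective, 100
```

With a 4096-bit certificate key, the constructed 1024-bit DH sample yields a score of 80 and the 4096-bit DH sample yields 100, the same two values compared in the question.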