<div dir="ltr"><br><div class="gmail_quote"><div dir="ltr"><div><div><div>Hello Daniel,<br><br></div>Thank you very much for your reply,<br><br></div>Those are the outputs<br><br></div>Any idea?<br><div><br><a href="https://www.ssllabs.com/ssltest/analyze.html?d=mipymesenlinea.com&latest" target="_blank">https://www.ssllabs.com/ssltest/analyze.html?d=mipymesenlinea.com&latest</a><br><br>root@server:~#<br>root@server:~# wget -O/dev/null -S <a href="https://mipymesenlinea.com" target="_blank">https://mipymesenlinea.com</a><br>--2015-02-05 19:03:29--  <a href="https://mipymesenlinea.com/" target="_blank">https://mipymesenlinea.com/</a><br>Resolving <a href="http://mipymesenlinea.com" target="_blank">mipymesenlinea.com</a> (<a href="http://mipymesenlinea.com" target="_blank">mipymesenlinea.com</a>)... 198.144.155.25<br>Connecting to <a href="http://mipymesenlinea.com" target="_blank">mipymesenlinea.com</a> (<a href="http://mipymesenlinea.com" target="_blank">mipymesenlinea.com</a>)|198.144.155.25|:443... 
connected.<br>HTTP request sent, awaiting response...<br>  HTTP/1.1 200 OK<br>  Date: Fri, 06 Feb 2015 00:03:29 GMT<br>  Server: Apache/2.2.22 (Debian)<br>  Strict-Transport-Security: max-age=15768000 ; includeSubDomains<br>  Last-Modified: Wed, 04 Feb 2015 01:55:01 GMT<br>  ETag: "bfaa7-70-50e3979b56adc"<br>  Accept-Ranges: bytes<br>  Content-Length: 112<br>  Vary: Accept-Encoding<br>  Keep-Alive: timeout=5, max=100<br>  Connection: Keep-Alive<br>  Content-Type: text/html<br>Length: 112 [text/html]<br>Saving to: `/dev/null'<br><br>100%[======================================>] 112         --.-K/s   in 0s<br><br>2015-02-05 19:03:29 (3.07 MB/s) - `/dev/null' saved [112/112]<br><br>root@server:~#<br><br>root@server:~# wget -O/dev/null -S <a href="https://bettercrypto.org" target="_blank">https://bettercrypto.org</a><br>--2015-02-05 19:02:14--  <a href="https://bettercrypto.org/" target="_blank">https://bettercrypto.org/</a><br>Resolving <a href="http://bettercrypto.org" target="_blank">bettercrypto.org</a> (<a href="http://bettercrypto.org" target="_blank">bettercrypto.org</a>)... 78.41.116.68<br>Connecting to <a href="http://bettercrypto.org" target="_blank">bettercrypto.org</a> (<a href="http://bettercrypto.org" target="_blank">bettercrypto.org</a>)|78.41.116.68|:443... 
connected.<br>HTTP request sent, awaiting response...<br>  HTTP/1.1 200 OK<br>  Server: nginx/1.6.2<br>  Date: Fri, 06 Feb 2015 00:01:03 GMT<br>  Content-Type: text/html<br>  Content-Length: 9623<br>  Last-Modified: Fri, 30 Jan 2015 02:07:32 GMT<br>  Connection: keep-alive<br>  Vary: Accept-Encoding<br>  ETag: "54cae764-2597"<br>  Strict-Transport-Security: max-age=31104000<br>  X-Frame-Options: DENY<br>  X-Content-Type-Options: nosniff<br>  X-XSS-Protection: 1; mode=block<br>  Accept-Ranges: bytes<br>Length: 9623 (9.4K) [text/html]<br>Saving to: `/dev/null'<br><br>100%[======================================>] 9,623       --.-K/s   in 0s<br><br>2015-02-05 19:02:16 (534 MB/s) - `/dev/null' saved [9623/9623]<br><br><div><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 5, 2015 at 3:56 PM, Daniel Kahn Gillmor <span dir="ltr"><<a href="mailto:dkg@fifthhorseman.net" target="_blank">dkg@fifthhorseman.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On Thu 2015-02-05 15:38:59 -0500, Josh Sanders wrote:<br>
<br>
> Thanks for making applied-crypto-hardening.pdf<br>
> It is really great!<br>
><br>
> Could you please help me?<br>
><br>
> I have a question:<br>
><br>
> with reference to:<br>
><br>
> <a href="https://bettercrypto.org/static/applied-crypto-hardening.pdf" target="_blank">https://bettercrypto.org/static/applied-crypto-hardening.pdf</a> and<br>
> <a href="https://bettercrypto.org/static/configuration/Webservers/Apache/default-ssl" target="_blank">https://bettercrypto.org/static/configuration/Webservers/Apache/default-ssl</a><br>
><br>
> I have the same configuration as shown in Apache/default-ssl,<br>
> but <a href="http://bettercrypto.org" target="_blank">bettercrypto.org</a> has this results at <a href="https://www.ssllabs.com/ssltest/" target="_blank">https://www.ssllabs.com/ssltest/</a><br>
><br>
> <a href="http://bettercrypto.org" target="_blank">bettercrypto.org</a> - Overall rating: +A<br>
> Certificate 100<br>
> Protocol Support 95<br>
</span>> *Key Exchange 100*<br>
<span>> Cipher Strength 80<br>
><br>
> my domain has - Overall rating: +A<br>
> Certificate 100<br>
> Protocol Support 95<br>
</span>> *Key Exchange 80 ????????*<br>
<span>> Cipher Strength 90<br>
><br>
> Why is Key Exchange 100% for <a href="http://bettercrypto.org" target="_blank">bettercrypto.org</a> and 80% for my domain<br>
> with the same configuration?<br>
<br>
</span>I don't think you've said what your domain is, so it's hard for anyone<br>
here to tell what's going on.<br>
<br>
I suspect the issue is that you are providing weak finite field<br>
Diffie-Hellman (FFDHE) groups for the cipher suites that use FFDHE key<br>
exchange, or that your server's TLS implementation doesn't support<br>
elliptic curve Diffie-Hellman (ECDHE).<br>
<br>
<a href="http://bettercrypto.org" target="_blank">bettercrypto.org</a> provides a ~4Kib group for the FFDHE ciphersuites, and<br>
uses nginx as its webserver (according to the Server: headers emitted by<br>
"wget -O/dev/null -S <a href="https://bettercrypto.org" target="_blank">https://bettercrypto.org</a>")<br>
<br>
If you're using older versions of Apache, you may not be able to adjust<br>
the FFDHE group size directly from the configuration.<br>
<span><font color="#888888"><br>
    --dkg<br>
</font></span></blockquote></div><br></div></div></div></div></div></div></div>
</div><br></div>
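A small checker for the diagnosis dkg gives in the thread above (weak FFDHE group, or no ECDHE at all, behind a lower Key Exchange score), added here as an example that is not part of this thread or of the bettercrypto.org project. It parses the "Server Temp Key" and "Cipher" lines that `openssl s_client` prints; the 2048-bit threshold and the constructed sample outputs are the example's own assumptions.

```python
import re
import subprocess
import sys

MIN_FFDHE_BITS = 2048  # assumption: finite-field DH groups below this are flagged as weak
TEMP_KEY_RE = re.compile(r"Server Temp Key:\s*(.+)")
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)

# Constructed excerpts of `openssl s_client` output (not real captures) for the cases dkg names.
SAMPLES = {
    "weak-ffdhe": "Server Temp Key: DH, 1024 bits\nSSL-Session:\n    Cipher    : DHE-RSA-AES128-GCM-SHA256\n",
    "ffdhe-4096": "Server Temp Key: DH, 4096 bits\nSSL-Session:\n    Cipher    : DHE-RSA-AES256-GCM-SHA384\n",
    "ecdhe": "Server Temp Key: ECDH, P-256, 256 bits\nSSL-Session:\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n",
    "static-rsa": "SSL-Session:\n    Cipher    : AES128-SHA\n",
}

def assess(output):
    """Classify the key exchange seen in s_client output: cipher, family, ephemeral bits, verdict."""
    cipher_m = CIPHER_RE.search(output)
    if cipher_m is None or cipher_m.group(1) == "0000":
        return {"cipher": None, "kex": "none", "bits": 0, "ok": False}  # handshake failed
    cipher = cipher_m.group(1)
    key_m = TEMP_KEY_RE.search(output)
    if key_m is None:
        return {"cipher": cipher, "kex": "RSA", "bits": 0, "ok": False}  # no ephemeral key: no forward secrecy
    desc = key_m.group(1).strip()  # "DH, 1024 bits" / "ECDH, P-256, 256 bits" / "X25519, 253 bits"
    bits = int(re.search(r"(\d+) bits", desc).group(1))
    if desc.startswith("DH"):  # finite-field DHE: the group size is what the Key Exchange score reflects
        return {"cipher": cipher, "kex": "FFDHE", "bits": bits, "ok": bits >= MIN_FFDHE_BITS}
    return {"cipher": cipher, "kex": "ECDHE", "bits": bits, "ok": True}

def probe(host, port=443, cipher=None):
    """Handshake with a live server via openssl s_client (needs network and OpenSSL 1.0.2 or newer)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if cipher:
        cmd += ["-cipher", cipher]
    return subprocess.run(cmd, input=b"", capture_output=True, timeout=20).stdout.decode("utf-8", "replace")

def report(label, result):
    return f"{label}: {result['cipher']} via {result['kex']} {result['bits']} bits -> {'ok' if result['ok'] else 'WEAK'}"

if __name__ == "__main__":
    # With a hostname argument, probe the live server twice: default cipher list, then DHE forced so
    # the FFDHE group size is revealed. Without an argument, run over the constructed samples.
    if len(sys.argv) > 1:
        runs = {f"{sys.argv[1]} [{lbl}]": probe(sys.argv[1], cipher=c) for lbl, c in (("default", None), ("DHE-only", "DHE"))}
    else:
        runs = SAMPLES
    for name, text in runs.items():
        print(report(name, assess(text)))
```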