cherokee / webserver

Cherokee Web Server
GNU General Public License v2.0

Firefox throwing SSl_error_no_cypher_overlap error #1216

Open fuzzball1980 opened 6 years ago

fuzzball1980 commented 6 years ago

Hi guys! I have been asked to disable TLSv1 and TLSv1.1 on my site.

I have been able to do it by adding the following config to the cipher list:

```
vserver!21!ssl_ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:!DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE-RSA-CAMELLIA256-SHA:!AES256-SHA:!CAMELLIA256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!AES128-SHA:!CAMELLIA128-SHA:!EDH-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:HIGH:!SSLv2:!DESede:!SSLv3
```

The problem is that on the latest Firefox version on Windows and Linux (not on macOS) I get the SSl_error_no_cypher_overlap error.

So I enabled TLSv1 and TLSv1.1, ran an sslscan of my site and started to deny the ciphers on TLSv1 and TLSv1.1 one by one to find the one used by Firefox, and I got this list that works on FF on Linux and Windows:

```
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Preferred TLSv1.1 112 bits DES-CBC3-SHA
Preferred TLSv1.0 112 bits DES-CBC3-SHA
Preferred SSLv3 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA DHE 1024 bits
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 256 bits CAMELLIA256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA DHE 1024 bits
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits CAMELLIA128-SHA
Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted SSLv3 112 bits DES-CBC3-SHA
```

So, if I disable DES-CBC3-SHA I get the SSL_no_cipher_overlap error; it looks like FF is not supporting TLSv1.2 by default, or can't find any other matching cipher.

Any idea?

Thank you very much! Cesar.-
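An added example, not part of this issue or of Cherokee's own code. The `ssl_ciphers` value is an OpenSSL cipher string, and in that syntax the `SSLv3`, `TLSv1` and `TLSv1.2` keywords select suites by the protocol version in which they were first defined, not by the version a connection negotiates. The trailing `!SSLv3` therefore strips every SSLv3-era suite (the CBC-SHA1 ones, which TLS 1.0, 1.1 and 1.2 also use) while leaving the enabled protocol versions exactly as they were; protocol versions are controlled by the server's protocol settings, not by the cipher list. The script below expands a cipher string through the local OpenSSL via Python's standard `ssl` module (so the exact suite names depend on the OpenSSL build it runs on), shows what `!SSLv3` removes from `HIGH`, and parses the sslscan output quoted above to report what a scanner would still see once `DES-CBC3-SHA` is dropped, which is the check the post did by hand. Both inputs are copied from the issue; the function names are mine.

```python
import re
import ssl

# The ssl_ciphers value from the issue (vserver!21!ssl_ciphers), copied verbatim.
ISSUE_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:!DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE-RSA-CAMELLIA256-SHA:!AES256-SHA:"
    "!CAMELLIA256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!AES128-SHA:"
    "!CAMELLIA128-SHA:!EDH-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:HIGH:!SSLv2:!DESede:!SSLv3"
)

# The sslscan output from the issue, copied verbatim (the working, permissive config).
ISSUE_SCAN = """\
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Preferred TLSv1.1 112 bits DES-CBC3-SHA
Preferred TLSv1.0 112 bits DES-CBC3-SHA
Preferred SSLv3 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA DHE 1024 bits
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 256 bits CAMELLIA256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA DHE 1024 bits
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits CAMELLIA128-SHA
Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted SSLv3 112 bits DES-CBC3-SHA
"""

# Substrings that mark suites nobody should still be offering.
WEAK_MARKERS = ("DES", "RC4", "MD5", "NULL", "EXP", "PSK")

SCAN_LINE = re.compile(r"^(Preferred|Accepted)\s+(\S+)\s+(\d+) bits\s+(\S+)(?:\s+DHE\s+(\d+) bits)?")


def expand(cipher_string):
    """Expand an OpenSSL cipher string into {protocol-of-definition: [suite names]}.
    OpenSSL ignores keywords it does not know (e.g. DESede), so only an
    empty result raises; the TLS 1.3 suites are listed as well."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    by_proto = {}
    for c in ctx.get_ciphers():
        by_proto.setdefault(c["protocol"], []).append(c["name"])
    return by_proto


def weak_suites(by_proto):
    """Suite names in an expansion that match one of the weak markers."""
    return sorted(n for names in by_proto.values() for n in names
                  if any(m in n for m in WEAK_MARKERS))


def removed_by(cipher_string, extra):
    """Suites present with cipher_string that disappear once `extra` is appended."""
    before = {n for ns in expand(cipher_string).values() for n in ns}
    after = {n for ns in expand(cipher_string + ":" + extra).values() for n in ns}
    return sorted(before - after)


def parse_sslscan(text):
    """Turn sslscan 'Preferred/Accepted' lines into dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            rows.append({"status": m[1], "protocol": m[2], "bits": int(m[3]),
                         "name": m[4], "dh_bits": int(m[5]) if m[5] else None})
    return rows


def findings(rows):
    """Defender-side observations from a scan: 3DES suites and DH parameters under 2048 bits."""
    out = []
    for r in rows:
        if "DES-CBC3" in r["name"]:
            out.append(f'{r["protocol"]} offers 3DES suite {r["name"]}')
        if r["dh_bits"] is not None and r["dh_bits"] < 2048:
            out.append(f'{r["protocol"]} {r["name"]} uses {r["dh_bits"]}-bit DH parameters')
    return out


def offered_after_dropping(rows, suite):
    """Protocol -> suites a scanner would still see once `suite` is removed."""
    left = {}
    for r in rows:
        if r["name"] != suite:
            left.setdefault(r["protocol"], []).append(r["name"])
    return left


if __name__ == "__main__":
    by_proto = expand(ISSUE_CIPHERS)
    for proto, names in sorted(by_proto.items()):
        print(f"{proto}: {len(names)} suites, e.g. {names[:3]}")
    print("weak suites left in the config:", weak_suites(by_proto))
    print("what a trailing !SSLv3 removes from HIGH:", removed_by("HIGH", "!SSLv3"))
    rows = parse_sslscan(ISSUE_SCAN)
    print("scan findings:", *findings(rows), sep="\n  ")
    left = offered_after_dropping(rows, "DES-CBC3-SHA")
    print("offered once DES-CBC3-SHA is gone:", {p: len(n) for p, n in left.items()})
```

Run it as `python3 cipher_check.py`. Two things it makes visible: the config's expansion contains no SSLv3-era suite at all, so a client that cannot use any of the remaining TLS 1.2 suites has nothing to overlap with; and in the quoted scan, `DES-CBC3-SHA` is the only suite offered on TLSv1.0 and TLSv1.1, so dropping it empties those two protocols entirely. Keywords OpenSSL does not recognise (`DESede` here, and `SSLv2` on current releases) are ignored rather than rejected, so a typo in the list never produces an error, only a different set of suites.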

skinkie commented 6 years ago

Sadly I can't reason about what Mozilla is developing. Have you asked them for support too?

fuzzball1980 commented 6 years ago

Nope, my bad. I will ask them right now. Thanks!