sindarina closed this issue 8 years ago
This is one of those cases where the mediocre settings hide behind an A- rating and the EV certificate. Should be upgraded if possible, or at least optimised by enabling server-side cipher ordering and switching to 2048-bit DH keys if the Apache version allows for it. A front-end proxy such as nginx might also be an option.
Notified via email: security@dpd.zendesk.com (published security email address)
Acknowledged via ticket on May 5th.
A bit better, but issues still remain;
Cipherscan Analysis
getdpd.com:443 has intermediate with bad ordering ssl/tls
Changes needed to match the intermediate level:
* consider using a SHA-256 certificate
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
* increase priority of AES256-GCM-SHA384 over DHE-RSA-CAMELLIA256-SHA
* increase priority of DHE-RSA-AES128-GCM-SHA256 over CAMELLIA256-SHA
* increase priority of AES128-GCM-SHA256 over DHE-RSA-CAMELLIA128-SHA
* fix ciphersuite ordering, use recommended intermediate ciphersuite
Changes needed to match the modern level:
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1
* use a SHA-256 certificate
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
No server-side cipher ordering yet though. Why would that take this long to activate?
In light of the details of the Logjam attack (https://weakdh.org/), we are upgrading 1024-bit DH keys to a red level issue that should be resolved, as that key size puts it within reach of state-level adversaries and is no longer considered safe.
See https://github.com/isvsecwatch/httpstracker#a-note-on-dhdhe for details.
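The changes recommended in this thread (server-side cipher ordering, 2048-bit DH parameters, OCSP stapling), sketched as an Apache mod_ssl configuration. This is an added example, not the site's actual configuration and not part of the original tracker entry. The host name, file paths and the shortened cipher list are assumptions, and the `DHParameters` line needs Apache 2.4.8 or later built against OpenSSL 1.0.2 or later.

```apache
# Added example. Host name, paths and the cipher list are assumptions.
# Generate the DH group once, outside Apache:
#   openssl dhparam -out /etc/ssl/private/dhparams.pem 2048

# The stapling cache must be declared at server level, outside <VirtualHost>.
SSLStaplingCache shmcb:/var/run/apache2/ocsp_stapling(128000)

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Weak (mod_ssl default): the client's preference order wins, so a
    # client that lists a CBC suite first gets it even when GCM is offered.
    #   SSLHonorCipherOrder off
    # Corrected: the server's order in SSLCipherSuite is enforced.
    SSLHonorCipherOrder on

    # Forward-secret AEAD suites first, CBC and non-FS suites as fallbacks.
    # Illustrative ordering only; not the recommended intermediate list.
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!RC4:!MD5

    # Weak: Apache releases before 2.4.7 use a fixed 1024-bit DH group
    # for DHE suites, the size the Logjam note above flags.
    # Corrected: point mod_ssl at the 2048-bit group generated above.
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"

    # Staple OCSP responses into the handshake.
    SSLUseStapling on
</VirtualHost>
```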
Due to the recent changes in the SSL Server Test, this now caps at 'B'; https://www.ssllabs.com/ssltest/analyze.html?d=getdpd.com
No change.
No change.
No change. SHA1 certificate expires in five days, perhaps that'll mean an update to SHA2.
Re-poked via email, on the two-month-old ticket.
Still no server-side cipher ordering, no robust Forward Secrecy.
No change.
Unlikely to have changed, closing as unresolved.
SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=getdpd.com (A-)