meteorhacks / mup-frontend-server

Frontend Server for Meteor Up

updating nginx.conf DH security warning #4

Closed tcastelli closed 8 years ago

tcastelli commented 9 years ago

After running the SSL Labs validation I get this for the SSL configuration from the repo's nginx.conf: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B

A way to solve this (from SSL Labs) is to run: openssl dhparam -out dhparams.pem 2048

and in nginx.conf change

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_prefer_server_ciphers on;
ssl_dhparam {path to dhparams.pem};

I was trying to change nginx.conf by creating a volume that replaces the one in /lib but I can't make it work, so since this is a general security concern maybe this repo could be updated with this modification :) (By default we could use a precompiled dhparams.pem, and it could be replaced by the mupx conf file in the ssl section)

arunoda commented 9 years ago

We use this set of ciphers to support older IEs.

Maybe we need to use its modern set of ciphers, forgetting older versions of IE. I think we can do it. I'll do an update soon and publish this.

Then doing mup setup again fixes this.

tcastelli commented 9 years ago

Thanks!

tcastelli commented 9 years ago

I saw this repo being updated to change the problem, but it wasn't published. Is it giving any errors on your tests?

arunoda commented 9 years ago

Actually, I only updated ciphers. But you were asked to provide a custom DHParams pem file. Now I can see it.

We'll have a default file and I'll make sure you can update it manually as well.

tcastelli commented 9 years ago

Okay, thanks :+1:

sferoze commented 9 years ago

I got this same issue. After adding SSL and running a scan using https://www.ssllabs.com I am getting a B report due to: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B

Is this update already pushed? I am running the latest version, 1.5.3.

sferoze commented 9 years ago

I am also getting this warning when visiting my site deployed with mupx ssl support

Your connection to mydomain.com is encrypted using a modern cipher suite. Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.

The connection uses TLS 1.2.

The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.

This warning is shown when I click the little lock icon next to the URL in the browser when I visit my site. The text is shown next to a lock with a yellow !

frabrunelle commented 8 years ago

:+1: It would be great to have this issue solved! I get the following warning from weakdh.org.

Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.

madewithyou commented 8 years ago

Still got a warning for this. And locked to grade B on SSLlabs. It would be really great to solve this https://weakdh.org/. Anyone find a way to solve this?

edmundkwok commented 8 years ago

Tried a fix in my fork. It generates a strong DH key, updates nginx's ssl_ciphers and ssl_dhparam as per https://weakdh.org/sysadmin.html. Getting A+ from https://www.ssllabs.com but please test if it works for you too :)

Also added the image on Docker Hub - edmundkwok/mup-frontend-server so you can do:

docker run edmundkwok/mup-frontend-server

Will submit a PR if it's good with @arunoda :wink:

madewithyou commented 8 years ago

Great @edmundkwok, it works well -> A+. Thanks a lot!

arunoda commented 8 years ago

@edmundkwok Sounds great. Send me a PR.

edmundkwok commented 8 years ago

@guilcorp Thanks for testing, glad it worked for you too! @arunoda Awesome, will send a PR :smile: