Closed tcastelli closed 8 years ago
We use this set of ciphers to support older IEs.
Maybe we need to use its modern set of ciphers, forgetting older versions of IE. I think we can do it. I'll do an update soon and publish this.
Then doing mup setup again will fix this.
Thanks!
I saw this repo being updated to change the problem, but it wasn't published. Is it giving any errors in your tests?
Actually, I only updated ciphers. But you were asked to provide a custom DHParams pem file. Now I can see it.
We'll have a default file and I'll make sure you can update it manually as well.
okay thanks :+1:
I got this same issue. After adding SSL and running a scan using https://www.ssllabs.com I am getting a B report due to: "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B"
Is this update already pushed? I am running the latest version, 1.5.3.
I am also getting this warning when visiting my site deployed with mupx ssl support
Your connection to mydomain.com is encrypted using a modern cipher suite. Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.
The connection uses TLS 1.2.
The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.
This warning is shown when I click the little lock icon next to the URL in the browser when I visit my site. The text is shown next to a lock with a yellow "!".
:+1: It would be great to have this issue solved! I get the following warning from weakdh.org.
Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.
Still got a warning for this. And locked to grade B on SSLlabs. It would be really great to solve this https://weakdh.org/. Anyone find a way to solve this?
Tried a fix in my fork. It generates a strong DH key, updates nginx's ssl_ciphers and ssl_dhparam as per https://weakdh.org/sysadmin.html. Getting A+ from https://www.ssllabs.com but please test if it works for you too :)
Also added the image on Docker Hub - edmundkwok/mup-frontend-server so you can do:
docker run edmundkwok/mup-frontend-server
Will submit a PR if it's good with @arunoda :wink:
Great @edmundkwok, it works well -> A+. Thanks a lot!
@edmundkwok Sounds great. Send me a PR.
@guilcorp Thanks for testing, glad it worked for you too! @arunoda Awesome, will send a PR :smile:
After calling SSL Labs validation I get this from the SSL configuration in the repo's nginx.conf: "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B"
A way to solve this (from SSL Labs) is to run
openssl dhparam -out dhparams.pem 2048
and in nginx.conf change
I was trying to change nginx.conf by creating a volume that replaces the one in /lib but I can't make it work, so since this is a general security concern maybe this repo could be updated with this modification :) (By default we could use a precompiled dhparams.pem, and it could be replaced by the mupx conf file in the ssl section)