Closed nabadger closed 3 years ago
When configured to listen on SSL TLSv1.0 still supported (we should drop it)
| ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Forward Secrecy not supported by any cipher | TLSv1.1: | ciphers: | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Forward Secrecy not supported by any cipher | TLSv1.2: | ciphers: | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Forward Secrecy not supported by any cipher |_ least strength: C
Most likely set min to TLSv1.2:.
Also not sure why we've set a max version tls.VersionTLS12 - should probably avoid specifying this.
Also noted that the error handling around tls certs is poor here (i.e. if the file doesn't exist, so fix that too).
When configured to listen on SSL TLSv1.0 still supported (we should drop it)
Most likely set min to TLSv1.2:.
Also not sure why we've set a max version tls.VersionTLS12 - should probably avoid specifying this.
Also noted that the error handling around tls certs is poor here (i.e. if the file doesn't exist, so fix that too).