standardnotes / forum

Support from other community members. For 1-on-1 help, please contact help@standardnotes.com.
https://forum.standardnotes.org

sync.standardnotes.org TLS1.0 enabled #2003

Closed dddw closed 5 years ago

dddw commented 6 years ago

Hi,

Thanks for this great project. I'm slowly merging all my notes from multiple sources into standardnotes, mainly because encryption is what I lack in my current setup. I did a quick SSL check on sync.standardnotes.org some months ago and it looked perfect; however, TLS1.0 has been dropped recently.

Qualys SSL Labs analysis.

Also I'd like to mention the nice project standardnotes-fs, which is a great addendum!

moughxyz commented 6 years ago

Thanks, I'll have to review our SSL status again soon. Disabling TLS1.0 might alienate older browsers, so I'll just need to make sure we don't hurt any users by doing this.

josharcheruk commented 5 years ago

Not sure if this will be helpful or not but to save you a tiny bit of time, I switched to TLS 1.2 some time back with the following ciphers:

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS';

That should support browsers as old as they can go with TLS 1.2 and still get you PFS. It's been a while since I dived into it, but I remember researching these for some time to get the balance.

My server doesn't support all the modern ciphers as it's due an upgrade, but their inclusion here was to future-proof the upgrade when it did happen, and it doesn't affect older browsers, just some of the more efficient modern algorithms for mobile etc. So, in the Qualys SSL Labs result you'll see it using a smaller subset but still being effective coverage for most browsers; it even works on IE in XP if users have enabled TLS1.2 support.

https://www.ssllabs.com/ssltest/analyze.html?d=forums.squarepenguin.co.uk&s=45.77.91.187&latest

Anyway, hope that helps in some way.
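One thing worth checking before copying a cipher string like the one above: an nginx `ssl_ciphers` list does not by itself disable TLS 1.0. The CBC/HMAC-SHA1 suites in that list (`ECDHE-RSA-AES128-SHA` and friends) are negotiable under TLS 1.0 and 1.1, so the protocol floor has to come from `ssl_protocols TLSv1.2;`. The script below is an added, offline audit of that exact cipher string (example code written for this page, not code from Standard Notes or from the commenter's server): it parses the OpenSSL cipher-string syntax, confirms every included suite uses an ECDHE or DHE key exchange (forward secrecy), separates AEAD suites from the legacy CBC ones, lists which suites a TLS 1.0 client could still negotiate if the protocol floor is missing, and asks the local OpenSSL whether it accepts the string at all. Classification is by the suite name's conventional parts; the `POSTED_CIPHERS` constant is the value from the comment above with the nginx quoting removed.

```python
"""Audit an nginx/OpenSSL `ssl_ciphers` value for forward secrecy and
TLS 1.0 exposure. Added example for this thread; not Standard Notes code."""
import ssl

# The cipher list posted in the thread, without the surrounding nginx quotes.
POSTED_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS"
)

PFS_KEX = ("ECDHE", "DHE")  # ephemeral key exchanges that give forward secrecy


def parse_cipher_string(value):
    """Split an OpenSSL cipher string into (included, excluded) name lists.
    '!X' is a permanent exclusion; '-X' / '+X' reorder or soft-remove and are
    ignored here because they do not add suites."""
    included, excluded = [], []
    for tok in value.strip().strip("';\"").split(":"):
        if not tok:
            continue
        if tok.startswith("!"):
            excluded.append(tok[1:])
        elif tok.startswith(("-", "+")):
            continue
        else:
            included.append(tok)
    return included, excluded


def classify(name):
    """Describe one OpenSSL suite name by its conventional parts."""
    if name.startswith("ECDHE-"):
        kex = "ECDHE"
    elif name.startswith("DHE-"):
        kex = "DHE"
    else:
        kex = "RSA"  # e.g. plain "AES128-SHA": RSA key transport, no forward secrecy
    aead = any(t in name for t in ("GCM", "CHACHA20", "CCM"))
    mac = None if aead else name.rsplit("-", 1)[-1]  # "SHA", "SHA256", "SHA384"
    return {
        "pfs": kex in PFS_KEX,
        "aead": aead,
        "mac": mac,
        # AEAD and SHA-2 HMAC suites are defined for TLS 1.2 only; the CBC +
        # HMAC-SHA1 suites are the ones a TLS 1.0/1.1 client can still negotiate.
        "tls12_only": aead or mac in ("SHA256", "SHA384"),
    }


def audit(value):
    """Return which suites lack PFS, which are AEAD, and which TLS 1.0 could use."""
    included, excluded = parse_cipher_string(value)
    report = {"no_pfs": [], "aead": [], "tls10_capable": [], "excluded": excluded}
    for name in included:
        info = classify(name)
        if not info["pfs"]:
            report["no_pfs"].append(name)
        if info["aead"]:
            report["aead"].append(name)
        if not info["tls12_only"]:
            report["tls10_capable"].append(name)
    return report


def openssl_accepts(value):
    """True if the local OpenSSL can select at least one suite from the string.
    Unknown names are silently ignored by OpenSSL; an empty result raises."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(value.strip().strip("';\""))
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    r = audit(POSTED_CIPHERS)
    print("suites without forward secrecy:", r["no_pfs"])
    print("AEAD suites:", len(r["aead"]))
    print("negotiable by a TLS 1.0 client without ssl_protocols TLSv1.2:", r["tls10_capable"])
    print("accepted by local OpenSSL:", openssl_accepts(POSTED_CIPHERS))
```

For the posted list the audit reports no suite without forward secrecy, eight AEAD suites, and six CBC-SHA1 suites that remain reachable from a TLS 1.0 client, which is why the `ssl_protocols` directive matters as much as the cipher list. To confirm the floor on a live host, `openssl s_client -connect host:443 -tls1` should fail the handshake (on OpenSSL builds that still ship the `-tls1` option at all), and the SSL Labs report should show TLS 1.0 as "No".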

moughxyz commented 5 years ago

Great, thanks for that snippet @PuffinBlue!

moughxyz commented 5 years ago

Sorry, forgot to update this issue. TLS 1.0 was disabled shortly after that last comment.