warsztatywww / aplikacjawww

Web application for scientific summer school
https://warsztatywww.pl
GNU Affero General Public License v3.0

Improve SSL rating #142

Closed gorbak25 closed 4 years ago

gorbak25 commented 4 years ago

https://www.ssllabs.com/ssltest/analyze.html?d=warsztatywww.pl

Right now we have only a B rating. In order to improve our rating we need to configure nginx to use more secure SSL ciphers, let's say for TLS 1.2 a reasonable configuration would be:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

Additionally we could enable TLS 1.3 which is supported by nginx with the following ciphers:

TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_128_GCM_SHA256 (0x1301)

While messing with the nginx configuration we could additionally enable HTTP 2.0

The proposed configuration would result in an A+ rating.

cytadela8 commented 4 years ago

Used server config is https://ssl-config.mozilla.org/#server=nginx&version=1.10.0&config=intermediate&openssl=1.1.1d&guideline=5.4 This config choice assures compatibility with slightly older browsers like those found on mobile devices.

gorbak25 commented 4 years ago

@cytadela8 Still ssllabs shows that 6 older phones which support TLS 1.2 can't connect (mostly iOS).

With my proposed configuration all older phones (tested by ssllabs) can connect and additionally you get an A+ rating: https://www.ssllabs.com/ssltest/analyze.html?d=aenodes.org&s=109.196.118.72

cytadela8 commented 4 years ago

Ssllabs is not a reputable website. Please provide a reputable source for these proposed changes. I suggest we go with Mozilla recommendations.

cytadela8 commented 4 years ago

Also TLS 1.3 is not supported by our version of nginx.

gorbak25 commented 4 years ago

@cytadela8 the proposed configuration is the default nginx ingress configuration used in kubernetes clusters. In order to improve the rating enabling TLS 1.3 is not necessary, all that's necessary is to change the TLS 1.2 cipher suite to not use plain DH.

cytadela8 commented 4 years ago

Please open this issue with upstream: https://github.com/mozilla/ssl-config-generator/

gorbak25 commented 4 years ago

@cytadela8 I've done some research; the problem is that our rating is capped because we are using common DH parameters which might have been broken by state adversaries. Nginx and OpenSSL support custom DH groups and it is recommended to use a custom DH group when possible.

openssl dhparam -out dhparam.pem <bit_size>

where bit_size is either 2048 or 4096 and adding to the nginx configuration:

ssl_dhparam {path to dhparams.pem};

will improve our ssllabs rating.
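The two fixes discussed in this thread (ECDHE-only suites as proposed in the opening comment, and a custom `ssl_dhparam` group as applied at the end) can be checked mechanically before a deploy. The script below is an added example, not code from the aplikacjawww repository: it audits an nginx TLS fragment for finite-field DHE suites that have no `ssl_dhparam` behind them, legacy protocols, and a DH group shorter than 2048 bits, and it shows a weak fragment beside a hardened one. The two config fragments, the `/etc/nginx/dhparam.pem` path and the helper function names are constructed for the example; the cipher names in the hardened fragment are the OpenSSL spellings of the IANA suite names listed earlier in the thread, since nginx's `ssl_ciphers` takes OpenSSL names.

```shell
#!/usr/bin/env bash
# Added example, not code from the aplikacjawww repository: audit an nginx TLS
# fragment for the points argued in this thread. Assumes one directive per line
# and that ssl_ciphers uses OpenSSL suite names (as nginx requires).
set -u

# Print the value of one nginx directive (first occurrence), quotes stripped.
nginx_directive() {  # $1=config file  $2=directive name
  sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\);[[:space:]]*\$/\1/p" "$1" \
    | tr -d '"' | head -n 1
}

# Finite-field DHE suites in ssl_ciphers. Their strength is bounded by the group
# in ssl_dhparam, which is what the SSL Labs cap in this thread was about.
# ECDHE-* names start with "E", so the anchored pattern does not match them.
ffdhe_suites() {  # $1=config file
  nginx_directive "$1" ssl_ciphers | tr ':' '\n' | grep -E '^(DHE|EDH)-' || true
}

# Bit size of the DH group in a PEM file (0 if the file or openssl is unavailable).
# Run this on the deployed host against the path given in ssl_dhparam.
dhparam_bits() {  # $1=dhparam.pem
  { [ -r "$1" ] && command -v openssl >/dev/null; } || { echo 0; return; }
  openssl dhparam -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1 | grep . || echo 0
}

# Generate a custom group, as the thread's fix does. Not run below: a 2048- or
# 4096-bit group takes minutes to generate.
generate_dhparam() {  # $1=output path  $2=bits (2048 or 4096)
  openssl dhparam -out "$1" "$2"
}

# Audit a fragment. Prints one FINDING per line; exit status 0 means no findings.
audit_tls_fragment() {  # $1=config file
  local rc=0 protos dhparam dhe bits
  protos=$(nginx_directive "$1" ssl_protocols)
  dhparam=$(nginx_directive "$1" ssl_dhparam)
  dhe=$(ffdhe_suites "$1")
  case " $protos " in
    *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
      echo "FINDING: legacy protocol enabled (ssl_protocols $protos)"; rc=1 ;;
  esac
  if [ -n "$dhe" ] && [ -z "$dhparam" ]; then
    # Without ssl_dhparam nginx used a built-in 1024-bit group before 1.11.0 and
    # simply cannot negotiate DHE suites from 1.11.0 on (per the nginx docs).
    echo "FINDING: DHE suites ($(echo "$dhe" | tr '\n' ' ')) but no ssl_dhparam"; rc=1
  fi
  if [ -n "$dhparam" ] && [ -r "$dhparam" ]; then
    bits=$(dhparam_bits "$dhparam")
    if [ "$bits" -lt 2048 ]; then
      echo "FINDING: ssl_dhparam group is only $bits bits"; rc=1
    fi
  fi
  return "$rc"
}

WORKDIR=$(mktemp -d)
WEAK_CFG="$WORKDIR/weak.conf"
HARDENED_CFG="$WORKDIR/hardened.conf"

# Constructed weak fragment: DHE suites kept but no custom group, the shape of
# the situation at the start of the thread (not the project's actual config).
cat > "$WEAK_CFG" <<'EOF'
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF

# Constructed hardened fragment: ECDHE suites first (OpenSSL names of the IANA
# suites proposed in the thread), a DHE suite only behind a custom 2048-bit
# group, and HTTP/2 on the listener. The pem path is a placeholder.
#   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384       -> ECDHE-RSA-AES256-GCM-SHA384
#   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -> ECDHE-RSA-CHACHA20-POLY1305
#   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256       -> ECDHE-RSA-AES128-GCM-SHA256
#   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384       -> ECDHE-RSA-AES256-SHA384
#   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256       -> ECDHE-RSA-AES128-SHA256
cat > "$HARDENED_CFG" <<'EOF'
listen 443 ssl http2;
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
# created once on the host with: generate_dhparam /etc/nginx/dhparam.pem 2048
ssl_dhparam /etc/nginx/dhparam.pem;
EOF

for f in "$WEAK_CFG" "$HARDENED_CFG"; do
  echo "== $f"
  audit_tls_fragment "$f" && echo "OK: no findings" || true
done
```

The audit deliberately treats a DHE suite with no `ssl_dhparam` as a finding even on nginx versions that would silently drop the suite, because the intent of the config is then unclear: either drop the DHE suites (the opening comment's approach) or point `ssl_dhparam` at a group you generated yourself and check its size with `dhparam_bits` on the host.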

cytadela8 commented 4 years ago

Replaced dhparams with 2048 bit ones.