Closed Xarthisius closed 6 years ago
@Xarthisius Could you share the specific problems? I just ran ssllabs test and it came back with an A. Is the problem that TLS 1.0 and 1.1 are enabled?
```
$ nmap -sV --script ssl-enum-ciphers -p 443 dashboard.wholetale.org
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-17 11:07 CDT
Nmap scan report for dashboard.wholetale.org (129.114.104.183)
Host is up (0.036s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-server-header: nginx/1.12.1
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
```
We need to get rid of those with grade C. I tried doing that for .dev.wholetale.org with the following changes to the traefik config:

```toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    #MinVersion = "VersionTLS12"
    #CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"]
    MinVersion = "VersionTLS10"
    CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
```

but it actually decreased the rating by SSLlabs...
Using your commented config above on staging with min version 1.1:

```toml
[entryPoints.https.tls]
MinVersion = "VersionTLS11"
CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"]
```

nmap looks happy (no Cs):
```
$ nmap -sV --script ssl-enum-ciphers -p 443 dashboard.stage.wholetale.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-19 11:56 CDT
Nmap scan report for dashboard.stage.wholetale.org (149.165.168.151)
Host is up (0.0027s latency).
rDNS record for 149.165.168.151: girder.stage.wholetale.org
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-server-header: nginx/1.14.0
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
```
Qualys SSL Labs gives an A.
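The two checks this thread does by eye, reading the `ssl-enum-ciphers` output for weak suites and judging a Traefik `MinVersion`/`CipherSuites` setting, can be scripted so the same policy is applied to every scan and every config change. The block below is an added example written for this page; it is not WholeTale or Traefik code. The nmap output it parses is a constructed sample in the script's layout (the parser also accepts the de-indented form shown in the comments above), and the policy it applies (TLS 1.2 minimum, no 3DES/RC4/NULL/EXPORT, forward-secret ECDHE/DHE key exchange, AEAD rather than CBC) is the editor's reading of the Mozilla guidance linked in this issue, not an SSL Labs grading rule.

```python
"""Cipher-suite policy check over nmap ssl-enum-ciphers output and a
Traefik/Go-style MinVersion + CipherSuites setting (added example)."""
import re

# Constructed sample in the ssl-enum-ciphers layout; not a capture of any real host.
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# Protocol header lines ("|   TLSv1.0:") and cipher lines ("|   NAME (rsa 4096) - A").
PROTO_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv3):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")


def parse_enum_ciphers(text):
    """Return {protocol: [(cipher_name, nmap_grade), ...]} from script output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(3)))
    return result


def cipher_findings(name):
    """Policy reasons to drop a suite; an empty list means it is acceptable."""
    reasons = []
    if any(bad in name for bad in ("3DES", "RC4", "NULL", "EXPORT")):
        reasons.append("weak/legacy bulk cipher")
    if not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        reasons.append("no forward secrecy (static RSA key exchange)")
    if "_CBC_" in name:
        reasons.append("CBC mode (prefer AEAD: GCM or CHACHA20_POLY1305)")
    return reasons


def audit_scan(text):
    """Flag every (protocol, cipher, reason) triple in a scan that fails policy."""
    findings = []
    for proto, ciphers in parse_enum_ciphers(text).items():
        if proto in ("SSLv3", "TLSv1.0", "TLSv1.1"):
            findings.append((proto, "*", "protocol below TLS 1.2 offered"))
        for name, grade in ciphers:
            reasons = cipher_findings(name)
            if grade != "A":
                reasons.append("nmap grade " + grade)  # nmap's own judgement
            findings.extend((proto, name, r) for r in reasons)
    return findings


# Go crypto/tls version constant names, as used in Traefik's MinVersion.
GO_VERSION_ORDER = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]


def lint_tls_config(min_version, cipher_suites):
    """Apply the same policy to a proposed MinVersion and CipherSuites list."""
    problems = []
    if GO_VERSION_ORDER.index(min_version) < GO_VERSION_ORDER.index("VersionTLS12"):
        problems.append("MinVersion %s allows TLS 1.0/1.1" % min_version)
    for name in cipher_suites:
        problems.extend("%s: %s" % (name, r) for r in cipher_findings(name))
    return problems


if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_NMAP_OUTPUT):
        print("scan:", *finding)
    # The first config tried in this thread (TLS 1.0 plus static-RSA CBC suites).
    for problem in lint_tls_config("VersionTLS10", [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
    ]):
        print("config:", problem)
```

Run against the first config in this thread, the linter reports the TLS 1.0 floor and flags both `TLS_RSA_WITH_AES_*_CBC_SHA` suites for static RSA key exchange and CBC mode; the commented-out ECDHE/AEAD list with `VersionTLS12` comes back clean. Pipe real `nmap --script ssl-enum-ciphers` output into `audit_scan` to get the same per-protocol findings the thread reads off the grade column.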
Security audit found that:
See https://mozilla.github.io/server-side-tls/ssl-config-generator/