[FOSDEM] fosdem.org does not support TLS 1.[12]

Tom Marble tmarble at info9.net
Wed Jan 15 17:06:19 CET 2014


All:

As everyone in our community can benefit from improving security
I thought I would share this observation with everyone.

I recently realized that Iceweasel, by default, is not configured
to not support the recent versions of TLS yet it accepts weak ciphers.

You can check your browser here (notably TLS version)
https://www.howsmyssl.com/

Here's how to fix this in Firefox
http://kb.mozillazine.org/Security.tls.version.*
I set security.tls.version.min = 2 (require at least TLS 1.1)
I set security.tls.version.max = 3 (support TLS 1.2)

As for the accepted ciphers I went to about:config, searched
for RC4 and set all variables to false. Now when I encounter
a website that insists on TLS 1.0 or RC4 I know it's
insecure (and I load it in another, vulnerable browser).

That's how I found fosdem.org doesn't support TLS 1.1 or 1.2.

Server Check
https://www.ssllabs.com/ssltest/analyze.html?d=fosdem.org
Currently TLS 1.1 and 1.2 are not supported!

Server Fix (TLS versions and cipher suites for PFS)
https://wiki.mozilla.org/Security/Server_Side_TLS

For example on my server I favor PFS and completely disable RC4, for example:

SSLProtocol             all -SSLv2
SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
SSLHonorCipherOrder     on
SSLCompression          off

Stay safe out there!

--Tom


More information about the FOSDEM mailing list