Thursday, July 13, 2017 at 9:25:14 PM

Hi David,

> How do we modify 4D Server to use a key exchange Chrome won’t shame?


Just went down that path myself.

Here's a tech note that has all the details:

10-07_SSLKeys_CipherList

Here's a thread discussing it:

http://4d.1045681.n5.nabble.com/RE-Most-Current-Cipher-List-for-4D-and-questions-regarding-OpenSSL-versions-being-used-td5749137.html#none

Basically you want to call the following (before you start the web server):

SET DATABASE PARAMETER (SSL cipher list ; $vList)

where you set $vList to something like (recommended by Tim Penner):

$vList:="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-"+"SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:A"+"ES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"

The key bit is at the end, "!RC4", which removes this from the cipher list and 
should make Chrome happy.

Also make sure your SSL certificate has been generated with SHA2 algorithm; if 
you have an older one with SHA1, browsers will complain about that, too. 
Nothing you can do in 4D to fix that; has to be a new certificate.

Cheers!

--Mike--

------------------

On Jul 13, 2017, at 8:29 PM, David Ringsmuth <[email protected]> wrote:

> Chrome is security shaming one of my sites with:
> 
> The connection to this site uses a strong protocol (TLS 1.2), an obsolete key 
> exchange (RSA), and a strong cipher (AES_128_GCM).
> 
> How do we modify 4D Server to use a key exchange Chrome won’t shame?
> 
> Cipher list:
> ECDHE-ECDSA-CHACHA20-POLY1305
> ECDHE-RSA-CHACHA20-POLY1305
> ECDHE-ECDSA-AES128-GCM-SHA256
> ECDHE-RSA-AES128-GCM-SHA256
> ECDHE-ECDSA-AES256-GCM-SHA384
> ECDHE-RSA-AES256-GCM-SHA384
> DHE-RSA-AES128-GCM-SHA256
> DHE-RSA-AES256-GCM-SHA384
> ECDHE-ECDSA-AES128-SHA256
> ECDHE-RSA-AES128-SHA256
> ECDHE-ECDSA-AES128-SHA
> ECDHE-RSA-AES256-SHA384
> ECDHE-RSA-AES128-SHA
> ECDHE-ECDSA-AES256-SHA384
> ECDHE-ECDSA-AES256-SHA
> ECDHE-RSA-AES256-SHA
> DHE-RSA-AES128-SHA256
> DHE-RSA-AES128-SHA
> DHE-RSA-AES256-SHA256
> DHE-RSA-AES256-SHA
> ECDHE-ECDSA-DES-CBC3-SHA
> ECDHE-RSA-DES-CBC3-SHA
> EDH-RSA-DES-CBC3-SHA
> AES128-GCM-SHA256
> AES256-GCM-SHA384
> AES128-SHA256
> AES256-SHA256
> AES128-SHA
> AES256-SHA
> DES-CBC3-SHA
> 
> David Ringsmuth
> 
> _______________________________________________
> Active4D-dev mailing list
> [email protected]
> http://list.aparajitaworld.com/listinfo/active4d-dev
> Archives: http://active4d-nabble.aparajitaworld.com/

_______________________________________________
Active4D-dev mailing list
[email protected]
http://list.aparajitaworld.com/listinfo/active4d-dev
Archives: http://active4d-nabble.aparajitaworld.com/
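The Chrome message quoted in David's post names the key exchange ("RSA") as the obsolete part: in a TLS 1.2 suite whose OpenSSL name has no ECDHE-/DHE- prefix (for example AES128-GCM-SHA256) the session key is encrypted under the server's certificate key, so there is no forward secrecy. The script below is an added example, not code from this thread, from 4D or from OpenSSL. It splits a colon-separated OpenSSL cipher list into concrete suite names and directives, classifies each suite by key exchange from its name, and builds a variant with the static-RSA suites dropped. The input is constructed from the suite names David listed; the function names, the name heuristic and the report layout are this example's own. `kRSA` is OpenSSL's real alias for RSA key exchange.

```python
"""Audit an OpenSSL-style cipher list for the key exchange Chrome flags.

Added example for this thread; not code from the thread, from 4D or from
OpenSSL. Suite names that carry no ECDHE-/DHE- prefix are TLS_RSA_* suites:
the client encrypts the session secret under the server's RSA key, so a
later compromise of that key exposes recorded sessions.
"""
from dataclasses import dataclass

# Constructed input: the suite names from the quoted post, joined with ':'
# as OpenSSL's cipher-list syntax expects.
POSTED_CIPHER_LIST = ":".join([
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-DES-CBC3-SHA", "ECDHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "AES128-SHA256", "AES256-SHA256", "AES128-SHA", "AES256-SHA",
    "DES-CBC3-SHA",
])


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str   # "ECDHE", "DHE" or "RSA" (static RSA, no forward secrecy)
    legacy_bulk: bool   # 3DES or RC4 bulk cipher


def classify(name: str) -> Suite:
    """Derive key exchange and bulk-cipher class from an OpenSSL suite name."""
    if name.startswith("ECDHE-"):
        kex = "ECDHE"
    elif name.startswith(("DHE-", "EDH-")):
        kex = "DHE"
    else:
        # No (EC)DHE prefix, e.g. AES128-GCM-SHA256: RSA key transport.
        kex = "RSA"
    return Suite(name, kex, "DES-CBC3" in name or "RC4" in name)


def is_suite_name(token: str) -> bool:
    """Heuristic (this example's own): a concrete suite name contains '-' and
    none of '!', '+', '@'; tokens such as HIGH, EECDH+AESGCM or !RC4 are
    OpenSSL aliases or directives rather than suites."""
    return "-" in token and not any(c in token for c in "!+@")


def split_cipher_list(cipher_list: str):
    """Separate concrete suite names from aliases/directives, keeping order."""
    suites, directives = [], []
    for token in filter(None, cipher_list.split(":")):
        (suites if is_suite_name(token) else directives).append(token)
    return suites, directives


def audit(cipher_list: str) -> dict:
    """Group the suites by the property a browser would report."""
    suites, directives = split_cipher_list(cipher_list)
    classified = [classify(s) for s in suites]
    return {
        "forward_secret": [s.name for s in classified if s.key_exchange != "RSA"],
        "static_rsa": [s.name for s in classified if s.key_exchange == "RSA"],
        "legacy_bulk": [s.name for s in classified if s.legacy_bulk],
        "directives": directives,
    }


def without_static_rsa(cipher_list: str) -> str:
    """Drop static-RSA suites and append '!kRSA'.

    kRSA is OpenSSL's alias for RSA key exchange; the '!' exclusion is
    permanent, so it also removes static-RSA suites that an alias such as
    HIGH would otherwise expand to.
    """
    kept = [
        token for token in filter(None, cipher_list.split(":"))
        if not (is_suite_name(token) and classify(token).key_exchange == "RSA")
    ]
    if "!kRSA" not in kept:
        kept.append("!kRSA")
    return ":".join(kept)


if __name__ == "__main__":
    report = audit(POSTED_CIPHER_LIST)
    for group, names in report.items():
        print(f"{group} ({len(names)}):")
        for n in names:
            print("   ", n)
    print("\nList without static RSA key exchange:\n", without_static_rsa(POSTED_CIPHER_LIST))
```

The same `audit` call can be run over any colon-separated list, including the string handed to SET DATABASE PARAMETER before the web server starts; the "static_rsa" group is what a TLS 1.2 client can still negotiate when the server has not excluded RSA key exchange, and the "legacy_bulk" group is the 3DES entries a browser would also report as obsolete. The certificate signature algorithm (SHA-1 versus SHA-2) mentioned in the reply is a separate property of the certificate itself and is not visible in the cipher list.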