On 01.09.2015 at 16:43, Jeffrey Walton wrote:

>> May I further "criticize" that the HTTPS version of the wiki
>> causes a mixed content warning although it only loads from
>> cryptopp.com <http://cryptopp.com> and www.cryptopp.com
>> <http://www.cryptopp.com>?
>
> OK, I thought we cleared the mixed content warnings. Can you provide
> specific information, like a URL that produces the mixed content warning?

Well, I had this warning when I wrote the mail, but I can't reproduce it right now. I think you may have fixed it or I interrupted you while you were fixing it :)

>> May I further question the web server's cipher suite preference?
>> It prefers TLS_RSA_WITH_AES_256_CBC_SHA over
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. It looks like it's
>> configured like something HIGH:MEDIUM:@STRENGTH.
>> Personally I'd prefer
>> "EECDH+aRSA+AESGCM:EECDH+aRSA+AES:+EECDH+aRSA+AES+SHA1", which
>> enforces ECDHE and RSA and prefers GCM over CBC+SHA2 over CBC+SHA1.
>
> Here are the two settings of interest from /etc/httpd/conf.d/ssl.conf:
>
> SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

I'm not sure if we need to support TLS v1.1 or if we can drop it. The standard server test tells me we can drop it: https://www.ssllabs.com/ssltest/analyze.html?d=cryptopp.com as every client either negotiates v1.2 or v1.0 but none bothers negotiating v1.1.

> SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
>
> Out of curiosity, what part of the site needs forward secrecy?
> Everything that can be downloaded over HTTPS is available over HTTP,
> and it's available to everyone.

The Log-In page? And you may also call it personal preference to optimize such things which can be fixed by a single line replacement. And as optimal I'd consider doing GCM whenever possible and requiring ECDHE and AES as there's no good excuse not to support it today IMO.
BR
JPM

> Jeff
>
> --
> --
> You received this message because you are subscribed to the "Crypto++
> Users" Google Group.
> To unsubscribe, send an email to
> [email protected].
> More information about Crypto++ and this group is available at
> http://www.cryptopp.com.
> ---
> You received this message because you are subscribed to the Google
> Groups "Crypto++ Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected]
> <mailto:[email protected]>.
> For more options, visit https://groups.google.com/d/optout.
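As an added example (not code from this thread or from the Crypto++ project), the script below lets the local OpenSSL, via Python's ssl module, expand the two SSLCipherSuite strings quoted above and audits the resulting preference order against the policy argued for: ECDHE on every suite (forward secrecy), GCM ahead of CBC+SHA2 ahead of CBC+SHA1. It assumes a Python build linked against OpenSSL, and note that Apache only applies the server-side order when SSLHonorCipherOrder is on, a directive that is not among the two ssl.conf lines quoted.

```python
"""Audit the preference order an OpenSSL cipher string produces.
The tier() policy is the one argued for in the thread, not Crypto++ code."""
import re
import ssl

# SSLCipherSuite values from the thread: the server's setting and the proposed one
CURRENT_STRING = "HIGH:!aNULL:!MD5:!RC4"
PROPOSED_STRING = "EECDH+aRSA+AESGCM:EECDH+aRSA+AES:+EECDH+aRSA+AES+SHA1"

# Preference reported for the server in the thread (IANA names, as quoted)
OBSERVED_2015 = ["TLS_RSA_WITH_AES_256_CBC_SHA",
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]


def expand(cipher_string):
    """Expand a cipher string into the TLS<=1.2 suite order the local OpenSSL
    would offer; TLS 1.3 suites are configured separately and are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def tier(name):
    """Rank a suite (OpenSSL or IANA name) by the thread's policy:
    0 = ECDHE + AES-GCM, 1 = other ECDHE suites (CBC+SHA2 in the thread's terms),
    2 = ECDHE + CBC + SHA1, 3 = no ECDHE, i.e. no forward secrecy."""
    if not re.search(r"ECDHE[-_]", name):
        return 3
    if "GCM" in name:
        return 0
    # OpenSSL names HMAC-SHA1 suites with a bare "-SHA", IANA with "_SHA"
    if name.endswith(("-SHA", "_SHA")):
        return 2
    return 1


def audit(order):
    """Return (no_pfs, misordered): suites without forward secrecy, and suites
    the server prefers ahead of a strictly better-tier suite."""
    no_pfs = [n for n in order if tier(n) == 3]
    misordered = [n for i, n in enumerate(order)
                  if any(tier(m) < tier(n) for m in order[i + 1:])]
    return no_pfs, misordered


if __name__ == "__main__":
    print("observed 2015 order:", audit(OBSERVED_2015))
    for label, s in (("current", CURRENT_STRING), ("proposed", PROPOSED_STRING)):
        order = expand(s)
        print(f"{label}: {len(order)} suites, first {order[0]}, audit {audit(order)}")
```

The result for the current string depends on the OpenSSL version doing the expansion (newer releases already sort ECDHE first under HIGH), which is exactly why the proposed string spells the order out instead of relying on the default.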
