> > May I further "criticize" that the HTTPS version of the wiki causes a >> mixed content warning although it only loads from cryptopp.com and >> www.cryptopp.com? >> > > OK, I thought we cleared the mixed content warnings. Can you provide > specific information, like a URL that produces the mixed content warning? > > Well, I had this warning when I wrote the mail, but I can't reproduce > right now. I think you may have fixed it or I interrupted you while you > we're fixing it :) >
Yeah, this may have been the logo on the wiki. It was being served over HTTP. It was one of the last changes made. But I was not getting a mixed content warning about it from Firefox (the half shield). Instead, I got the site does not identify itself warning (the triangle with the exclamation point). I wrote that off as a non-EV certificate. > > >> May I further question the web server's cipher suite preference? It >> prefers TLS_RSA_WITH_AES_256_CBC_SHA over >> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 it looks like it's configured like >> something HIGH:MEDIUM:@STRENGTH >> Personally I'd prefer >> "EECDH+aRSA+AESGCM:EECDH+aRSA+AES:+EECDH+aRSA+AES+SHA1" which enforces >> ECDHE and RSA and prefers GCM over CBC+SHA2 over CBC+SHA1. >> > > Here are the two settings of interest from /etc/httpd/conf.d/ssl.conf : > > SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 > > I'm not sure if we need to support TLS v1.1 or if we can drop it. > The standard server test tells me we can drop it: > https://www.ssllabs.com/ssltest/analyze.html?d=cryptopp.com > as every client either negotiates v1.2 or v1.0 but none bothers > negotiating v1.1. > I don't think it matters, and it simplifies things for non-conforming TLS user agents. That is, most of the world uses TLS record layer version as a "min" version, and the client's TLS protocol version as a "max" version. There's no room for wholes. The IETF refuses to document the "min" and "max" TLS versions even though most user agents conform to it (https://www.ietf.org/mail-archive/web/tls/current/msg16440.html). Instead, we get those silly browser dances like TLS_FALLBACK_SCSV. Jeff -- -- You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com. --- You received this message because you are subscribed to the Google Groups "Crypto++ Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
