On Sat, 7 Mar 2015 14:33:20 +0000 (UTC) Stuart Henderson wrote: > I just tried a handful of online banking sites in the qualys checker. > Only *one* of the ones I tried (nice job triodos) supports PFS at all.
Cool, we opened an account with triodos last week too. I always knew SSL allows DOS amplification and so enforce it sparingly and hope "let's encrypt" never make ssl everywhere (apparently it's goal stated by eff) a requirement and that sites don't get penalised for actually being more correct (secure flagged cookies and http forced where it's not needed and https forced where it is). Checking my server it seems my pf.conf isn't quite as useful as I thought due to renegotiation DOS. Do you have to recompile to make libressl use one tcp connection for each ssl connection? "https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks?_ga=1.63559143.959666665.1426613959"; And I need to upgrade my certs to sha2. I assumed they already were and will have to work out if it's my knobless csr generation or startssl's cert creation? Fingerprint: 075ef0c469bd99fecc1545c018ab70eaee3703ef RSA 2048 bits (e 65537) / SHA1withRSA WEAK SIGNATURE 2 Sent by server StartCom Class 1 Primary Intermediate Server CA Fingerprint: f691fc87efb3135354225a10e127e911d1c7f8cf RSA 2048 bits (e 65537) / SHA1withRSA WEAK SIGNATURE 3 In trust store StartCom Certification Authority Self-signed Fingerprint: a3f1333fe242bfcfc5d14e8f394298406810d1a0 RSA 4096 bits (e 65537) / SHA256withRSA
