I will note that we should be disabling SSL3 too, and TLS 1.0 and 1.1 next year.
(moved to dev list where it is more appropriate)

Chris

On Jul 5, 2019, 05:32 +0100, ferrit...@yahoo.com, wrote:
> Little more than a week ago I posted about the Security Certs for NS 3.8. I
> was not aware at that time that NS 3.9 was already available (I was using a
> link provided for D/L of 3.8). Since there have been other bugs/problems, I
> thought to provide the actual results. The location of this Qualys Client
> Test is
>
> https://www.ssllabs.com/ssltest/viewMyClient.html
>
> Presuming the Certs are within NS 3.8, it would appear that the "weak" certs
> be removed for added security. I did not receive an answer to the question if
> the certs are tapped from the Distribution or the Browser. So, here are the
> results...
>
>
> Protocols
> TLS 1.3    No
> TLS 1.2    Yes*
> TLS 1.1    Yes*
> TLS 1.0    Yes*
> SSL 3      Yes*
> SSL 2      No
>
> Cipher Suites (in order of preference)
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) WEAK 256
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) WEAK 256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) WEAK 128
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) WEAK 128
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) Forward Secrecy 256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) WEAK 256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) WEAK 128
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) WEAK 256
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) WEAK 256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) WEAK 128
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) WEAK 128
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) WEAK 256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) WEAK 128
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff) -
> (1) When a browser supports SSL 2, its SSL 2-only suites are shown only on
> the very first connection to this site. To see the suites, close all browser
> windows, then open this exact page directly. Don't refresh.
>
> Protocol Details
> Server Name Indication (SNI)            Yes
> Secure Renegotiation                    Yes
> TLS compression                         No
> Session tickets                         Yes
> OCSP stapling                           No
> Signature algorithms                    SHA512/RSA, SHA512/DSA, SHA512/ECDSA, SHA384/RSA,
> SHA384/DSA, SHA384/ECDSA, SHA256/RSA, SHA256/DSA, SHA256/ECDSA, SHA224/RSA,
> SHA224/DSA, SHA224/ECDSA, SHA1/RSA, SHA1/DSA, SHA1/ECDSA
> Named Groups                            secp256r1, secp521r1, brainpoolP512r1, brainpoolP384r1,
> secp384r1, brainpoolP256r1, secp256k1, sect571r1, sect571k1, sect409k1,
> sect409r1, sect283k1, sect283r1
> Next Protocol Negotiation               Yes
> Application Layer Protocol Negotiation  No
> SSL 2 handshake compatibility           No
>
>
> Regards
> Paul S. in CT