[Dspace-tech] Recommended TLS cipher suite for sites using HTTPS
Hey, all.

I was just having a look at a few institutional DSpace instances, and noticing that they are using sub-par cryptography. Unless you have a specific need to use SHA1, AES-CBC, RC4, MD5, or non-DHE RSA, you should REALLY be using the TLS cipher suite from this Mozilla guide:

https://wiki.mozilla.org/Security/Server_Side_TLS

They have copy/paste-able strings for Apache httpd and Nginx web servers. Obviously test in a development server first... but really, this is a trivial change. You went to the trouble of buying TLS certs and setting up HTTPS, so you might as well do it right!

--
Alan Orth
alan.o...@gmail.com
http://alaninkenya.org
http://mjanja.co.ke

"I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone." -Bjarne Stroustrup, inventor of C++

GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0

___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS
Hi Alan

Any advice here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/Secure_Internet_Connections would be appreciated.

Cheers

hg

*Hilton Gibson*
Ubuntu Linux Systems Administrator
JS Gericke Library
Room 1025C
Stellenbosch University
Private Bag X5036
Stellenbosch 7599
South Africa
Tel: +27 21 808 4100 | Cell: +27 84 646 4758

On 13 September 2014 19:59, Alan Orth alan.o...@gmail.com wrote:
> Hey, all. I was just having a look at a few institutional DSpace instances, and noticing that they are using sub-par cryptography. Unless you have a specific need to use SHA1, AES-CBC, RC4, MD5, or non-DHE RSA, you should REALLY be using the TLS cipher suite from this Mozilla guide: https://wiki.mozilla.org/Security/Server_Side_TLS
> [...]
Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS
On Sat, Sep 13, 2014 at 8:43 PM, Hilton Gibson hilton.gib...@gmail.com wrote:
> Any advice here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/Secure_Internet_Connections would be appreciated.

See the ciphers attribute here:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS
Thx Helix

Who is the arbiter of safe ciphers? I am not a cipher expert.

Cheers

hg

*Hilton Gibson*
Ubuntu Linux Systems Administrator
JS Gericke Library
Room 1025C
Stellenbosch University
Private Bag X5036
Stellenbosch 7599
South Africa
Tel: +27 21 808 4100 | Cell: +27 84 646 4758

On 13 September 2014 21:00, helix84 heli...@centrum.sk wrote:
> On Sat, Sep 13, 2014 at 8:43 PM, Hilton Gibson hilton.gib...@gmail.com wrote:
>> Any advice here: http://wiki.lib.sun.ac.za/index.php/SUNScholar/Secure_Internet_Connections would be appreciated.
>
> See the ciphers attribute here:
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
> [...]
Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS
On Sat, Sep 13, 2014 at 9:05 PM, Hilton Gibson hilton.gib...@gmail.com wrote:
> Who is the arbiter of safe ciphers? I am not a cipher expert.

There's no arbiter. The set changes over time as new vulnerabilities are found in existing ciphers and new ciphers are developed to mitigate those attack vectors. A cipher might look good on paper, but only widespread use reveals its weaknesses. Then there is the natural deprecation of shorter key sizes, which is required as new computers get faster. Furthermore, errors exist in PRNGs, which encryption vitally depends on.

The only way is to keep up to date on this information. That's why the Mozilla list Alan mentioned helps - they watch it for you and give you their recommendations.

Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
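Added example, not part of the thread and not code from DSpace, Mozilla or Tomcat: a small Python audit that applies the criteria from Alan's first post (SHA1, AES-CBC, RC4, MD5, non-DHE RSA) to a list of OpenSSL-style suite names, the form used in Apache's SSLCipherSuite, Nginx's ssl_ciphers and the Tomcat connector `ciphers` attribute helix84 pointed at. It also asks the local OpenSSL what a pasted cipher string actually expands to, which is the thing to re-run whenever the Mozilla recommendations change, as helix84 notes they will. The suite list and the cipher string in main() are constructed for illustration (the string is in the style of the Mozilla guide, not its actual text); classification is by name pattern only, and TLS 1.3 names (TLS_AES_*, TLS_CHACHA20_*) pass by design since they always use ephemeral key exchange and AEAD ciphers.

```python
"""Flag TLS cipher suites that fail the criteria from the thread:
SHA1, AES-CBC, RC4, MD5, and non-DHE RSA (static RSA key exchange).

Added example, not code from DSpace, Mozilla or Tomcat. Works on
OpenSSL-style suite names, the form used in Apache SSLCipherSuite,
Nginx ssl_ciphers and the Tomcat connector `ciphers` attribute.
"""
import ssl
from typing import Dict, List

# Constructed sample list, in the shape `openssl ciphers -v '<spec>'`
# prints, mixing modern suites with legacy ones.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
]

# Key exchange prefixes that give forward secrecy. Plain "AES128-SHA"
# style names have no prefix: they use static RSA key transport, so a
# leaked server key decrypts recorded traffic.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# Bulk cipher modes that are AEAD rather than CBC.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def audit_suite(name: str) -> List[str]:
    """Return the problems with one suite name, in a fixed order
    (key exchange, bulk cipher, MAC). Empty list means it passes."""
    up = name.upper()
    # TLS 1.3 suites always use ephemeral key exchange and AEAD
    # ciphers; nothing in them to flag.
    if up.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return []
    problems: List[str] = []
    if not up.startswith(FORWARD_SECRET_PREFIXES):
        problems.append("non-DHE RSA")
    if "RC4" in up:
        problems.append("RC4")
    elif "DES" in up:
        problems.append("CBC (3DES/DES)")
    elif "AES" in up and not any(m in up for m in AEAD_MARKERS):
        # OpenSSL names drop the word CBC: AES128-SHA is AES-128-CBC.
        problems.append("AES-CBC")
    if "MD5" in up:
        problems.append("MD5")
    elif up.endswith("-SHA"):
        # A bare "-SHA" suffix is HMAC-SHA1; -SHA256/-SHA384 are not.
        problems.append("SHA1")
    return problems


def audit(suites: List[str]) -> Dict[str, List[str]]:
    """Audit a whole list; keeps input order."""
    return {s: audit_suite(s) for s in suites}


def expand_cipher_string(spec: str) -> List[str]:
    """Ask the local OpenSSL what a cipher string selects, so the
    string you paste into httpd/nginx/Tomcat can be audited as the
    concrete suites it enables. Returns [] if nothing matches
    (recent OpenSSL builds no longer ship RC4 at all)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def main() -> None:
    for suite, problems in audit(SAMPLE_SUITES).items():
        verdict = "ok" if not problems else "WEAK: " + ", ".join(problems)
        print(f"{suite:32} {verdict}")
    # Constructed spec in the style of the Mozilla recommendations,
    # not their actual string; the expansion depends on local OpenSSL.
    spec = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"
    expanded = expand_cipher_string(spec)
    weak = [s for s in expanded if audit_suite(s)]
    print(f"\n{spec}\n-> {len(expanded)} suites, {len(weak)} flagged")


if __name__ == "__main__":
    main()
```

Run it as-is to see the sample verdicts, or feed expand_cipher_string() the exact string from your httpd, nginx or Tomcat config and audit the result; the Mozilla strings should produce zero flagged suites on a current OpenSSL, and anything that still flags "non-DHE RSA" or "SHA1" is a sign the config or the OpenSSL build is older than the recommendation.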