[BlueOnyx:21833] https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-13 Thread Dirk Estenfeld
Hello Michael,

blueonyx server with enabled SSL actually only get a B rating at https://www.ssllabs.com/ssltest/analyze.html

Reasons for that:
- Forward Secrecy is not enabled
- Certificate Transparency is not available
- existing of Weak Ciphers: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEA

[BlueOnyx:21834] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-13 Thread Dirk Estenfeld
Hello again, here is a new suggestion for only accepting strong ciphers and with PFS enabled: SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-A

[BlueOnyx:21835] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-13 Thread Michael Stauber
Hi Dirk,

> blueonyx server with enabled SSL actually only get a B rating at
> https://www.ssllabs.com/ssltest/analyze.html

What the hell? I had checked it just a few days ago and we were getting a rock solid "A" with them. If so, then their evaluation criteria must just have changed or something

[BlueOnyx:21836] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-13 Thread Michael Stauber
Hi Dirk, Before we go any further: Please do a "yum clean all" and "yum update" and restart Apache. Then check if you have an intermediate cert (if you need one) for the GUI and for the Vsite in question. Then check again with SSLlab. Test once against the FQDN of the server, then once against the

[BlueOnyx:21837] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-13 Thread Dirk Estenfeld
Hello Michael,

are there different Ciphers for your and other 5209R Servers?

Please check:
https://www.ssllabs.com/ssltest/analyze.html?d=www.eloquia.com
and
https://www.ssllabs.com/ssltest/analyze.html?d=www.excite-werbeagentur.de
both 5209R and both B-Rating

Funny fact A 5208R (Sci

[BlueOnyx:21838] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-13 Thread Dirk Estenfeld
Hello Michael,

the servers are fully updated. I explicitly did a "yum clean all" and "yum update". I did an additional test with a site where I did enable SSL today. However my result is always B with missing PFS.

> > here is a new suggestion for only accepting strong ciphers and with PFS
> > enable

[BlueOnyx:21839] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-13 Thread Michael Stauber
Hi Dirk,

> are there different Ciphers for your and other 5209R Servers?

During the base-apache updates in the last 2-3 weeks to deal with the SSL issues I went in and optimized our ciphers a little further. The ciphers themselves didn't change much and it was just a small tweak. But I also turned

[BlueOnyx:21840] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

2018-03-13 Thread Michael Stauber
Hi Dirk,

>> This doesn't work on EL7 or EL6. If this exact SSLCipherSuite is used,
>> Apache fails to restart:
>
> No this is not correct.
>
> I did replace the original SSLCipherSuite within a site with the
> SSLCipherSuite I posted and it is working with an A rating and no WEAK Ciphers

Yeah, I

[BlueOnyx:21841] Re: Suggested new SSLCipherSuite

2018-03-13 Thread Michael Stauber
Hi Dirk,

> SSLCipherSuite
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SH

[BlueOnyx:21842] Let's Encrypt Error - path could not be determined

2018-03-13 Thread Richard Morgan :: Morgan Web
I have created a completely new site, nothing has been uploaded and I try and create a new Let's Encrypt Cert and get the following error: - The following error occurred during the SSL certificate request: The installation path for the certificates could not be determined. I've che

[BlueOnyx:21843] Re: Let's Encrypt Error - path could not be determined

2018-03-13 Thread Michael Stauber
Hi Richard,

> I’ve checked DNS is OK, there is nothing in .htaccess but there is also
> no letsencrypt.log that I can find either. I can see some entries in
> /var/log/messages but no detail.

The log is usually here: /var/log/letsencrypt/letsencrypt.log

Please check if your certbot executable th

[BlueOnyx:21844] FW: Let's Encrypt Error - path could not be determined

2018-03-13 Thread Richard Morgan :: Morgan Web
Please ignore, it was a python-tools conflict that has been seen before. Thanks.

Fixed with:

rpm -e python27-tools-2.7.10-1.el6.x86_64

From: Richard Morgan :: Morgan Web [mailto:rich...@morgan-web.co.uk]
Sent: 13 March 2018 17:07
To: 'BlueOnyx General Mailing List'
Subject: Let's Encrypt E

[BlueOnyx:21845] Re: FW: Let's Encrypt Error - path could not be determined

2018-03-13 Thread Michael Stauber
Hi Richard,

> Please ignore, it was a python-tools conflict that has been seen before.

Very well.

--
With best regards
Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx

[BlueOnyx:21846] Let's Encrypt releases wildcard support

2018-03-13 Thread Michael Stauber
Hi all,

Let's Encrypt releases wildcard support

See: https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

There are a few catches, though:

- Wildcard LE certificates are only available if ACMEv2 protocol is used during the certificate request. We use "certb