Ah. Thank you! :-)

On Tue, 15 Aug 2017 at 14:06, Ronan Viel <[email protected]> wrote:

> Hi,
>
> SSL Labs don’t like 3DES whose key length is considered 112 bits and not
> 168 bits because it may be subject to a meet-in-the-middle attack.
> Remove it by adding the line below to your server definition:
> tls cipher "HIGH:!aNULL:!3DES"
>
> Ronan
>
> > On 15 August 2017 at 09:54, Andreas Thulin <[email protected]> wrote:
> >
> > Hi!
> >
> > I run httpd on 6.1-stable (thanks to all of you who make that possible!),
> > with a pretty vanilla tls setup. When testing the server on ssllabs.com,
> > results say that
> >
> > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> >
> > is considered weak. How should I interpret that information, as you see it?
> > And shouldn't default cipher strengths be >= 128? I have probably
> > misunderstood something, so any pointers in the right direction would be
> > lovely.
> >
> > Link to my test result:
> > https://www.ssllabs.com/ssltest/analyze.html?d=esoteric.andreasthulin.se
> >
> > My httpd.conf (which I'd like to keep very simple):
> > # www.andreasthulin.se - HTTP
> > server "www.andreasthulin.se" {
> >     alias "esoteric.andreasthulin.se"
> >     hsts subdomains
> >     listen on * port 80
> >     listen on * tls port 443
> >     tls certificate "/etc/ssl/esoteric.andreasthulin.se.fullchain.pem"
> >     tls key "/etc/ssl/private/esoteric.andreasthulin.se.key"
> >     root "/htdocs/andreasthulin.se"
> >     location "*.php" {
> >         fastcgi socket "/run/php-fpm.sock"
> >     }
> >     location "/.well-known/acme-challenge/*" {
> >         root "/acme"
> >         root strip 2
> >     }
> >     directory { index "index.php" }
> > }
> >
> > BR, Andreas
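
A local check of the two cipher strings discussed in this thread, as an added example that is not part of the original messages: it expands each string with Python's ssl module and lists any suite whose effective strength is under 128 bits. The result reflects the TLS library Python is linked against on the machine running it, not the LibreSSL build behind the httpd server; the function names are illustrative.

```python
import ssl

MIN_BITS = 128  # threshold taken from the question in the thread (">= 128")


def expand(cipher_string):
    """Return the suites the local TLS library enables for an OpenSSL-style string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return ctx.get_ciphers()


def below_threshold(cipher_string, min_bits=MIN_BITS):
    """List (name, strength_bits, alg_bits) for suites weaker than min_bits.

    The library rates each suite by effective strength (strength_bits), which
    can be lower than the nominal key length (alg_bits). OpenSSL rates 3DES
    as 112 strength bits against 168 algorithm bits, so 3DES suites are
    listed here whenever the local build still enables them.
    """
    weak = []
    for suite in expand(cipher_string):
        is_3des = "3DES" in suite["description"]
        if suite["strength_bits"] < min_bits or is_3des:
            weak.append((suite["name"], suite["strength_bits"], suite["alg_bits"]))
    return weak


def report(cipher_string):
    """Build a short text summary for one cipher string."""
    total = len(expand(cipher_string))
    weak = below_threshold(cipher_string)
    lines = ["%s: %d suites, %d below %d bits" % (cipher_string, total, len(weak), MIN_BITS)]
    for name, strength, alg in weak:
        lines.append("  %s  strength=%d  key length=%d" % (name, strength, alg))
    return "\n".join(lines)


if __name__ == "__main__":
    # First string: "HIGH:!aNULL" without the exclusion. Second: the string from the reply.
    for cipher_string in ("HIGH:!aNULL", "HIGH:!aNULL:!3DES"):
        print(report(cipher_string))
```

On a library that no longer places 3DES in HIGH, both strings report zero weak suites; a fresh SSL Labs scan remains the check for what the server itself offers.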

