SSL config on inkscape.org
Hello,
I hope that someone feeling responsible for the Inkscape website is reading this. Would it be possible to change the SSL used by inkscape.org to offer something modern and maybe disable old and weak cyphers? I have disabled the broken ones in my browser and can't reach the website any more. See [0] for details.
Tobias
[0] https://www.ssllabs.com/ssltest/analyze.html?d=inkscape.org&hideResults=...
2015-08-21 11:17 GMT+02:00 Tobias Ellinghaus <houz@...173...>:
Hello,
I hope that someone feeling responsible for the Inkscape website is reading this. Would it be possible to change the SSL used by inkscape.org to offer something modern and maybe disable old and weak cyphers? I have disabled the broken ones in my browser and can't reach the website any more. See [0] for details.
Tobias
[0] https://www.ssllabs.com/ssltest/analyze.html?d=inkscape.org&hideResults=...
Hi Tobias, can you be a bit more specific? Which cipher suites have you disabled because they are broken?
The SSL Labs report you link to gives an A grade and only A+ is better (usually requires HSTS and extra features for top score). The report clearly states that suitable connections can be made with TLS 1.2, 1.1 and 1.0. Downgrade to SSLv3 is not possible, which is also good.
Regards
On Friday, 21 August 2015, 13:19:57, Christoffer Holmstedt wrote:
2015-08-21 11:17 GMT+02:00 Tobias Ellinghaus <houz@...173...>:
Hello,
I hope that someone feeling responsible for the Inkscape website is reading this. Would it be possible to change the SSL used by inkscape.org to offer something modern and maybe disable old and weak cyphers? I have disabled the broken ones in my browser and can't reach the website any more. See [0] for details.
Tobias
[0] https://www.ssllabs.com/ssltest/analyze.html?d=inkscape.org&hideResults=...
Hi Tobias, can you be a bit more specific? Which cipher suites have you disabled because they are broken?
The SSL Labs report you link to gives an A grade and only A+ is better (usually requires HSTS and extra features for top score). The report clearly states that suitable connections can be made with TLS 1.2, 1.1 and 1.0. Downgrade to SSLv3 is not possible, which is also good.
This is really strange; when I last checked a few days ago this was definitely different. However, you are only providing DHE_RSA variants, which are potentially harmed by the latest Diffie-Hellman issues (your 2048-bit key should be fine though). Could you maybe add some ECDHE_RSA?
https://weakdh.org/sysadmin.html
Regards
Thanks in advance Tobias
On Fri, 2015-08-21 at 16:12 +0200, Tobias Ellinghaus wrote:
The SSL Labs report you link to gives an A grade and only A+ is better (usually requires HSTS and extra features for top score). The report clearly states that suitable connections can be made with TLS 1.2, 1.1 and 1.0. Downgrade to SSLv3 is not possible, which is also good.
This is really strange; when I last checked a few days ago this was definitely different. However, you are only providing DHE_RSA variants, which are potentially harmed by the latest Diffie-Hellman issues (your 2048-bit key should be fine though). Could you maybe add some ECDHE_RSA?
Please try again now. The new set has taken our score down a notch, but if it makes it work for more people I'm happy to keep a lower score.
Martin,
On Friday, 21 August 2015, 10:34:46, Martin Owens wrote:
On Fri, 2015-08-21 at 16:12 +0200, Tobias Ellinghaus wrote:
The SSL Labs report you link to gives an A grade and only A+ is better (usually requires HSTS and extra features for top score). The report clearly states that suitable connections can be made with TLS 1.2, 1.1 and 1.0. Downgrade to SSLv3 is not possible, which is also good.
This is really strange; when I last checked a few days ago this was definitely different. However, you are only providing DHE_RSA variants, which are potentially harmed by the latest Diffie-Hellman issues (your 2048-bit key should be fine though). Could you maybe add some ECDHE_RSA?
Please try again now. The new set has taken our score down a notch, but if it makes it work for more people I'm happy to keep a lower score.
Much better, even without ECDHE. Thanks.
Martin,
Tobias
participants (3)
- Christoffer Holmstedt
- Martin Owens
- Tobias Ellinghaus