I just checked the SSL security with SSLLabs (https://www.ssllabs.com/ssltest/). It seems the default configuration allows Diffie Hellman key exchange (D-H) for the nginx configuration which is not secure anymore. Currently the ssl ciphers are set to
the solution would be to set them to
in all nginx configuration files.
The solution has been discussed here (Yunohost, Let’s Encrypt, A+ au SSLLabs) but I wonder if there is any plan to remove D-H from the default configuration (I know this will break compatibility with Windows XP)? One can of course modify the configuration manually but this always risks breaking the configuration/application with upcoming Yunohost updates hence this is - in my opinion - not the best of ideas.
Thanks for bringing this up. There was some plan to automatically generate DH params as a background task after installation and ‘activate’ them once they’re ready. I didn’t know DH params (or cyphers using DH params?) were not considered safe anymore.
We could definitely use some advice here regarding which cypher to use (or more generally general recommendations about security and what should the default parameters be). Personally I’d be okay with dropping compatibility with Windows XP because this is madness. (Imho we want compatibility for Win7 though).
Do you know about which important compatibility the settings you suggest would break also? Or any pointers to resources that explain that? (After writing about it, I realize maybe ssllabs provide such info)
Unfortunately I am not a security/cryptography expert. I would recommend executing a test with the SSLLabs analyzer (takes about 120 secs each IP for my domain). It’s quite extensive and lists results for:
Cipher suites (including security ratings)
Compatibility with major devices (Windows, browsers, mobiles)
After the result (which is a “B”, so it’s not a total critical issue) I looked up the problem and I did remember reading about the possibility of reducing the security of D-H ciphers some time ago. It seems it is possible to reduce the cipher strength making D-H cipher key lengths of 768-1024 bit practically attackable (you know, with a super computer).
One additional note: on a website (I don’t remember which) it was stated that removing D-H would break with Windows XP running IE as browser. Seeing the current handshake simulation by SSLLabs again it seems the current implementation already breaks the handshake anyway.
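
Added example, not part of the thread and not Yunohost's own tooling: a heuristic audit of an nginx config that tells finite-field DHE suites apart from ECDHE ones and reports whether `ssl_dhparam` is set. The two sample cipher strings are constructed for illustration (they are not the thread's strings), and the function names `dhe_enabled` and `audit` are hypothetical.

```python
import re

# OpenSSL cipher-string keywords that select finite-field (non-EC) DH suites.
DHE_KEYWORDS = {"DH", "DHE", "EDH", "kDHE", "kEDH"}
# Broad aliases that also include DHE suites unless those are excluded.
BROAD_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM"}
DIRECTIVE = re.compile(r"^\s*(ssl_ciphers|ssl_dhparam)\s+([^;]+);", re.M)
# Constructed sample directives (assumptions, not taken from the thread).
BEFORE = "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL;"
AFTER = "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!DH;"


def dhe_enabled(cipher_string):
    """Heuristic: could this cipher string negotiate finite-field DHE?"""
    allowed = False
    for token in filter(None, re.split(r"[:, ]+", cipher_string.strip("'\" "))):
        prefix = token[0] if token[0] in "!-+" else ""
        name = token[len(prefix):]
        if prefix == "!" and name in DHE_KEYWORDS:
            return False  # "!" removes the whole family permanently
        if prefix:
            continue  # other "!", "-" and "+" tokens never add suites
        if (name in BROAD_ALIASES or name.startswith(("DHE-", "EDH-"))
                or any(part in DHE_KEYWORDS for part in name.split("+"))):
            allowed = True
    return allowed


def audit(conf_text):
    """One finding per ssl_ciphers directive; ssl_dhparam is checked file-wide."""
    directives = DIRECTIVE.findall(conf_text)
    has_dhparam = any(name == "ssl_dhparam" for name, _ in directives)
    findings = []
    for name, value in directives:
        if name != "ssl_ciphers":
            continue
        if not dhe_enabled(value):
            findings.append("ok: no finite-field DHE offered")
        elif has_dhparam:
            findings.append("review: DHE offered, check the ssl_dhparam size")
        else:
            findings.append("warn: DHE listed but no ssl_dhparam set")
    return findings


if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER))
```

Since nginx 1.11.0, DHE suites are not used unless `ssl_dhparam` is set, while older versions fall back to built-in parameters, so a "warn" result matters most on those. `openssl ciphers -v` with the same string gives the authoritative expansion of what a cipher string selects.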