undefined | Better HN

0 pointsjcoby11y ago0 comments

AFAIK it's also impossible to get an A+ if you want to support older browsers and OSs (the intermediate and old settings from this site) due to BEAST. Seems like XP, Vista, and IE <= 9 were all affected by using the modern cypher suite from Mozilla (they all got a F).

I wasn't able to find a way to do server-side BEAST mitigation that didn't involve re-enabling RC4 ciphers (which is a far worse option). SSLLabs automatically downgrades any site that doesn't do BEAST mitigation to an A-.

I also was unable to get forward-secrecy working with all reference browsers using the intermediate setting.

0 comments

3 comments · 1 top-level

jvehent11y ago· 2 in thread

I'm not sure how you got those results. I am certainly getting an A+ with the intermediate configuration and HAProxy. https://www.ssllabs.com/ssltest/analyze.html?d=jve.linuxwall...

jcobyOP11y ago

Turns out I was remembering wrong. The A- downgrade was from not supporting forward-secrecy in all reference browsers which is an issue with openssl than the recommended cipher suites.

IgorPartola11y ago

I think it is impossible to max out the various bars in the bar graph with these configurations (at least up to intermediate), but you can easily get A+ with latest stable nginx and intermediate config.

j / k navigate · click thread line to collapse