-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Werner, you (or anyone setting up a web server themselves really) might also find this config generator from Mozilla helpful as a shortcut in creating what is considered a modern web server config for TLS.
https://mozilla.github.io/server-side-tls/ssl-config-generator/ https://wiki.mozilla.org/Security/Server_Side_TLS This config may not apply to gnupg.org directly since its not clear what web server you are running. In any case it will tell you which suites you are recommended to support for modern(ish) browsers. I would also note that there is room for improvement regarding the security headers the gnupg.org sends with its content. https://securityheaders.io/?q=gnupg.org&followRedirects=on You are using HSTS, which is generally very good, but in this case it forcibly breaks users experience since it requires me to connect with TLS but that is not possible since you are not advertising a TLS suite that shares common ground with my browser (or millions of other potential visitors). Cheers. On 1/26/17 3:49 AM, Andrew Gallagher wrote: > On 26/01/17 00:16, Andrew Gallagher wrote: >> >> gnupg.org *does* keep 3DES at the end of the supported suites, >> so surely it should not be affected. I'm tempted to write this >> off as a mistake by ssllabs. > > I've spoken to ssllabs and it appears that this was an ambiguity > in the wording of their blog post. That means the downgrade to C > next month is legit - not because 3DES is present, but because 3DES > is present *and* GCM is absent. > > What both this and Glenn's Apple issue have in common is the lack > of ECDHE+GCM suites in the cipher list. I generally use the > following config in Apache: > > SSLCipherSuite \ "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM > EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 > EECDH+aRSA+SHA256 \ EECDH EDH+AESGCM EDH+aRSA +3DES 3DES \ !aNULL > !eNULL !LOW !EXP !MD5 !KRB5 !PSK !SRP !DSS !SEED !RC4" > > This uses all HIGH suites in a sensible order but still falls back > to 3DES for XP compatibility. When retiring 3DES this simplifies > to: > > SSLCipherSuite \ "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM > EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 > EECDH+aRSA+SHA256 \ EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL > !eNULL !PSK" > > Andrew. > > > > _______________________________________________ Gnupg-users > mailing list Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEHYo11lajUTmaOI4vCiVDbdRDnGwFAliKRHYACgkQCiVDbdRD nGz5xg/7BITjIZlPTQ3dmTmbFx5/griGFF0gRD7oDelH7Diytqc2moQLJU0DfynZ JBDlOkLIidzhSYQMR6ce/wzq/McV/fEuHhKsDTxDtSgU0tGe02xwg4MXCopP3OB9 6iO0zw8VwysDz+H4TDvx+/8CqwUeOBk+oRDZybZgH3xgBDVc8YsuWSCQVZJZdDEG JEnolJeWz+fS28FFkqN+hEcmqOT0Cxo1fRXClM1hOBRCl4BxPrE5WeFYag3YT6/a Y33GXA6+v+5lcC2il5vQY4Y1Obdn3kYK9E/aRs2gRSmEVX7rQ8lbuPRpz3WVLqFp sUZ3BEvdXSjWPAG65xKopsaD+PnKpkzIKTcjQLy+3dx08A8l5V4wDSpjd9M86I7c h32vByUjYq/l5rVztP8ZOkW3tq6ParyVw22VyjJGcj0LlyBnAbgcrCbw2ZsVFFnr 72Q8lfMrK8B+2YHyVz68CM54K29OAsm459OdzCcN8MXUSp33ck2TYoJxhsT+qWR6 1N2y1kb+Noq6ewYktUCwUHwwLLIoOCa3UiF1lMTpziq/rNjz0sIcvpg1ml7GymO7 8/lqxX5OyEMVACXbVQkNtwhVMagih1CWPgwZHCZWiVk/2BS85sYou0kvsxZByW44 0vRWRAbgcMWPw7viD7gVY8SksmqGblJfogKTqD382Wjp/gk1FvM= =P0Vg -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
