SSL certificate rating (C)

Questions and Answers : Web site : SSL certificate rating (C)

To post messages, you must log in.

AuthorMessage
Customminer

Send message
Joined: 4 Apr 14
Posts: 1
Credit: 77,596
RAC: 0
Message 79952 - Posted: 27 Apr 2016, 22:12:31 UTC
Last modified: 27 Apr 2016, 22:14:21 UTC

Hey,

I checked SSL support for all BOINC projects yesterday in the following thread:
https://boinc.berkeley.edu/dev/forum_thread.php?id=10973

The users in the thread suggested reaching out to all affected projects, so here I am!

Rossetta@Home only has a 'C' ranking according to ssllabs: https://www.ssllabs.com/ssltest/analyze.html?d=www.malariacontrol.net

Would it be possible to reconfigure your SSL certificate/settings to be better than C?

Thanks
ID: 79952 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Mod.Sense
Volunteer moderator

Send message
Joined: 22 Aug 06
Posts: 4018
Credit: 0
RAC: 0
Message 79961 - Posted: 28 Apr 2016, 14:55:15 UTC
Last modified: 28 Apr 2016, 15:01:57 UTC

The URL you posted points to another BOINC project. Here is the link for R@h
https://www.ssllabs.com/ssltest/analyze.html?d=boinc.bakerlab.org

I've EMailed DK asking he check it out.
Rosetta Moderator: Mod.Sense
ID: 79961 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Profile Keith E. Laidig
Volunteer moderator
Project developer
Avatar

Send message
Joined: 1 Jul 05
Posts: 154
Credit: 117,189,961
RAC: 0
Message 79962 - Posted: 28 Apr 2016, 19:18:55 UTC

Howdy. I'll look into this and see what I we can do. -KEL

ID: 79962 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
[CSF] Aleksey Belkov

Send message
Joined: 12 Apr 17
Posts: 1
Credit: 1,307,397
RAC: 0
Message 81420 - Posted: 12 Apr 2017, 18:52:21 UTC

1) All servers but one(128.95.160.140) have rating F.

At minimum, on all servers must be set only strong encryption(

SSLCipherSuite HIGH:!kECDH:!aNULL:!eNULL:!PSK:!DSS:!MD5

)to solve:

This server supports insecure cipher suites (see below for details). Grade set to F.

2)To solve:

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.

It's needed to upgrade OpenSSL at least to 1.0.1 branch(1.0.1u last) and set:

SSLProtocol All -SSLv2 -SSLv3


3) To solve:

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

It's needed to upgrade Apache at least to 2.2.30 version:

Custom DH parameters and an EC curve name for ephemeral keys, can be added to end of the first file configured using SSLCertificateFile. This is supported in version 2.2.30 or later. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, as they are applied independently of the authentication algorithm type.

You can obtain the appropriate settings in this сonfigurator:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
ID: 81420 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote

Questions and Answers : Web site : SSL certificate rating (C)



©2022 University of Washington
https://www.bakerlab.org