
I've been doing some work on the LUV server and noticed that it was supporting old SSL protocols. I disabled TLS 1.1 as ssllabs will no longer give a rating higher than B to a site that uses it; with that change we get an A+! I think this is no big deal as this only prevents access from Android below version 5.0 (NB Chrome on Android 4.x works fine, it's the Android internal browser that no-one would ever want to use on our site that fails), and some particularly ancient versions of Safari and IE.

https://www.ssllabs.com/ssltest/analyze.html?d=www.luv.asn.au&s=46.4.124.163&latest

The above URL gives the test results.

I disabled all the weaker ciphers that aren't being used. The cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is weak but is required to support IE11 on Windows versions before 10 and Safari versions before 9. Is it worth keeping?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On Tuesday, 10 November 2020 10:26:38 AM AEDT Russell Coker via luv-main wrote:
> The cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is weak but is required to support IE11 on Windows versions before 10 and Safari versions before 9. Is it worth keeping?

It turns out that IE11 on Windows <10 used that cipher if the server didn't ask it not to. When I specified that cipher as the lowest priority, IE11 on all platforms other than Windows Phone 8.1 (non-update) didn't use it; Windows Phone 8.1 update supported better ciphers with IE11.

That left Safari < 9 as the only possibility of problems. I doubt that anyone is trying to access our site from a version of Safari that's more than 5 years out of date. So I have disabled that cipher.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
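
The cipher priority effect described in this message can be modelled as follows. This is an added example, not part of the original post and not the LUV server's configuration: it models TLS 1.2 suite selection rather than performing a handshake, and the client offers, server lists and all names other than TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA are assumptions constructed for illustration.

```python
"""Model of TLS 1.2 cipher suite selection (no network, not a real handshake)."""

CBC_SHA = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"  # the suite discussed in the thread
GCM_128 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
GCM_256 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
DHE_GCM = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"


def negotiate(client_offer, server_suites, honor_server_order):
    """Return the agreed suite, or None if there is no common suite.

    The ClientHello lists suites in client preference order. A server that
    does not enforce its own order takes the first client suite it supports;
    a server that does enforce it takes the first of its own suites that the
    client offered.
    """
    if honor_server_order:
        primary, secondary = server_suites, client_offer
    else:
        primary, secondary = client_offer, server_suites
    allowed = set(secondary)
    return next((suite for suite in primary if suite in allowed), None)


# Constructed client offers (illustrative, not captured browser fingerprints).
CLIENTS = {
    "prefers-cbc": [CBC_SHA, DHE_GCM],      # lists CBC first but can do better
    "cbc-only": [CBC_SHA],                  # nothing stronger available
    "modern": [GCM_256, GCM_128, CBC_SHA],
}

# Hypothetical server suite lists for the stages described in the thread.
SERVER_WITH_CBC_LAST = [GCM_256, GCM_128, DHE_GCM, CBC_SHA]
SERVER_WITHOUT_CBC = [GCM_256, GCM_128, DHE_GCM]


def audit(server_suites, honor_server_order):
    """Map each client name to its negotiated suite (None = cannot connect)."""
    return {name: negotiate(offer, server_suites, honor_server_order)
            for name, offer in CLIENTS.items()}


if __name__ == "__main__":
    stages = [
        ("client order honoured", SERVER_WITH_CBC_LAST, False),
        ("server order, CBC last", SERVER_WITH_CBC_LAST, True),
        ("CBC suite removed", SERVER_WITHOUT_CBC, True),
    ]
    for label, suites, server_order in stages:
        print(label, audit(suites, server_order))
```

A `None` result marks a client that loses access once the suite is removed, which is the trade-off weighed above for Safari versions before 9.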