Mailinglist Archive: opensuse (1355 mails)

[opensuse] Re: opensuse sites *appear* not to be following recommended TLS settings.
Andrew Colvin wrote:
TLS1.0 and 1.1 are deprecated and most websites have them turned off for security reasons the same as SSL version.
---
TLS1.0 is deprecated, but not 1.1.

The old browser may also not be able to negotiate with the SHA2 certs as SHA1 is also past its life and most browsers and sites no longer support so if your browser cannot handle SHA2 then you will not connect.
---
Wouldn't matter. The opensuse sites I can't connect
with only use SHA1.



Additionally you may have old cipher support only and many of these are disabled on the servers for the health of the server.
----
Actually the problem was pretty much the opposite.
The opensuse server only had the weaker ones starting w/RSA
enabled. I'd disabled RSA as a first try and only had
the strong ones enabled.


I enabled a few of the RSA ciphers, which I'm told often
needs to be done for compatibility as many sites haven't
disabled the older ciphers for compatibility w/customers.


All things to check out
---
Did...and the problem was pretty much the opposite of
what we were thinking.

Those who can't connect have their security settings set too high. Opensuse only has 1 algorithm available for the
first part -- RSA which is deprecated by ssllabs.

thanks for the nudge -- (made me investigate what was being
sent/offered...just that that whole strong/weak thing
got reversed)..



--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
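
The mismatch described in the message above (a client with RSA key exchange disabled, a server that enables only RSA key-exchange suites) can be checked locally before blaming the server. This is an added example, not part of the original mail: the two client cipher strings and the server suite list are constructed for illustration and are not the real opensuse configuration.

```python
import ssl

# Constructed stand-in for a server that enables only RSA key-exchange suites
# (OpenSSL names); NOT the real opensuse configuration.
SERVER_SUITES = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]


def offered(cipher_string):
    """Map suite name -> key exchange for the TLS <= 1.2 suites a client enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and are skipped here.
    return {c["name"]: c["kea"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def common_suites(cipher_string, server_suites):
    """Suites both sides enable; an empty list means no shared suite, so the handshake fails."""
    return [name for name in offered(cipher_string) if name in server_suites]


def kex_families(cipher_string):
    """Key-exchange families the client offers, e.g. {'kx-ecdhe', 'kx-rsa'}."""
    return set(offered(cipher_string).values())


if __name__ == "__main__":
    # Constructed client settings: "strict" drops RSA key exchange entirely,
    # "compat" re-enables a single RSA key-exchange suite.
    for label, cs in [("strict", "ECDHE+AESGCM:!kRSA"),
                      ("compat", "ECDHE+AESGCM:AES128-SHA")]:
        print(label, sorted(kex_families(cs)), common_suites(cs, SERVER_SUITES))
```

The suite names and the `kea` values come from the local OpenSSL build via Python's `ssl` module, so the exact list printed depends on that build.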
