Mailinglist Archive: opensuse (1355 mails)

< Previous Next >
[opensuse] Re: opensuse sites *appear* not to be following recommended TLS settings.
Mathias Homann wrote:
I'm not sure what caused the OP's problems;
---
opensuse only supports RSA, which should be off.
I had it off (only ECDH + DH on). So no overlap to talk.
Turned on the weak RSA, and I could talk again.

I did run the qualy ssl labs server test against https://www.suse.com and the result was actually embarrassing...

https://www.ssllabs.com/ssltest/analyze.html?d=www.suse.com
Seriously? Grade B? Only weak ciphers enabled? wtf?


Did it against forums.opensuse.org and got 2 reasons why grade
was capped to B:

This server does not support Forward Secrecy with the reference browsers. Grade capped to B. This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B.

For TLS:

TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes

(TLS 1.3 hasn't been widely adopted ...)...but TLS 1.0, most agree
it should be off. But fact that it is on -- indicates it's not
my TLS version that's a problem.

My browser starts w/TLS1.1 and offers 1.2


TLS1.2 Ciphers:
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK


# TLS 1.1 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK


Uses common DH primes No, DHE suites not supported
DH public server param (Ys) reuse No, DHE suites not supported
ECDH public server param reuse No, ECDHE suites not supported
-----
^^^This is the problem^^^

opensuse only supports RSA, which is flawed and the
advice I was given was to turn off RSA -- so no connection.
I turn on RSA and can connect again.






--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >