Mailinglist Archive: opensuse (1355 mails)

[opensuse] Re: opensuse sites *appear* not to be following recommended TLS settings.
Mathias Homann wrote:
I'm not sure what caused the OP's problems;
opensuse only supports RSA, which should be off.
I had it off (only ECDH + DH on). So no overlap to talk.
Turned on the weak RSA, and I could talk again.

I did run the Qualys SSL Labs server test against and the result was actually embarrassing...
Seriously? Grade B? Only weak ciphers enabled? wtf?

Did it against and got 2 reasons why grade
was capped to B:

This server does not support Forward Secrecy with the reference browsers. Grade capped to B.
This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B.

For TLS:

TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes

(TLS 1.3 hasn't been widely adopted ...)...but TLS 1.0, most agree
it should be off. But the fact that it is on indicates it's not
my TLS version that's a problem.

My browser starts w/TLS1.1 and offers 1.2

TLS1.2 Ciphers:

# TLS 1.1 (suites in server-preferred order)

Uses common DH primes No, DHE suites not supported
DH public server param (Ys) reuse No, DHE suites not supported
ECDH public server param reuse No, ECDHE suites not supported
^^^This is the problem^^^

opensuse only supports RSA, which is flawed and the
advice I was given was to turn off RSA -- so no connection.
I turn on RSA and can connect again.
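
The mismatch described in this message, as an added example that is not part of the original post: a client offering only ECDHE/DHE suites has no suite in common with an RSA-only server, and such a server also trips both grade caps quoted above. The suite lists are constructed for illustration (they are not the scanned server's actual list), and `grade_caps` is a simplified stand-in for the two SSL Labs checks, not their algorithm.

```python
import re

FORWARD_SECRET_KX = {"ECDHE", "DHE"}          # ephemeral key exchanges
AEAD_TAGS = ("GCM", "CCM", "CHACHA20_POLY1305")

def key_exchange(suite):
    """Key-exchange part of an IANA TLS 1.0-1.2 suite name (ECDHE_RSA -> ECDHE)."""
    m = re.match(r"TLS_(.+?)_WITH_", suite)
    if not m:
        raise ValueError(f"not a TLS 1.0-1.2 suite name: {suite}")
    return m.group(1).split("_")[0]

def is_aead(suite):
    """True if the bulk cipher is an authenticated-encryption mode."""
    return any(tag in suite.split("_WITH_", 1)[1] for tag in AEAD_TAGS)

def negotiate(client_offer, server_suites):
    """Server-preferred selection: first server suite the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_suites if s in offered), None)

def grade_caps(server_suites):
    """Simplified version of the two cap reasons quoted in the message."""
    caps = []
    if not any(key_exchange(s) in FORWARD_SECRET_KX for s in server_suites):
        caps.append("no forward secrecy")
    if not any(is_aead(s) for s in server_suites):
        caps.append("no AEAD")
    return caps

# Constructed sample data (assumption): an RSA-key-exchange-only server.
SERVER_RSA_ONLY = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Constructed client offers: RSA key exchange disabled, then re-enabled.
CLIENT_HARDENED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]
CLIENT_WITH_RSA = CLIENT_HARDENED + ["TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    print("hardened client :", negotiate(CLIENT_HARDENED, SERVER_RSA_ONLY))
    print("RSA re-enabled  :", negotiate(CLIENT_WITH_RSA, SERVER_RSA_ONLY))
    print("server caps     :", grade_caps(SERVER_RSA_ONLY))
```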
