SSL Encryption Settings #616
I'd like to disable TLS 1.0 and only use TLS 1.1 and TLS 1.2.
What can I do to edit these settings?
Sounds good, thank you! I'm new to snaps, so you know best anyway! Simon Hollenbach <email@example.com> wrote on Mon., 18 June 2018, 18:21:…
Unfortunately, it's not as easy as that, as the content of the snap itself is immutable. I think this issue is a feature request, and an easy one at that, and will tag it accordingly. If you disagree, just let us know.
This is becoming a trend: https://blog.sucuri.net/2018/06/sucuri-enhances-security-by-disabling-tls-version-1-0-and-1-1.html
Many folks are using only the PFS cipher suites exclusively on their web server settings. Those contain the strongest ciphers and from TLS v1.2 and soon TLS v1.3. Nearly all web browsers now can work just fine with TLS v1.2 PFS cipher suites and you are using the strongest connective end to end encryption possible using openssl libraries. My suggestion to kick upstream is to gut everything but PFS (Perfect Forward Secrecy) ciphers as those are the strongest available and publicly supported.
Perfect Forward Secrecy is obtained by using Ephemeral Diffie-Hellman keys (DHE or EDH). So to get the cipher suites in that list that support PFS you could do:
$ openssl ciphers -v aECDSA:aECDH:kEDH:kRSA | grep DHE
This will include ciphers based on ECDHE (Elliptic Curve) as well as DHE (RSA). An advantage of ECDHE is that it is a lot faster than DHE. However, in the list generated by that command there are still quite a few weak ciphers that use weak or no crypto: DES, RC4, SSLv3, NULL.
All of those happened to have SSLv3 in common, so by excluding SSLv3 you get a list of 12 solid ciphers:
$ openssl ciphers -v aECDSA:aECDH:kEDH:kRSA | grep DHE | grep -v SSLv3
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
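As an added example (not code from this thread or the snap), the grep pipeline above rewritten as a small parser of `openssl ciphers -v` output: it selects forward-secret suites by the Kx field instead of by name, drops SSLv3-era and weak suites the same way the pipeline does, and can additionally drop CBC-mode suites. The sample output embedded below is constructed, not captured from the snap.

```python
import re
from collections import namedtuple

# Constructed sample of `openssl ciphers -v` output (not captured from the snap);
# columns are name, protocol, Kx=, Au=, Enc=, Mac=, as openssl prints them.
SAMPLE_CIPHERS_V = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256         TLSv1.2 Kx=DH   Au=RSA   Enc=AES(256)    Mac=SHA256
ECDHE-RSA-AES128-SHA          SSLv3   Kx=ECDH Au=RSA   Enc=AES(128)    Mac=SHA1
ECDHE-RSA-RC4-SHA             SSLv3   Kx=ECDH Au=RSA   Enc=RC4(128)    Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA        SSLv3   Kx=ECDH Au=RSA   Enc=3DES(168)   Mac=SHA1
ECDHE-RSA-NULL-SHA            SSLv3   Kx=ECDH Au=RSA   Enc=None        Mac=SHA1
AES256-GCM-SHA384             TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(256) Mac=AEAD
"""

Suite = namedtuple("Suite", "name proto kx au enc mac")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

# Encryption algorithms the thread names as weak or absent (Enc=None is NULL).
WEAK_ENC_PREFIXES = ("RC4", "DES", "3DES", "None")


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into Suite tuples; unparseable lines are skipped."""
    return [Suite(*m.groups()) for m in map(LINE_RE.match, text.splitlines()) if m]


def is_forward_secret(suite):
    # Ephemeral (EC)DH key exchange prints as Kx=ECDH or Kx=DH; checking the field
    # is more reliable than grepping "DHE" out of the name. TLS 1.3 suites print
    # Kx=any and are always forward secret.
    return suite.proto == "TLSv1.3" or suite.kx in ("ECDH", "DH")


def strong_pfs_suites(suites, drop_cbc=False):
    """The thread's filter: PFS only, no SSLv3-era suites, no weak ciphers.

    drop_cbc=True keeps only AEAD suites; once RC4 is excluded, every remaining
    non-AEAD TLS 1.2 suite in openssl's list is a CBC-mode suite.
    """
    kept = []
    for s in suites:
        if not is_forward_secret(s) or s.proto == "SSLv3":
            continue
        if s.enc.startswith(WEAK_ENC_PREFIXES):
            continue
        if drop_cbc and s.mac != "AEAD":
            continue
        kept.append(s.name)
    return kept


def to_cipher_string(names):
    """Join suite names into the colon-separated form an ssl.conf cipher list uses."""
    return ":".join(names)
```

Feed it the real output with `parse_ciphers_v(subprocess.check_output(["openssl", "ciphers", "-v", "ALL"], text=True))` to get the list for the openssl build actually shipped in the snap.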
Could we disable TLSv1.1 and v1.0 and all CBC ciphers in the next stable release? (It's a great image, but this is for me the most annoying point: that I have to break the update mechanism of snap and edit the ssl.conf manually for every stable release.)
Example configuration pull request #937
(Sorry for trying to merge the pull request, it's the first time I'm using GitHub.)