Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 years ago.
We have implemented TLS 1.2 on Server 2019; how can we know the best cipher suite used for IIS 10?
If someone could give me a priority order, that would be great.
There is generally no "best" or "most secure" cipher suite you can use in all cases. Generally, when choosing a cipher suite you want to support, you follow some principles to come up with a suitable cipher suite for your use case. Some of those are:
Choose ciphers which are supported by both your server and your intended clients
Eliminate insecure ciphers (e.g. cryptographically broken ones or ciphers with too small key sizes)
Performance considerations (ECDSA is faster than RSA but not supported everywhere, longer key sizes are (significantly) slower than smaller key sizes but are more secure, ...)
Forward secrecy
...
If you don't want to deal with the properties of all the affected ciphers, there is a config generator maintained by Mozilla which can generate secure configurations for a variety of web servers for one of three security profiles at
https://ssl-config.mozilla.org/
You still need to decide based on the clients you intend to support and their supported ciphers which security profile is suitable.
An updated description of the available profiles along with some reasoning for the chosen options is available at https://wiki.mozilla.org/Security/Server_Side_TLS
To check your server and to get an overview of which browsers are able to connect to it, you could use the Qualys SSL Server Test at https://www.ssllabs.com/ssltest/
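Applying those principles mechanically, as an added example that is not from the answer or from any Microsoft tooling: a Python script that drops the insecure suites from a constructed list of IANA cipher suite names, optionally drops the ones without forward secrecy, and orders the survivors; the resulting list is what you would feed into the server's cipher suite order setting. The CANDIDATES list is an assumed sample, not the real default order of Server 2019 or IIS 10.

```python
import re

# Constructed sample input (an assumed list for illustration, not any product's
# real default order): cipher suites in IANA naming as a scanner might report them.
CANDIDATES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]

# Components that are broken or far too weak (the "eliminate insecure ciphers" step).
BROKEN = ("_NULL_", "_EXPORT_", "_RC4_", "_3DES_", "_DES_", "_MD5", "_anon_")

def is_insecure(suite):
    """True if the suite uses a broken cipher, MAC or anonymous key exchange."""
    return any(tag in suite for tag in BROKEN)

def has_forward_secrecy(suite):
    """Ephemeral (EC)DH key exchange provides forward secrecy."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))

def rank(suite):
    """Sort key, higher is better: forward secrecy, then AEAD (GCM/ChaCha20)
    over CBC, then faster ECDSA over RSA, then longer symmetric key."""
    kex = 2 if suite.startswith("TLS_ECDHE_") else 1 if suite.startswith("TLS_DHE_") else 0
    aead = 1 if ("_GCM_" in suite or "_CHACHA20_" in suite) else 0
    auth = 1 if "_ECDSA_" in suite else 0
    m = re.search(r"_(\d+)_(GCM|CBC)", suite)
    bits = int(m.group(1)) if m else 256      # ChaCha20 uses a 256-bit key
    return (kex, aead, auth, bits)

def priority_order(suites, require_pfs=True):
    """Drop insecure suites (and, by default, non-PFS ones), strongest first.
    Ties keep their input order because sorted() is stable."""
    keep = [s for s in suites if not is_insecure(s)]
    if require_pfs:
        keep = [s for s in keep if has_forward_secrecy(s)]
    return sorted(keep, key=rank, reverse=True)
```

Running priority_order(CANDIDATES) on the sample keeps six ECDHE/DHE suites, with the AES-256-GCM and ChaCha20 ECDSA suites at the top; pass require_pfs=False to also keep plain RSA key exchange for legacy clients.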
Closed 12 months ago.
I have to set up multiple domains under a single cPanel because they both need to point to the same document root.
I have successfully added the secondary domain under Domains, and I was able to upload another SSL certificate for this domain.
However, it looks like I am only able to install one SSL certificate at a time; when I tried to install the secondary SSL, the first one automatically stopped working.
How can I configure cPanel to have both SSLs working? Or, in this case, do I have to use a single SSL that supports multiple domains?
Thanks
If you add each domain as "Addon" under your cPanel, your hosting provider's free SSL (either Let's Encrypt or cPanel's SSLs) should be able to cover EACH addon domain with a different SSL certificate, and they should not interfere with each other.
If you still experience issues with that, I would recommend reaching out to your hosting provider to check that further for you and let you know how this can be achieved in their environment.
If they lack support, then I would recommend looking for a managed hosting provider that will take care of this configuration for you.
Closed 5 years ago.
I am a user of Telit GE910-QUAD V3 modem (2G). The below table explains the Telit cellular modems and the TLS protocols they support.
Product   SSLV3   TLSV1.0   TLSV1.1   TLSV1.2
(2G)      N/A     YES       N/A       N/A
(3G)      YES     YES       YES       N/A
(4G)      YES     YES       YES       YES
After seeing this, I doubt whether cellular technology (2G/3G/4G) plays any role in choosing the TLS version. Just for example, with 2G where data bandwidth and latency are poor, it might not be possible to use higher TLS versions.
Is there any reason why Telit 2G modems don't support higher TLS versions?
There is no reason that TLS 1.2 cannot be run over 2G networks if TLS 1.0 can, because these protocols are almost the same. My guess is that the 2G, 3G and 4G modems were simply created at different times and only the newer products support the newer TLS versions, simply because these versions were not yet released or not seen as important at the time the software for the older modems was created.
Closed 7 years ago.
I bought an SSL certificate generated with the SHA-2 algorithm.
It was successfully installed on an apache2 server. I also tested it with an online tool like https://www.sslshopper.com and the result is completely OK; however, in the Firefox console I got something like this:
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.
I also double checked with Chrome and other browsers. It seems OK.
Are there any gotchas related to my certificate?
Please help, and thanks in advance.
Your certificate is fine. The warnings logged in the Firefox console are due to resources served from other domains (specifically, s-static.ak.facebook.com, connect.facebook.com and avocado-app.s3.amazonaws.com) that use SHA-1 certificates.
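To check for yourself which certificate in a page's dependency chain is SHA-1 signed, here is an added example that is not from the answer: a minimal DER reader in Python that pulls the signatureAlgorithm OID out of an X.509 certificate and names it. SIG_ALGS, fake_cert and the OID constants are constructed test data for this example; the same functions accept the bytes of a real DER-encoded certificate.

```python
# Minimal DER walker that reads the signatureAlgorithm of an X.509 certificate:
# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                  # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Name (or dotted OID) of the algorithm the CA used to sign the certificate."""
    _, cert, _ = read_tlv(der, 0)          # outer Certificate SEQUENCE
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)      # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)

def is_sha1_signed(der):
    return "SHA1" in signature_algorithm(der).upper()

# Constructed test vector, not a real certificate: empty tbsCertificate and
# signature with only signatureAlgorithm filled in. A real DER file, e.g.
# open("cert.der", "rb").read(), is parsed by the same functions.
def fake_cert(oid_der):
    alg_id = b"\x30" + bytes([len(oid_der) + 2]) + oid_der + b"\x05\x00"  # SEQUENCE { OID, NULL }
    body = b"\x30\x00" + alg_id + b"\x03\x01\x00"                        # tbs, algId, BIT STRING
    return b"\x30" + bytes([len(body)]) + body

SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11
```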
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
We are looking into supporting TLS-PSK for a set of constrained devices that do not have sufficient resources to do the normal TLS handshake using certificates. To that end we are looking for a TLS-PSK component, that we can integrate on our (cloud) servers. This component may be anything, a proxy, module for apache or anything else that scales well.
So far we have found several libraries that support TLS-PSK: GnuTLS and OpenSSL, amongst others. Moreover, we can find several HTTPS/TLS client libraries that we can use to send HTTP(S) requests over a TLS-PSK connection. However, what we have not been able to find are server-side solutions that would accept such TLS-PSK connections. The Apache modules mod_ssl and mod_gnutls do not expose the TLS-PSK capabilities of the underlying libraries. F5 Big-IP does not have TLS-PSK in its cipher lists. HAProxy does not have TLS-PSK interfaces either. The node.js TLS library had a pull request that became stale and hard to apply with all the recent TLS lib refactorings...
So in short: does anyone know of a TLS-PSK capable component that we can integrate in our server backends to accept TLS-PSK connections from a large set of clients?
stunnel might be capable of helping here. PSK was added in 5.09.
Installation
/etc/stunnel/stunnel.conf:
[PSK server]
accept = 443
connect = 80
ciphers = PSK
PSKsecrets = /path/to/psk.txt
debug = 7
psk.txt (chmod 600):
client1:oaP4EishaeSaishei6rio6xeeph3az
Run it with stunnel, or set it up as a service.
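As an added example that is not from the answer or from the stunnel project: a Python helper that generates psk.txt entries in the IDENTITY:KEY format shown above, creates the file with mode 0600 from the start, and checks an existing file for the mistakes that commonly break a PSK deployment (loose permissions, malformed lines, duplicate identities, short keys). MIN_KEY_CHARS is an assumed local policy for this example, not a stunnel requirement.

```python
import os
import secrets
import tempfile

# Assumed local policy for this example (the key in the answer is 30 characters).
MIN_KEY_CHARS = 20

def new_psk_line(identity):
    """Build one IDENTITY:KEY line with a freshly generated random key."""
    if not identity or ":" in identity:
        raise ValueError("identity must be non-empty and must not contain ':'")
    return f"{identity}:{secrets.token_urlsafe(24)}"   # 32 URL-safe chars, 192 bits

def write_psk_file(path, lines):
    """Create the file with mode 0600 from the start instead of chmod afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("".join(line + "\n" for line in lines))

def check_psk_file(path):
    """Return a list of problems; an empty list means the file looks usable."""
    problems, seen = [], set()
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        problems.append(f"mode {mode:o} allows group/other access")
    with open(path) as f:
        for n, raw in enumerate(f, 1):
            line = raw.rstrip("\n")
            if not line:
                continue
            ident, sep, key = line.partition(":")
            if not sep or not ident:
                problems.append(f"line {n}: expected IDENTITY:KEY")
                continue
            if ident in seen:
                problems.append(f"line {n}: duplicate identity {ident!r}")
            seen.add(ident)
            if len(key) < MIN_KEY_CHARS:
                problems.append(f"line {n}: key shorter than {MIN_KEY_CHARS} characters")
    return problems

def demo():
    """Write a good and a deliberately bad psk.txt in a temp dir; return both check results."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "psk.txt"), os.path.join(d, "bad.txt")
    write_psk_file(good, [new_psk_line("client1"), new_psk_line("client2")])
    write_psk_file(bad, ["client1:short", "client1:" + "x" * 24, "nocolon"])
    os.chmod(bad, 0o644)                         # world-readable, as if chmod 600 was skipped
    return check_psk_file(good), check_psk_file(bad)
```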
Closed 9 years ago.
I'm about to get an SSL Certificate for my website. In particular, it will be used because I'm switching over to a payment processor which requires it. A few "noob" questions:
1) Will I have to change any code that directs users to http://www.mysite.com to https://www.mysite.com, or will users who go to http://www.mysite.com be automatically redirected to https://www.mysite.com?
2) I assume that https "slows" things down on a site? If this is the case, can I maintain the http everywhere on my site except when they make a payment to the processor? i.e. http://www.mysite.com/any_old_page.php, while https://www.mysite.com/pay_for_the_stuff.php
Thanks!
No, that won't happen automatically. You will have to change your server configuration to do that.
Yes, it slows things down. How much depends on the cipher suite used for the server, the server software and hardware. You should play around with different TLS cipher suites to see how much. It depends on that (and on the nature of your site) whether you should only use TLS on part of your site or all of your site. As for the requirements of the payment processor: ASK!