[guardian-dev] https connection to guardianproject's blog

Matej Kovacic matej.kovacic at owca.info
Fri Jan 31 08:42:16 EST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

> https://guardianproject.info/blog results in "Error establishing a 
> database connection"

BTW, there is an SSL test:
https://www.ssllabs.com/ssltest/analyze.html?d=guardianproject.info

My recommendation is to enable TLS 1.1 and TLS 1.2 and disable SSL 3, and
to enable Perfect Forward Secrecy (in Apache you can use the parameter
SSLDHParametersFile /etc/apache2/ssl/dhparam_4096.pem, but only from
Apache 2.4.2 on).

I would also recommend enabling Strict Transport Security (add this to
the Apache config: Header add Strict-Transport-Security
"max-age=31536000").

There are also some certificate path issues; it seems you need to add
the intermediate certificate to your Apache config. I would also
recommend updating OpenSSL (the Lucky 13 attack is mitigated since
version 1.0.1).

It seems you have SSLHonorCipherOrder On, but to mitigate BEAST and
some other attacks I would recommend adding this parameter to your
Apache config:

SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'


Regards,

Matej
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLrqCsACgkQT1/aw0fBttIyWQCePeyQ1cma+LqsfgDQLeBBSIXQ
R2YAoP5E08TwsGByvoFyrdh8HCiV37Qn
=+w6t
-----END PGP SIGNATURE-----
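
The cipher string proposed in the message can be checked offline before it goes into httpd.conf. The script below is an added example for this thread, not code from the message, from Apache httpd or from OpenSSL: it hands the proposed SSLCipherSuite value to the local OpenSSL build through Python's standard-library ssl module, lists the suites OpenSSL actually selects in negotiation order, flags any suite the '!' rules should have excluded, and checks that no static-RSA suite is ranked above an ephemeral one, which is the property SSLHonorCipherOrder On is meant to enforce on the server side. The comparison strings WEAK and MISORDERED are constructed for illustration and do not come from the thread.

```python
"""Audit an Apache SSLCipherSuite value offline before deploying it.

Added example for the guardian-dev thread; not part of the original
message, of Apache httpd or of OpenSSL. Only the standard library is used:
SSLContext.set_ciphers() hands the string to OpenSSL and get_ciphers()
returns what OpenSSL selected, in negotiation order, so the result reflects
the OpenSSL build this script runs on.
"""
import ssl

# The SSLCipherSuite value proposed in the message, copied verbatim.
PROPOSED = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:"
    "CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)

# Constructed comparison strings (not from the message). WEAK offers no
# ephemeral key exchange at all; MISORDERED offers forward secrecy but ranks
# a static-RSA suite first, so a server honoring its own order never uses it.
WEAK = "RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA"
MISORDERED = "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256"

# Substrings of OpenSSL suite names that the message's '!' rules are meant to
# keep out: RC4, single/triple DES, MD5, NULL encryption, export grade,
# anonymous (A)DH / (A)ECDH, pre-shared keys and SEED.
BANNED_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "PSK", "SEED")


def expand(cipher_string):
    """Return the TLS <= 1.2 suites OpenSSL selects for cipher_string, in order.

    TLS 1.3 suites are configured separately (SSLOpenSSLConfCmd Ciphersuites
    in Apache) and are not affected by this string, so they are left out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [s for s in ctx.get_ciphers() if s["protocol"] != "TLSv1.3"]


def is_forward_secret(suite):
    """True for ephemeral (EC)DHE key exchange, i.e. the EDH / EECDH groups."""
    return suite["kea"] in ("kx-dhe", "kx-ecdhe")


def audit(cipher_string):
    """Summarize a cipher string: suite list, banned leftovers, PFS ordering."""
    suites = expand(cipher_string)
    names = [s["name"] for s in suites]
    fs = [is_forward_secret(s) for s in suites]
    # A static-RSA fallback at the tail is acceptable for old clients, but a
    # static suite ranked above any ephemeral one throws forward secrecy away
    # for every client once the server honors its own preference order.
    first_static = fs.index(False) if False in fs else len(fs)
    return {
        "suites": names,
        "banned": [n for n in names if any(t in n for t in BANNED_TOKENS)],
        "forward_secret_count": sum(fs),
        "static_before_ephemeral": any(fs[first_static:]),
    }


def report(label, cipher_string):
    """Print a human-readable audit for one cipher string."""
    r = audit(cipher_string)
    print(f"{label}: {len(r['suites'])} suites, "
          f"{r['forward_secret_count']} with forward secrecy, "
          f"banned={r['banned'] or 'none'}, "
          f"static ranked above ephemeral={r['static_before_ephemeral']}")
    for name in r["suites"]:
        print("   ", name)


if __name__ == "__main__":
    report("proposed", PROPOSED)
    report("weak (constructed)", WEAK)
    report("misordered (constructed)", MISORDERED)
```

Run it with python3 on the host that will serve the site, since the expansion depends on that machine's OpenSSL: suites the build does not ship (RC4 on current default builds, for instance) simply drop out of the list, which is exactly what the server would do. A non-empty "banned" list or static_before_ephemeral=True means the string needs another pass before it goes into the Apache config.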

