[guardian-dev] https connection to guardianproject's blog

Hans-Christoph Steiner hans at guardianproject.info
Fri Jan 31 10:39:55 EST 2014



On 01/31/2014 08:42 AM, Matej Kovacic wrote:
> Hi,
> 
>> https://guardianproject.info/blog results in "Error establishing a 
>> database connection"

Yup, it's down, and the person with admin access is traveling in a far away land...


> BTW, there is an SSL test:
> https://www.ssllabs.com/ssltest/analyze.html?d=guardianproject.info
> 
> My recommendation is to enable TLS 1.1 and TLS 1.2 and disable SSL 3,
> enable Perfect Forward Secrecy (in Apache you can use parameter
> SSLDHParametersFile, but only from Apache 2.4.2
> /etc/apache2/ssl/dhparam_4096.pem.
> 
> I would also recommend to enable Strict Transport Security (add this
> into Apache config: Header add Strict-Transport-Security
> "max-age=31536000").
> 
> There are also some certification paths issues, it seems you need to
> add intermediate certificate to your Apache config. I would also
> recommend to update OpenSSL (Lucky 13 attack is mitigated since 1.0.1
> version).
> 
> It seems you have SSLHonorCipherOrder On, but to mitigate BEAST and
> some other attacks I would recommend to add this parameter in your
> Apache config:
> 
> SSLCipherSuite
> 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

These are all things we want to do, but we don't have control over that part.
It's an old school web hosting package from our friends at mayfirst.org.  So
we're asking them if this stuff can be improved.

.hc

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
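
Added example, not part of the original message or of any Guardian Project code: a small offline audit that checks an Apache mod_ssl config fragment against the recommendations quoted in this thread (SSLv3 off, TLS 1.1 and 1.2 on, the cipher exclusions from the quoted SSLCipherSuite string, and an HSTS header). The function names, the finding texts and the sample config are constructed for illustration, and the SSLProtocol evaluation is a simplified model.

```python
import shlex

# mod_ssl protocol names. Assumption: "all" is modelled as including SSLv3
# (conservative; newer mod_ssl builds already leave it out of "all").
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Exclusions that appear in the SSLCipherSuite string quoted in the message.
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!LOW", "!3DES", "!MD5", "!EXP", "!RC4"}

def parse_directives(text):
    """Map lowercased directive name -> list of argument lists."""
    directives = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith(("#", "<")):  # skip comments, section tags
            name, *args = shlex.split(line)
            directives.setdefault(name.lower(), []).append(args)
    return directives

def enabled_protocols(tokens):
    """Evaluate SSLProtocol tokens: +x adds, -x removes, a bare name replaces."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        chosen = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= chosen
        else:
            enabled = enabled | chosen if sign else chosen
    return enabled

def audit(text):
    """Return findings; an empty list means every check passed."""
    d = parse_directives(text)
    last = lambda key, default: (d.get(key) or [[default]])[-1] or [default]
    protos = enabled_protocols(last("sslprotocol", "all"))
    findings = ["SSLv3 is enabled"] if "SSLv3" in protos else []
    findings += [p + " is not enabled" for p in ("TLSv1.1", "TLSv1.2") if p not in protos]
    missing = sorted(REQUIRED_EXCLUSIONS - set(last("sslciphersuite", "")[-1].split(":")))
    if missing:
        findings.append("SSLCipherSuite lacks " + " ".join(missing))
    if not any("Strict-Transport-Security" in a and any(x.startswith("max-age=") for x in a)
               for a in d.get("header", [])):
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed sample config (not the real guardianproject.info configuration).
WEAK = """SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL
"""
print(audit(WEAK))
```

A static check like this only covers what is written in the config; the SSL Labs test linked in the thread remains the check of what the server actually negotiates.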
