Cipherli.st got a big update, your help needed!
As you might know, I've created some SSL-related websites; Cipherli.st is one of them. It has a copy-pastable secure configuration for the three major webservers (Apache, nginx and Lighttpd) which provide a strong and secure SSL connection, including ciphersuite, key size, headers and such.
I've gotten many requests to also add config for other software besides the three webservers. I've finally made the jump and added config for the following software:
- haproxy
- MySQL
- DirectAdmin
- Exim
- Dovecot
- Proftpd
- Postfix
I need your help, however. I've tested all configuration of course, but I want you guys/gals to also test it. Just to make sure.
And I want pull requests for other software which can have SSL settings configured.
If you know of any or can test some configuration, that would be very nice.
Comments
Love it.
I've tested this on nginx, very strong A+. Good work!
But for some legacy / specific browsers I'm still using https://mozilla.github.io/server-side-tls/ssl-config-generator/
@Raymii I love your tutorials and from time to time I lurk at your site to refresh myself. Thanks for the awesome work.
Thanks
Raymii,
I am so deeply disappointed that your sites are not SPDY enabled. The 500ms it took to load your site felt like an eternity.
Don't care about SPDY (it's not in Lighttpd yet, is it?), but others to whom I gave the link today have pointed out that the website is not even on IPv6. Guess can't be "state of the art" on all fronts at the same time?
SSL is slow; SPDY is the solution to make it faster in the browser, and almost all major browsers support SPDY now.
Strong ciphers are also not good for SEO; imagine, Google still uses SSL3 because they are afraid to lose traffic, to make it work on all browsers, even old ones.
example https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=74.125.239.96
When it's enabled by default in NGINX I'll enable it.
Raymii.org is IPv6 enabled, Cipherli.st not (yet), it is on DO in a DC without IPv6. Will look into that, maybe I can migrate it.
That comment makes no sense. SPDY has underlying SSL encryption. Furthermore, SEO is also bullshit, just as your comment.
Also, if a website is available via HTTP and HTTPS, it doesn't matter since you can do a MITM downgrade attack to force http...
Google try to minimise server CPU needed to have https. They don't care if it's strong or not - they want it to look good, and be as cheap as possible / with as little CPU overhead as possible as they handle billions of requests each day, and their goal is to make cash, not to be a privacy paradise...
It's not a bullshit comment, that's the reality: the strongest ciphers are not gonna be compatible with some old browsers for sure, people can't open the site, and even low-volume visitors are still traffic!
In the end, it's all the webmaster's decision to pick the best solution ;p
Yes, and it depends on the level of 'security' you need.
An OK approach would be to use a strong cipher if possible, and if not switch to a less-good one, isn't it?..
https://calomel.org/nginx.html 's config is an interesting read
they choose to use:
Explaining it that way:
Ya, that's the reason: since there are no universal SSL settings or ciphers, it all depends.
Cipherli.st provides the strong one, I can vouch that it's great, but for a custom solution better use https://mozilla.github.io/server-side-tls/ssl-config-generator/
It will show which software version you use, tweaks and additional options...
way too cool dude!
I stopped reading there.
Your comment reminds me of a LibreSSL commit where one of the devs had a nice thing to say about OpenSSL:
>
>
Pick one of the following: compatibility with shitty old software, security.
Thanks for the update, Raymii!
I just want to say I love Cipherli.st, it's so useful.