Comments
I find that using @raymii's config works out of the box on my Debian 8 servers. But it is not working on my Ubuntu 12.04.
@jsg, since you seem well versed in this, I have a question if you don't mind.
Will using Cloudflare and having a redirect rule (all http to https) be enough? For example, I don't have any SSL setup with nginx for my forum, and will just use Cloudflare's stuff.
A bit confused on your "to not accept SSL and to only use a reasonable set of algorithms" part. What algorithms do you mean exactly? Or am I overthinking this?
Maybe a misunderstanding, but from what I see you use that stuff on your desktop to create a config for the server.
Regarding the tools suggested by @seanho and @Raymii, particularly the Mozilla page, I think that's a good starting point for many. There are however still a lot of caveats and things one should think about. SHA-2 256 is an example, and so are certain NIST-propagated curves which you do not need for most sites unless you are doing business with a certain clientele.
I am using it on my websites. Some VPSes I have are using 12.04 because I bought them many years ago. But my more recent website uses Debian 8. I have less pain in Debian 8.
Re. %$"§Flare I guess your approach is right (I can only guess because I never used them nor will I ever).
Re. your other question: Keep in mind that TLS is but renamed new SSL versions. So saying that one should not accept SSL is just another way of saying that one should not use OLD SSL/TLS versions but at the very minimum TLS 1.1. Somewhat similarly one should use and accept only relatively modern crypto algorithms; a good (and a bit exaggerated for clarity) example is to avoid MD5 hashes and to use SHA-2 384+ or SHA-3.
A bit of extra explanation, as still many seem not to know that: SSL/TLS has diverse crypto algorithms available on both the server and the client side. Which ones are actually used is negotiated between the two at the beginning. Each side can exclude certain algorithms, maybe because they are considered too old and/or weak, or maybe because they are considered too expensive (in terms of computing). A major server, for example, with non-critical content (say a big cooking community) but tens of thousands of connected clients in the evening will probably not want to waste valuable resources on high-grade key exchange and encryption and thus make the server considerably slower.
Basically it works like this: both the server and the client "offer" a set of crypto algos and SSL/TLS versions they are ready and willing to use. And then they use some that they both have in common.
As your site goes through %$"§Flare that seems to not concern you and it might be assumed that they have reasonable selections and parameters in place. Maybe (Again: I do not KNOW that and can only speculate. Check with them!) %$"§Flare even offers an interface for customers to have some power over e.g. min. TLS version.
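The negotiation described in the post above, modelled as an added example (not the poster's code and not the real handshake format): each side offers versions and cipher suites, the highest common version wins, and the cipher is chosen from whichever side's preference order applies. The server and client policies are constructed for illustration; cipher names are OpenSSL-style labels.

```python
# Added illustration of SSL/TLS offer-and-pick negotiation (constructed model,
# not the actual wire protocol). Version labels in increasing strength order.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def negotiate(server_versions, server_ciphers, client_versions, client_ciphers,
              server_prefers=True):
    """Return (version, cipher) both sides share, or None if the handshake fails.

    Version: the highest one offered by both sides. Cipher: the first entry in
    the preferring side's ordered list that the other side also offers.
    """
    common = [v for v in VERSION_ORDER
              if v in server_versions and v in client_versions]
    if not common:
        return None                      # no shared protocol version
    version = common[-1]
    ordered, other = ((server_ciphers, client_ciphers) if server_prefers
                      else (client_ciphers, server_ciphers))
    for cipher in ordered:
        if cipher in other:
            return version, cipher
    return None                          # no shared cipher suite


# Constructed server policies: one that still accepts old SSL and an
# MD5/RC4 suite, and one tightened to TLS 1.1+ with modern suites only.
PERMISSIVE_SERVER = {"versions": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
                     "ciphers": ["RC4-MD5", "AES128-SHA",
                                 "ECDHE-RSA-AES256-GCM-SHA384"]}
HARDENED_SERVER = {"versions": ["TLSv1.1", "TLSv1.2"],
                   "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384",
                               "ECDHE-RSA-AES128-SHA256"]}

# Constructed clients: an old one and a current one.
LEGACY_CLIENT = {"versions": ["SSLv3", "TLSv1"],
                 "ciphers": ["RC4-MD5", "AES128-SHA"]}
MODERN_CLIENT = {"versions": ["TLSv1", "TLSv1.1", "TLSv1.2"],
                 "ciphers": ["AES128-SHA", "ECDHE-RSA-AES128-SHA256",
                             "ECDHE-RSA-AES256-GCM-SHA384"]}


def run(server, client, server_prefers=True):
    return negotiate(server["versions"], server["ciphers"],
                     client["versions"], client["ciphers"], server_prefers)


if __name__ == "__main__":
    print(run(PERMISSIVE_SERVER, LEGACY_CLIENT))
    print(run(HARDENED_SERVER, LEGACY_CLIENT))
    print(run(HARDENED_SERVER, MODERN_CLIENT))
    print(run(PERMISSIVE_SERVER, MODERN_CLIENT, server_prefers=False))
```

The last call shows why server-side cipher preference matters: with the client choosing, the permissive server ends up on a weaker suite even though both sides support a better one.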
Maybe time to upgrade 12.04 to 14.04? (12.04 is EOL.)
True, but it seems risky. Maybe just transfer my site to a new VPS running Debian.
You should listen to @angstroem. Keep in mind that it's virtually always the -implementation- and not the algorithm that's vulnerable and gets broken.
Translation: You should definitely absolutely use an OS that (still) has updates and patches available!
Plus you have the advantage anyway that Ubuntu and Debian are similar enough that the transfer to a new (current Debian) VPS should be relatively painless. So DO IT!
Wow, great news from Google. Many SSL providers will be happy.