Currently Viewing Posts Tagged SSL

Firefox always show Performing TLS Handshake

During the last two weeks, my Firefox has been getting slower and slower. It is Windows 10, with Firefox 67 or an earlier version.

When I enter an HTTPS web site URL into the address bar, it takes a long time to load the page. Sometimes it ends in a timeout error.

Down in the lower-left corner of the Firefox window, there is a small grey box that tells you what it is doing or waiting for.

The problem is getting worse. More web sites that I could open before now end in a timeout error.

The message on the status bar is “Performing a TLS handshake”.

What’s going on?

Based on my knowledge, a TLS handshake is very fast, normally less than 1 second.

SSL Certificate Checker

After installing the SSL certificate on the Nginx web server, you need to check if it is installed correctly.

I installed the SSL certificate, a Sectigo ECC certificate, two months ago.

Now I have changed the certificate files.

Previously, I put the site SSL certificate file content and the SSL bundle file together. The final SSL certificate file is 4.36 KB. It includes three certificates. The guide is from the Comodo official site. The Sectigo site has a similar guide here.

Now I remove the last one and keep just the site certificate and the intermediate one. The total size is 3.01 KB.

The certificate I deleted from the old file is the one for the USERTrust ECC Certification Authority. It is already included in the trusted root CA list.

Then, I tested the new certificate file, which has only two certificates, on different online SSL checking tools.

Geocerts SSL checking Result


Renew the SSL Certificate for Yinfor.com

I just renewed the SSL certificate. The cheapest DV SSL certificate I found is from GoGetSSL.com.

I paid by PayPal. The price is very good: US$7.90 for two years for a Comodo PositiveSSL.

After I installed the certificate on my blog, I checked it by clicking the lock icon in the address bar. It is not shown as Comodo, but Sectigo.

Look at the old certificate.

Details of certificates


How to get a perfect SSL Labs score

It is easy to get an A+ for your website. But it is a little bit harder to make all four parts, Certificate, Protocol Support, Key Exchange, and Cipher Strength, score 100%.

Most of the time, I get an A+ rating for my site. For the individual scores, the last two are 90%.

Let me break it down.

Certificate

It is pretty easy to get 100% here.

  • Make sure your certificate, the intermediate certificate, and the CA certificate are in the correct order.
  • Don’t use SHA1 for the signature algorithm. Use SHA256 instead. Actually, all major CAs use SHA256 now.
  • Use a trusted CA. Do not use WoSign or StartCom.

Protocol Support

  • SSL 2.0 0%
  • SSL 3.0 80%
  • TLS 1.0 90%
  • TLS 1.1 95%
  • TLS 1.2 100%

So it is best to just use TLS 1.2.

Key Exchange

Generate strong DHE (Ephemeral Diffie-Hellman) parameters.

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

That is not enough. Add the following to the Nginx settings.

ssl_ecdh_curve secp384r1;

Cipher Strength

  • 0 bits (no encryption) 0%
  • < 128 bits (e.g., 40, 56) 20%
  • < 256 bits (e.g., 128, 168) 80%
  • >= 256 bits (e.g., 256) 100%

So I just use 256-bit cipher suites.

Here is a test site I tried today, 2018-08-11. It is A+ with four 100% scores.

Here is the most important part of the Nginx config file. I put it all together.

ssl_certificate /etc/nginx/ssl/whovpn.com/fullchain;
ssl_certificate_key /etc/nginx/ssl/whovpn.com/key;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384';
ssl_prefer_server_ciphers on;

ssl_ecdh_curve secp384r1;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/nginx/ssl/whovpn.com/fullchain;

resolver 8.8.8.8;
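As an added example (my own code, not from the post or from SSL Labs), this Python script expands an nginx ssl_ciphers value with the local OpenSSL and scores it, together with an ssl_protocols value, against the Protocol Support and Cipher Strength tables above. It assumes Python 3.6+ for SSLContext.get_ciphers(), and the rule that the weakest enabled protocol or suite decides each category is my simplification, not SSL Labs' exact formula.

```python
import ssl

# Per-protocol scores as listed in the post (nginx ssl_protocols token -> score)
PROTOCOL_SCORES = {"SSLv2": 0, "SSLv3": 80, "TLSv1": 90, "TLSv1.1": 95, "TLSv1.2": 100}


def cipher_strength_score(bits):
    """Map a suite's symmetric key size to the post's Cipher Strength bucket."""
    if bits <= 0:
        return 0
    if bits < 128:
        return 20
    if bits < 256:
        return 80
    return 100


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string (the value of nginx ssl_ciphers) with the
    local OpenSSL and score every TLS 1.2 suite it enables.
    Returns a list of (name, strength_bits, score) in cipher-list order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    rows = []
    for c in ctx.get_ciphers():
        # OpenSSL 1.1.1+ also lists TLS 1.3 suites here; ssl_ciphers does not
        # control those, so they are left out of this TLS 1.2 audit.
        if c["protocol"] != "TLSv1.2":
            continue
        rows.append((c["name"], c["strength_bits"], cipher_strength_score(c["strength_bits"])))
    return rows


def audit_nginx_tls(ssl_protocols, ssl_ciphers):
    """Score Protocol Support and Cipher Strength for an nginx ssl_protocols
    value (e.g. "TLSv1 TLSv1.1 TLSv1.2") and ssl_ciphers value.
    Assumption (not SSL Labs' exact formula): the weakest enabled item decides."""
    protocols = ssl_protocols.split()
    unknown = [p for p in protocols if p not in PROTOCOL_SCORES]
    if unknown:
        raise ValueError("no score in the post's table for: " + ", ".join(unknown))
    suites = audit_cipher_string(ssl_ciphers)
    return {
        "protocol_support": min(PROTOCOL_SCORES[p] for p in protocols),
        "cipher_strength": min(s[2] for s in suites) if suites else 0,
        "weak_suites": [s[0] for s in suites if s[2] < 100],
    }
```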

5 Free SSL Tools You Must Try in 2016

It is 2016, and your website must be SSL encrypted. Now you have questions: how about my server, and how about my SSL installation? Here is the answer. You must try these five free tools to test, check, and analyse your HTTPS website.

No.1 SSLShopper

It is an SSL checker. Enter the server hostname and click the Check SSL button. It gives you brief results, including server type, certificate CA, expiration date, etc.

LINK: https://www.sslshopper.com/ssl-checker.html

No.2 Symantec CryptoReport

It is a powerful tool with a good design. The result is more detailed, and it is the only one that can tell you how many certificates are installed. Look below: the report said I have RSA and ECC certificates installed.

The report has the following information:

  • Certificate is installed correctly.
  • Certificate chain installation part.
  • Server configuration (server type, IP, port, protocols, cipher suites, etc.)

LINK: https://cryptoreport.websecurity.symantec.com/checker/


Add my Blog to HSTS preload list

Now my Blog, David Yin Blog, is HTTPS encrypted. It is also HSTS enabled. And most recently, it is HSTS preload enabled.

This has three layers of meaning.

  1. https support.
  2. HSTS enabled.
  3. HSTS preload enabled.

Let me explain them one by one.

First, add HTTPS support. I did this step in Feb. 2016, when I announced that SSL was added. I recorded how I got the SSL certificate and installed it on the Nginx web server.

After that, all content sent back and forth between my Blog and its audience is encrypted. Even the ISP cannot read the content from the data traffic.

Second, I added HSTS to the Nginx configuration to make it more secure.

What is HSTS?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.
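As an added example (my own code, not from the post), here is a Python check of a Strict-Transport-Security value against the header requirements of the hstspreload.org submission form as I know them: a max-age of at least one year, includeSubDomains, and preload. Those three requirements are my assumption, not something quoted from the post.

```python
import re

# Header requirements of the hstspreload.org form (assumption, not from the post):
# max-age of at least one year (in seconds), includeSubDomains, and preload.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of directives.
    Directive names are case-insensitive (RFC 6797); values keep their case."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_problems(header_value):
    """Return the reasons this header value would be rejected for preloading;
    an empty list means the header side of the requirements is satisfied."""
    d = parse_hsts(header_value)
    problems = []
    if "max-age" not in d or not re.fullmatch(r"\d+", d["max-age"]):
        problems.append("max-age missing or not a number")
    elif int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year (%s < %d)" % (d["max-age"], PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems
```

Run it on the 6-month value from the Nginx snippet above (max-age=15768000) and it reports all three problems; max-age=31536000; includeSubDomains; preload passes.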


How to make the SSL site 100 in all four fields of SSLLAB Server Test

Now, a lot of web sites are adding SSL for security purposes.

Take my site here; the SSL Report is below.

It is A+. The score is great. When I look at it closely, there are four parts, and three of them are not 100%.

Can I make it all 100?

I used a test site to do my research and try to make it 100.

OK. Let me show you why and how to do it.


SSL added

To provide higher security and better privacy protection, I added an SSL certificate to my Blog, here.

When you enter the URL of my blog, http://www.yinfor.com/, it will redirect you to the SSL version, https://www.yinfor.com/

The certificate was purchased from gogetssl.com, a three-year Comodo PositiveSSL certificate.

The latest price is $13.15/3years.

Look at the Comodo Secure lock; it is a site seal.


City of Burnaby Web Site SSL issue was fixed

When I wrote my last post about the SSL issue on the Burnaby City website, I tweeted @cityofburnaby. They replied to me on the second day.

The official account of CityofBurnaby said the information has been forwarded to their IT team for review.

I thought my job was done. As a resident of Burnaby, I just have a duty to help make our city aware of the issue.

Two days after that, @cityofburnaby sent me another notice saying their IT team had applied the needed fix. The error is now resolved for the Chrome browser on cell phones.


Web site of Burnaby City has SSL error

It is an error. When I entered the URL of Burnaby City Hall in the Chrome browser on my cellphone, it displayed an error.

There was a red line crossing out the https. It said: Your connection is not private. Attackers might be trying to steal your information from www.burnaby.ca.

NET::ERR_CERT_AUTHORITY_INVALID

It is OK when I browse the site on a desktop. It looks normal.

I used the SSL Labs server test tool to check the certificate installation.

The report said it has a certificate chain issue: a missing intermediate certificate.