During last two weeks, my firefox getting slower and slower. It is Windows 10, with Firefox 67 or early version.
When I enter an HTTPS web site URL into the address bar, it took a lot of time to load the page. Sometimes it is timeout error.
Down in the lower-left corner of the Firefox window, there is a small grey box that tells you what is doing or waiting.
The problem is getting worse. More web sites I was OK to open, now are time out error.
The message on the status bar is “Performing a TLS handshake”.
What’s going on.
Based on my knowledge, TLS handshake is very fast, normally less 1 second. Continue reading “Firefox always show Performing TLS Handshake”
It is easy to get an A+ on your website. But it is a little bit hard to make a 4 parts, Certificate, Protocol Support, Key Exchange, and Cipher Strength, to be 100%.
Most of time, I got A+ rating of my site. For individual scores, the last two are 90%.
Let me break down.
It is preaty easy to get 100% here.
- Make sure your certificate and intermediate certificate and CA are in the correct order.
- Don’t use SHA1 for the signature algorithm. Use SHA256 instead. Actually all main CA are using SHA256 now.
- Use a trusted CA. Do not use WoSign, StartCom.
- SSL 2.0 0%
- SSL 3.0 80%
- TLS 1.0 90%
- TLS 1.1 95%
- TLS 1.2 100%
So it is best to just use TLS 1.2.
Make a strong DHE (Ephemeral Diffie-Hellman) paramaaters.
openssldhparam -out /etc/nginx/ssl/dhparam.pem 4096
It is not enough. Add following into Nginx settings.
- 0 bits (no encryption) 0%
- < 128 bits (e.g., 40, 56) 20%
- < 256 bits (e.g., 128, 168) 80%
- >= 256 bits (e.g., 256) 100%
So I just use 256 bit cipher suites.
Here is a test site, I tried it today, 2018-08-11. It is A+ with four 100% scores.
Here is the most important part of Nginx config file. I put them all together.
# modern configuration. tweak to your needs.
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
## verify chain of trust of OCSP response using Root CA and Intermediate certs
Server Name Indication is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.
The most import reason to have this extension is to allow a server to present multiple SSL web site, or multiple certificates on the same IP address and TCP port number. So one IP address can serve more than one HTTPS web sites.
This extension insert the host name in the very first request sending from client Hello header. The standard TLS will send host name after handshaking.
Continue reading “Server Name Indication (SNI)”
As we always disable SSLv2 in Apache. Now it is SSLv3 turn. The recent news about the SSL 3 vulnerability is so important that I have to disable it as well.
So just modify the ssl.conf of Apache
[ssh]SSLProtocol All -SSLv2 -SSLv3[/ssh]
The web site still has TLS 1.0, TLS 1.1 and TLS 1.2. For most of the browser working on the users computer, TLS is good enough. The only exception is IE 6.0 on Windows XP.
I am not worrying about it. Just forget the users who are still using IE 6.
Refer to Security Labs article.