Currently Viewing Posts Tagged tls

Firefox always show Performing TLS Handshake

During last two weeks, my firefox getting slower and slower. It is Windows 10, with Firefox 67 or early version.

When I enter an HTTPS web site URL into the address bar, it took a lot of time to load the page. Sometimes it is timeout error.

Down in the lower-left corner of the Firefox window, there is a small grey box that tells you what is doing or waiting.

The problem is getting worse. More web sites I was OK to open, now are time out error.

The message on the status bar is “Performing a TLS handshake”.

What’s going on.

Based on my knowledge, TLS handshake is very fast, normally less 1 second. Continue reading “Firefox always show Performing TLS Handshake”

How to get a perfect SSL Labs score

It is easy to get an A+ on your website. But it is a little bit hard to make a 4 parts, Certificate, Protocol Support, Key Exchange, and Cipher Strength, to be 100%.

Most of time, I got A+ rating of my site. For individual scores, the last two are 90%.

Let me break down.

Certificate

It is preaty easy to get 100% here.

  • Make sure your certificate and intermediate certificate and CA are in the correct order.
  • Don’t use SHA1 for the signature algorithm. Use SHA256 instead. Actually all main CA are using SHA256 now.
  • Use a trusted CA. Do not use WoSign, StartCom.

Protocol Support

  • SSL 2.0 0%
  • SSL 3.0 80%
  • TLS 1.0 90%
  • TLS 1.1 95%
  • TLS 1.2 100%

So it is best to just use TLS 1.2.

 

Key Exchange

Make a strong DHE (Ephemeral Diffie-Hellman) paramaaters.

openssldhparam -out /etc/nginx/ssl/dhparam.pem 4096

It is not enough. Add following into Nginx settings.

ssl_ecdh_curve secp384r1;

Cipher Strength

  • 0 bits (no encryption) 0%
  • < 128 bits (e.g., 40, 56) 20%
  • < 256 bits (e.g., 128, 168) 80%
  • >= 256 bits (e.g., 256) 100%

So I just use 256 bit cipher suites.

 

Here is a test site, I tried it today, 2018-08-11. It is A+ with four 100% scores.

Here is the most important part of Nginx config file. I put them all together.

ssl_certificate /etc/nginx/ssl/whovpn.com/fullchain;
ssl_certificate_key /etc/nginx/ssl/whovpn.com/key;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384';
ssl_prefer_server_ciphers on;

ssl_ecdh_curve secp384r1;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

 

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/nginx/ssl/whovpn.com/fullchain;

resolver 8.8.8.8;

Server Name Indication (SNI)

Server Name Indication is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.

The most import reason to have this extension is to allow a server to present multiple SSL web site, or multiple certificates on the same IP address and TCP port number. So one IP address can serve more than one HTTPS web sites.

This extension insert the host name in the very first request sending from client Hello header. The standard TLS will send host name after handshaking.

TLS handshake using SNI

Continue reading “Server Name Indication (SNI)”

Disable SSLv2 and SSLv3 in Apache

As we always disable SSLv2 in Apache. Now it is SSLv3 turn. The recent news about the SSL 3 vulnerability is so important that I have to disable it as well.

So just modify the ssl.conf of Apache

[ssh]SSLProtocol All -SSLv2 -SSLv3[/ssh]

The web site still has TLS 1.0, TLS 1.1 and TLS 1.2. For most of the browser working on the users computer, TLS is good enough. The only exception is IE 6.0 on Windows XP.

I am not worrying about it. Just forget the users who are still using IE 6.

ie6-disable

Refer to Security Labs article.

 

  • Archives