http://localhost:8080/trac/ticket/409 <p> There are some issues that are highlighted here: </p> <blockquote class="citation"> <p> Overall Rating: F Zero </p> <p> Chain issues Incorrect order </p> <p> This server is vulnerable to the BEAST attack (more info <a class="ext-link" href="https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls"><span class="icon">​</span>https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls</a> ) </p> </blockquote> <p> <a class="ext-link" href="https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org"><span class="icon">​</span>https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org</a> </p> <p> That should be fixed on both servers and the documentation should be updated to match: </p> <ul><li><a class="ext-link" href="https://tech.transitionnetwork.org/trac/wiki/NewLiveServer#HTTPS"><span class="icon">​</span>https://tech.transitionnetwork.org/trac/wiki/NewLiveServer#HTTPS</a> </li><li><a class="ext-link" href="https://tech.transitionnetwork.org/trac/wiki/SecurityInfo"><span class="icon">​</span>https://tech.transitionnetwork.org/trac/wiki/SecurityInfo</a> </li><li><a class="ext-link" href="https://wiki.transitionnetwork.org/Security"><span class="icon">​</span>https://wiki.transitionnetwork.org/Security</a> </li></ul> en-us /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/ticket/409 Trac 0.12.5 chris Mon, 30 Apr 2012 13:16:32 GMT http://localhost:8080/trac/ticket/409#comment:1 http://localhost:8080/trac/ticket/409#comment:1 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>1.0</em> </li> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> <li><strong>totalhours</strong> changed from <em>0.0</em> to <em>1.0</em> </li> </ul> <p> On quince this apache config: </p> <pre class="wiki">SSLCipherSuite HIGH </pre><p> Was changed to the following for all virtual servers: </p> <pre class="wiki">SSLHonorCipherOrder On SSLCipherSuite RC4-SHA:HIGH:!ADH:!SSLv2:!aNULL </pre><p> And the gandi intermediate cert was recreated: </p> <pre class="wiki">wget http://crt.gandi.net/GandiStandardSSLCA.crt -O GandiStandardSSLCA.crt wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt -O UTNAddTrustServer_CA.crt wget http://crt.usertrust.com/AddTrustExternalCARoot.crt -O AddTrustExternalCARoot.crt openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem cat GandiStandardSSLCA.pem &gt; gandi.pem cat UTNAddTrustServer_CA.pem &gt;&gt; gandi.pem cat AddTrustExternalCARoot.pem &gt;&gt; gandi.pem </pre><p> And the docs updated, <a class="wiki" href="http://localhost:8080/trac/wiki/NewLiveServer#HTTPS">wiki:NewLiveServer#HTTPS</a> </p> <p> For kiwi, this nginx configuration: </p> <pre class="wiki">ssl_protocols SSLv3 TLSv1; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; ssl_prefer_server_ciphers on; </pre><p> Was updated to: </p> <pre class="wiki">ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers RC4-SHA:HIGH:!ADH:!SSLv2:!aNULL; ssl_prefer_server_ciphers on; </pre><p> The nginx chained cert was recreated: </p> <pre class="wiki">cd /etc/ssl/transitionnetwork.org wget http://crt.gandi.net/GandiStandardSSLCA.crt -O GandiStandardSSLCA.crt wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt -O UTNAddTrustServer_CA.crt wget http://crt.usertrust.com/AddTrustExternalCARoot.crt -O AddTrustExternalCARoot.crt openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem cat transitionnetwork.org.crt &gt; transitionnetwork.org.chained.pem cat GandiStandardSSLCA.pem &gt;&gt; transitionnetwork.org.chained.pem cat UTNAddTrustServer_CA.pem &gt;&gt; transitionnetwork.org.chained.pem cat AddTrustExternalCARoot.pem &gt;&gt; transitionnetwork.org.chained.pem </pre><p> And now kiwi also scores a A: <a class="ext-link" href="https://www.ssllabs.com/ssltest/analyze.html?d=kiwi%2etransitionnetwork%2eorg&amp;s=81%2e95%2e52%2e78"><span class="icon">​</span>https://www.ssllabs.com/ssltest/analyze.html?d=kiwi%2etransitionnetwork%2eorg&amp;s=81%2e95%2e52%2e78</a> </p> <p> And the notes here have been updated <a class="wiki" href="http://localhost:8080/trac/wiki/SecurityInfo">wiki:SecurityInfo</a> </p> Ticket