gnupg website

Glenn Rempe glenn at rempe.us
Thu Jan 26 19:48:28 CET 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Werner, you (or anyone setting up a web server themselves really)
might also find this config generator from Mozilla helpful as a
shortcut in creating what is considered a modern web server config for
TLS.

https://mozilla.github.io/server-side-tls/ssl-config-generator/

https://wiki.mozilla.org/Security/Server_Side_TLS

This config may not apply to gnupg.org directly since its not clear
what web server you are running. In any case it will tell you which
suites you are recommended to support for modern(ish) browsers.

I would also note that there is room for improvement regarding the
security headers the gnupg.org sends with its content.

https://securityheaders.io/?q=gnupg.org&followRedirects=on

You are using HSTS, which is generally very good, but in this case it
forcibly breaks users experience since it requires me to connect with
TLS but that is not possible since you are not advertising a TLS suite
that shares common ground with my browser (or millions of other
potential visitors).

Cheers.

On 1/26/17 3:49 AM, Andrew Gallagher wrote:
> On 26/01/17 00:16, Andrew Gallagher wrote:
>> 
>> gnupg.org *does* keep 3DES at the end of the supported suites,
>> so surely it should not be affected. I'm tempted to write this
>> off as a mistake by ssllabs.
> 
> I've spoken to ssllabs and it appears that this was an ambiguity
> in the wording of their blog post. That means the downgrade to C
> next month is legit - not because 3DES is present, but because 3DES
> is present *and* GCM is absent.
> 
> What both this and Glenn's Apple issue have in common is the lack 
> of ECDHE+GCM suites in the cipher list. I generally use the 
> following config in Apache:
> 
> SSLCipherSuite \ "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM 
> EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 
> EECDH+aRSA+SHA256 \ EECDH EDH+AESGCM EDH+aRSA +3DES 3DES \ !aNULL 
> !eNULL !LOW !EXP !MD5 !KRB5 !PSK !SRP !DSS !SEED !RC4"
> 
> This uses all HIGH suites in a sensible order but still falls back 
> to 3DES for XP compatibility. When retiring 3DES this simplifies 
> to:
> 
> SSLCipherSuite \ "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM 
> EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 
> EECDH+aRSA+SHA256 \ EECDH EDH+AESGCM EDH+aRSA !MEDIUM !LOW !aNULL 
> !eNULL !PSK"
> 
> Andrew.
> 
> 
> 
> _______________________________________________ Gnupg-users
> mailing list Gnupg-users at gnupg.org 
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHYo11lajUTmaOI4vCiVDbdRDnGwFAliKRHYACgkQCiVDbdRD
nGz5xg/7BITjIZlPTQ3dmTmbFx5/griGFF0gRD7oDelH7Diytqc2moQLJU0DfynZ
JBDlOkLIidzhSYQMR6ce/wzq/McV/fEuHhKsDTxDtSgU0tGe02xwg4MXCopP3OB9
6iO0zw8VwysDz+H4TDvx+/8CqwUeOBk+oRDZybZgH3xgBDVc8YsuWSCQVZJZdDEG
JEnolJeWz+fS28FFkqN+hEcmqOT0Cxo1fRXClM1hOBRCl4BxPrE5WeFYag3YT6/a
Y33GXA6+v+5lcC2il5vQY4Y1Obdn3kYK9E/aRs2gRSmEVX7rQ8lbuPRpz3WVLqFp
sUZ3BEvdXSjWPAG65xKopsaD+PnKpkzIKTcjQLy+3dx08A8l5V4wDSpjd9M86I7c
h32vByUjYq/l5rVztP8ZOkW3tq6ParyVw22VyjJGcj0LlyBnAbgcrCbw2ZsVFFnr
72Q8lfMrK8B+2YHyVz68CM54K29OAsm459OdzCcN8MXUSp33ck2TYoJxhsT+qWR6
1N2y1kb+Noq6ewYktUCwUHwwLLIoOCa3UiF1lMTpziq/rNjz0sIcvpg1ml7GymO7
8/lqxX5OyEMVACXbVQkNtwhVMagih1CWPgwZHCZWiVk/2BS85sYou0kvsxZByW44
0vRWRAbgcMWPw7viD7gVY8SksmqGblJfogKTqD382Wjp/gk1FvM=
=P0Vg
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list