[sword-devel] Qualys SSL Labs server test rating was: Re: Firefox 44.0.2 and self-signed certs

DM Smith dmsmith at crosswire.org
Sat Feb 20 09:59:31 MST 2016


Jaak,

Take a look now.

I’ve upgraded the HTTP server to avoid SSLv3 and RC4. Had to explicitly add TLS 1.0. And specifically added support for TLS 1.1 and 1.2. That means we have limited support for Windows XP users. If we have problems I may need to add SSLv3 and RC4 back in as a fallback for them.

The only thing keeping us from A+ is HSTS.

DM

> On Feb 15, 2016, at 4:14 PM, DM Smith <dmsmith at crosswire.org> wrote:
> 
> I tried to fix this the other day, and will shortly. But the server locked up twice in that day. So I’ve backed out my changes (a one-liner for this issue) and am doing them one at a time. I hope to have that solved within a week.
> 
> In Him,
> 	DM
> 
>> On Feb 15, 2016, at 3:44 PM, Jaak Ristioja <jaak at ristioja.ee> wrote:
>> 
>> The Qualys SSL Labs SSL Server test gives crosswire.org a C rating
>> mainly due to supporting SSLv3 and the RC4 cipher.
>> 
>> https://www.ssllabs.com/ssltest/analyze.html?d=crosswire.org&hideResults=on
>> 
>> Blessings,
>> Jaak
>> 
>> On 15.02.2016 20:11, DM Smith wrote:
>>> Went with LetsEncrypt. It should be proper for the entire crosswire.org
>>> web. If you see a problem or have a question, let
>>> me know.
>>> 
>>> In Him,
>>> DM Smith
>>> 
>>>> On Feb 12, 2016, at 5:30 PM, Matěj Cepl <mcepl at cepl.eu> wrote:
>>>> 
>>>> On 2016-02-12, 19:28 GMT, David Haslam wrote:
>>>>> Even so, this is the way browsers are moving!
>>>>> 
>>>>> The sooner we can move away from self signed the better.
>>>> 
>>>> Certainly, I see two ways out:
>>>> 
>>>>   * https://letsencrypt.org/ … I have never tried it, so
>>>>     I am not sure how difficult it really is, but it is
>>>>     supposed to be the free way to get a working and
>>>>     supported certificate for a website
>>>> 
>>>>   * I personally use a certificate from
>>>>     https://www.startssl.com/ For me the price is US$60/two-year
>>>>     certificate, not sure whether the company would be
>>>>     willing to give some discount for a non-profit/religious
>>>>     organization, or we would be satisfied with the free
>>>>     certificate (one domain only, no wildcard).
>>>> 
>>>> Best,
>>>> 
>>>> Matěj
>>>> 
>>>> -- 
>>>> https://matej.ceplovi.cz/blog/, Jabber: mcepl at ceplovi.cz
>>>> GPG Finger: 89EF 4BC6 288A BF43 1BAB  25C3 E09F EF25 D964 84AC
>>>> 
>>>> [...] a superior pilot uses his superior judgment to avoid having to
>>>> exercise his superior skill.
>>>> --
>>>> http://www.jwz.org/blog/2009/09/that-duct-tape-silliness/#comment-10653
>>>> 
>>>> 
>>>> _______________________________________________
>>>> sword-devel mailing list: sword-devel at crosswire.org
>>>> http://www.crosswire.org/mailman/listinfo/sword-devel
>>>> Instructions to unsubscribe/change your settings at above page

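The three items discussed in this thread (SSLv3 still accepted, RC4 still accepted, no HSTS header) can be checked mechanically against scan results. The following Python is an added example, not code from the thread or from CrossWire; the function names, the (protocol, cipher) input shape and the sample scan data are assumptions constructed for illustration, and the findings are not SSL Labs grades.

```python
import re

# Protocols and cipher families the thread removes from the server.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("RC4",)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue                      # tolerate empty directives (";;")
        if name in directives:
            return None                   # a directive may appear only once
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                       # max-age is required and numeric
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def audit(offered, headers):
    """offered: (protocol, cipher) pairs the server accepted; headers: dict."""
    findings = []
    for proto in sorted({p for p, _ in offered} & WEAK_PROTOCOLS):
        findings.append(f"protocol {proto} still accepted")
    for proto, cipher in offered:
        if any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher {cipher} accepted over {proto}")
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif (policy := parse_hsts(hsts)) is None:
        findings.append("malformed Strict-Transport-Security header")
    elif policy["max_age"] == 0:
        findings.append("HSTS max-age=0 tells browsers to drop the policy")
    return findings

# Constructed scan results (not taken from crosswire.org).
BEFORE = [("SSLv3", "TLS_RSA_WITH_RC4_128_SHA"),
          ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")]
AFTER = [("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),
         ("TLSv1.1", "TLS_RSA_WITH_AES_128_CBC_SHA"),
         ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")]

if __name__ == "__main__":
    for label, scan in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(scan, {}))
```

With the constructed "after" data the only remaining finding is the missing HSTS header, which matches the state described in the top message.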