[BlueOnyx:21851] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

Lew Berry LCBerry at LCBConsulting.net
Wed Mar 14 10:59:59 -05 2018 

Hi Michael,
Been a while since I've put my 2¢ in and this mostly for the benefit of Ken, Chris, and the other hosting guys.
In having to answer to the overlords at FINRA, NCUA, PCI, etc. I routinely harden Exchange servers using tools from our friends at Qualys and SSL Labs for private companies. When I decided to lock down the server I use to host Exchange for several smaller companies to get that A+ it broke every version of Outlook prior to 2013 including the Mac clients. I ended up having to enable AES_128 SHA256 in TLS 1.1 in order to make 2010 version work again and SHA 128 in TLS 1.0 to make 2007 work (but, even this will still get you an A). 
I know all of this doesn't translate into the world of BX but bottom line is that while hardening web servers you're still going to have users who need to get mail securely (well semi-securely) using old and in some cases ancient devices and clients. Just gotta be careful how many you run over in the process of locking things down.

Lew Berry, MCSE, MCT, CSSA
LCB Consulting Inc.

-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael Stauber
Sent: Wednesday, March 14, 2018 3:49 AM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:21849] Re: https://www.ssllabs.com/ssltest/analyze.html actual only B rating for blueonyx Server with ssl

Hi Dirk,

> This are the CipherSuits which are actually active at the 5209R Servers:
> 
> SSLCipherSuite HIGH:!LOW:!MEDIUM:!DH:!ADH:!EXP:!SSLv2:!SSLv3:!aNULL:!eNULL:!NULL:!EXPORT:!ADH:!IDEA:!ECDSA:!3DES:!DES:!MD5:!PSK:!RC4:!SHA:
> 
> -> unfortunately no PFS
> Are this the SSLCipherSuite you set in the Scripts for adding SSL Support to a site or is this not the actual value?

I think these might indeed be the problem. I'll publish an update that introduces a more sensible SSLCipherSuite to fix this issue on 5209R.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx

More information about the Blueonyx mailing list