[BlueOnyx:22955] Re: BlueOnyx 5210R TLSv1.3 support

Ralf Quint pcworxla at gmail.com
Tue Jun 18 21:50:35 -05 2019


On 6/18/2019 6:56 PM, Michael Stauber wrote:
> Hi all,
>
> I'm currently locking down the SSL protocols and ciphers for BlueOnyx
> 5210R in Apache and Nginx.
>
> The good news is: TLSv1.3 does indeed work with the Apache 2.4.35 that
> ships with RHEL8. They must have backported the missing elements from
> Apache 2.4.36, which officially is the first version of Apache where
> TLSv1.3 ought to work. The included OpenSSL-1.1.1 is also (barely) good
> enough for TLSv1.3.
>
> Below is a preliminary SSL-Labs check for HTTPS on 5210R with the stock
> Apache 2.4.35:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=5210r.smd.net&hideResults=on
>
> The result for the included Nginx SSL proxy is identical except for one
> minor detail: Under TLSv1.3 the CHACHA20_POLY1305 cipher is in 2nd place
> and not in first place.
>
> Question:
> ==========
>
> As you can see in the URL above, the following browsers are no longer
> supported:
>
> - IE 11 / Win Phone 8.1
> - Safari 6 / iOS 6.0.1
> - Safari 7 / iOS 7.1
> - Safari 7 / OS X 10.9
> - Safari 8 / iOS 8.4
> - Safari 8 / OS X 10.10
>
> The best available cipher that these support would be this:
>
> 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>
> And that uses the "weak" CBC mechanism, which we might want to avoid.
>
> Does anyone have objections for no longer supporting these older
> browsers via HTTPS? Or do we still need to drag them along?
>
Don't care about Safari, but unfortunately, there still might be people 
using IE11 because they hate or can't use Edge because of some corporate 
ActiveX controls they might be using and that don't work on Edge.

Ralf
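A small check for the CBC-or-not decision discussed in the thread, added here as an example and not code from the thread or from BlueOnyx: it expands a strict AEAD-only OpenSSL cipher string and a legacy-compatible one (the strict list plus ECDHE-RSA-AES256-SHA384, the OpenSSL name for TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) through the local OpenSSL and reports which enabled suites are CBC, which is worth running before pasting a string into SSLCipherSuite or ssl_ciphers. The two cipher lists are assumptions for illustration, not BlueOnyx's actual settings.

```python
import ssl

# Assumed policies (not BlueOnyx's own). OpenSSL names, TLS 1.2 and below only:
# OpenSSL does not select TLS 1.3 suites via these strings, and all TLS 1.3
# suites are AEAD anyway. IANA -> OpenSSL mapping used here:
#   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 -> ECDHE-RSA-AES256-SHA384
STRICT_AEAD_ONLY = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)
# Same list plus the single CBC suite the legacy browsers need, appended last
# so it is only negotiated when the client offers nothing better.
LEGACY_COMPAT = STRICT_AEAD_ONLY + ":ECDHE-RSA-AES256-SHA384"


def is_aead(description: str) -> bool:
    """Classify one line of `openssl ciphers -v` style output.

    AEAD suites (GCM, CHACHA20-POLY1305) are reported with 'Mac=AEAD';
    CBC suites carry a separate MAC such as 'Mac=SHA384'.
    """
    return "Mac=AEAD" in description


def expand(cipher_string: str):
    """Return [(name, is_aead)] for the TLS<=1.2 suites the local OpenSSL
    enables for this string, in server preference order.

    Raises ssl.SSLError if the string enables no suite at all, which is the
    same failure Apache or Nginx would hit at startup.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], is_aead(c["description"]))
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cbc_suites(cipher_string: str):
    """Names of the non-AEAD (CBC) suites a cipher string would enable."""
    return [name for name, aead in expand(cipher_string) if not aead]


if __name__ == "__main__":
    for label, policy in (("strict", STRICT_AEAD_ONLY), ("legacy", LEGACY_COMPAT)):
        enabled = expand(policy)
        print(f"{label}: {len(enabled)} suites, CBC: {cbc_suites(policy) or 'none'}")
```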





