[BlueOnyx:22959] Re: BlueOnyx 5210R TLSv1.3 support

Meaulnes Legler @ MailList bluelist at waveweb.ch
Wed Jun 19 10:19:20 -05 2019


for me too, running mostly Macs from OSX 10.11 (El Capitan with Safari 11) to OSX 10.14 (Mojave with Safari 12.1), sometimes Windoof 7 and 10 with IE 11, I don't have problems logging into a BlueOnyx 5209R.

is BlueOnyx 5219R available yet?

Best regards

_⌢_  Meaulnes Legler
'¿') Zurich, Switzerland.
`-´  +41¦0 44 260-1660


On 19.06.19 03:56, Michael Stauber wrote:
> Hi all,
> 
> I'm currently locking down the SSL protocols and ciphers for BlueOnyx
> 5210R in Apache and Nginx.
> 
> The good news is: TLSv1.3 does indeed work with the Apache 2.4.35 that
> ships with RHEL8. They must have backported the missing elements from
> Apache 2.4.36, which officially is the first version of Apache where
> TLSv1.3 ought to work. The included OpenSSL-1.1.1 is also (barely) good
> enough for TLSv1.3.
> 
> Below is a preliminary SSL-Labs check for HTTPS on 5210R with the stock
> Apache 2.4.35:
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=5210r.smd.net&hideResults=on
> 
> The result for the included Nginx SSL proxy is identical except for one
> minor detail: Under TLSv1.3 the CHACHA20_POLY1305 cipher is in 2nd place
> and not in first place.
> 
> Question:
> ==========
> 
> As you can see in the URL above, the following browsers are no longer
> supported:
> 
> - IE 11 / Win Phone 8.1
> - Safari 6 / iOS 6.0.1
> - Safari 7 / iOS 7.1
> - Safari 7 / OS X 10.9
> - Safari 8 / iOS 8.4
> - Safari 8 / OS X 10.10
> 
> The best available cipher that these support would be this:
> 
> 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> 
> And that uses the "weak" CBC mechanism, which we might want to avoid.
> 
> Does anyone have objections for no longer supporting these older
> browsers via HTTPS? Or do we still need to drag them along?
> 
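Added example, not part of the thread and not BlueOnyx's own configuration: a Python check that lists any non-AEAD (CBC) suites an OpenSSL cipher string would enable for a TLS 1.2+ server, so a lockdown like the one discussed above can be verified before it ships. The `AEAD_ONLY` cipher string and the function names are assumptions made for illustration.

```python
import ssl

# OpenSSL's name for TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, the suite named in the thread.
LEGACY_CBC_SUITE = "ECDHE-RSA-AES256-SHA384"
# Constructed sample cipher string (an assumption, not the 5210R setting).
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"


def enabled_suites(cipher_string):
    """Return the suites a server context offers for this OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; TLS 1.3 suites stay enabled
    # and are reported by get_ciphers() as well. Raises ssl.SSLError if the
    # string selects nothing.
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def is_aead(suite):
    """True for AEAD suites (GCM, ChaCha20-Poly1305), False for CBC+HMAC suites."""
    # Fall back to OpenSSL's description text if the 'aead' key is missing.
    return suite.get("aead", "Mac=AEAD" in suite["description"])


def non_aead_suites(cipher_string):
    """Names of enabled suites that are not AEAD, i.e. the ones to review."""
    return [s["name"] for s in enabled_suites(cipher_string) if not is_aead(s)]


def protocols_offered(cipher_string):
    """Protocol versions that the enabled suites belong to."""
    return sorted({s["protocol"] for s in enabled_suites(cipher_string)})


if __name__ == "__main__":
    for label, spec in (("legacy", LEGACY_CBC_SUITE), ("aead-only", AEAD_ONLY)):
        flagged = non_aead_suites(spec)
        print(f"{label}: protocols={protocols_offered(spec)} non-AEAD={flagged or 'none'}")
```
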




