Hello Hubski, you might want to fix your SSL certificates

a thoughtful web.

Good ideas and conversation. No ads, no tracking. Login or Take a Tour!

Hello Hubski, you might want to fix your SSL certificates · 2

guy · 3240 days ago

I threw hubski.com into ssllabs and noticed that the score was very low, server is vulnerable for poodle attacks! Those have been around for quite some time and that shouldn't be.

tweet · print · htmlmarkup tips · 0

mk · 3240 days ago · link ·

Thanks. It's on the short list.

I never liked how people make their hair into balls like that.

+discuss+discuss

–

ccc · 3194 days ago · link ·

You can get above C by disabling SSLv3 and maybe above B if you fix the ciphers, and other than that you just have to make a new cert signed with SHA2. Actually the intermediate cert is weak too so I dunno. Maybe a different CA. StartSSL is good. Free.

Here's my config (nginx) that gets me A+ (along with a strong cert):

  ssl_prefer_server_ciphers On;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout 10m;