comment by mk
mk  ·  3489 days ago  ·  post: Hello Hubski, you might want to fix your SSL certificates

Thanks. It's on the short list.

I never liked how people make their hair into balls like that.





ccc  ·  3444 days ago

You can get above C by disabling SSLv3 and maybe above B if you fix the ciphers, and other than that you just have to make a new cert signed with SHA2. Actually the intermediate cert is weak too so I dunno. Maybe a different CA. StartSSL is good. Free.

Here's my config (nginx) that gets me A+ (along with a strong cert):

  ssl_prefer_server_ciphers On;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout 10m;
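
An added example, not part of ccc's comment or of Hubski's own configuration: a Python script that audits nginx `ssl_*` directives for the two config-side points raised above, SSLv3 and cipher choice. The `WEAK` token list, the function names and the second sample config are assumptions constructed for illustration.

```python
import re

# Tokens this example treats as weak when a cipher term enables them
# (an assumption of the example, not a list taken from the thread).
WEAK = {"RC4", "MD5", "DES", "EXPORT", "NULL", "eNULL", "aNULL"}

def directives(conf):
    """Return {name: [args]} for single-line ssl_* directives."""
    found = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;#]+);", conf, re.M):
        found[m.group(1)] = m.group(2).split()
    return found

def audit(conf):
    """List findings for SSLv3, server cipher preference and weak cipher terms."""
    d, findings = directives(conf), []
    protocols = d.get("ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols unset: the nginx default applies, check it")
    else:
        for p in protocols:
            if p in ("SSLv2", "SSLv3"):
                findings.append(f"ssl_protocols enables {p}")
    # nginx matches on/off case-insensitively, so "On" counts as on.
    if [a.lower() for a in d.get("ssl_prefer_server_ciphers", [])] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    for term in "".join(d.get("ssl_ciphers", [])).split(":"):
        if not term or term[0] in "!-":   # "!" and "-" remove ciphers
            continue
        for token in term.lstrip("+").split("+"):   # "+" inside a term means AND
            if token in WEAK:
                findings.append(f"ssl_ciphers term {term!r} enables {token}")
    return findings

# The directives posted in the comment above.
POSTED = """
  ssl_prefer_server_ciphers On;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
"""
# Constructed counter-example with SSLv3 and RC4 left enabled.
WEAK_SAMPLE = """
  ssl_protocols SSLv3 TLSv1;
  ssl_ciphers RC4:HIGH:!aNULL;
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("constructed", WEAK_SAMPLE)):
        print(name, audit(conf) or "no findings")
```

The script only reads the server configuration; the certificate's signature algorithm, the other point in the comment, has to be checked on the certificate itself.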