| Index | Recent Threads | Unanswered Threads | Who's Active | Guidelines | Search |
 |
World Community Grid Forums
Category: Support
Forum: Website Support
Thread: Obsolete SSL settings on worldcommunitygrid.org |
| No member browsing this thread |
|
Thread Status: Active Total posts in this thread: 3
|
|
| Author |
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
Hi,
I'd like to point out that the website secure.worldcommunitygrid.org uses obsolete SSL configuration, in detail: - support only for TLS 1.0, no support for modern TLS 1.1 and TLS 1.2 - server supports only older cipher suites TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA Newer cipher suites with Perfect Forward Security should be supported as well: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA - the certificate expires in two week, the new one should ideally use SHA256 hash algorithm instead of the current SHA1. - optionally only https should be allowed with no http fallback, ideally with HTTP Strict Transport Security enabled Note these cipher suites are supported in latest OpenSSL, no special requirements are needed for deploying these suites on your server. The current cipher suites should be kept for backward compatibility at the end of server supported list. For details please check this test result: https://www.ssllabs.com/ssltest/analyze.html?d=worldcommunitygrid.org |
||
|
|
knreed
Former World Community Grid Tech Joined: Nov 8, 2004 Post Count: 4504 Status: Offline Project Badges: 
|
Necroman,
We are in the process of fixing a number of those. Feel free to read the following thread: https://secure.worldcommunitygrid.org/forums/wcg/viewthread_thread,38190 The new certificates addresses most of the issue in the Authentication section. However, one of the Thawte certificates still uses sha1 in the chain so that warning will remain. We are developing a plan to upgrade some of our core middleware including the web server. Upgrading the web server will resolve issues around TLS and supporting newer cipher suites. - Kevin |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
Hi,
quick update. So far the SSL settings has not been changed. I'd recommend at least changing the order of current supported cipher suites. Currently the top, preferred one is TLS_RSA_WITH_3DES_EDE_CBC_SHA which is by far the slowest, about 12x slower than AES-128-CBC-SHA cipher suite! Current modern AES-128-GCM-SHA256 is abobut 30% faster than AES-128-CBC-SHA. By switching the order to this could result in much better performance of the website TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA |
||
|
|
|