TIL: if you want TLS downgrade protection, you MUST only use one of the DHE or ECDH key exchange algorithms. Others like DH_RSA do not sign the random bytes in Hello messages used to prevent TLS downgrade attacks.
mozilla.github.io/server-side-tl is useful for generating a sane set of ciphers by using the Modern configuration with recent software versions configured.
DHE isn't used for other reasons, so Modern only uses ECDHE. ECDHE / DHE are needed for forward secrecy, which is quite important.
ssllabs.com/ssltest/ is useful for testing the configuration too. I also always set up HSTS with preloading, CAA + DNSSEC, Expect-CT in enforce mode and OCSP stapling. I don't use Must-Staple yet since the Apache / nginx implementation doesn't have reliable persistent caching.
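The point of the thread (signed ephemeral key exchange, i.e. ECDHE/DHE only, as Mozilla's Modern profile does) as an added example that is not from the tweet authors or from Mozilla's generator: a Python audit that classifies OpenSSL cipher-suite names by key-exchange family, flags anything that is not ECDHE/DHE (or TLS 1.3), and then checks what an `ssl.SSLContext` would actually offer via `SSLContext.get_ciphers()`, both by name and by OpenSSL's own `kea` field. Function names, the cipher string in `pfs_server_context()` and the sample suite names are my own assumptions.

```python
"""Audit OpenSSL cipher suites for signed ephemeral key exchange (forward secrecy).

Added example for this thread, not code from the thread's authors or from the
Mozilla generator. Assumes CPython's `ssl` module on OpenSSL 1.1.1+ (needed for
`SSLContext.get_ciphers()`) and OpenSSL's cipher-suite naming conventions.
"""
import ssl

# Key-exchange families where the server signs its ephemeral share (and, via the
# signed ServerKeyExchange, both Hello randoms), plus TLS 1.3 where key exchange
# is always ephemeral and authenticated. Static DH/ECDH, RSA key transport,
# anonymous (ADH/AECDH) and PSK/SRP variants are deliberately excluded.
ACCEPTABLE_KX = {"ECDHE", "DHE", "TLS13"}

# Explicit key-exchange prefixes that appear in OpenSSL suite names.
KX_PREFIXES = {"ECDHE", "DHE", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP", "RSA"}

# `kea` values reported by SSLContext.get_ciphers() for the same families;
# "kx-any" is what OpenSSL reports for TLS 1.3 suites.
ACCEPTABLE_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}


def classify(name: str) -> str:
    """Return the key-exchange family implied by an OpenSSL cipher-suite name."""
    if name.startswith("TLS_"):
        # TLS 1.3 names carry no key exchange, e.g. TLS_AES_128_GCM_SHA256
        return "TLS13"
    parts = name.split("-")
    head = "DHE" if parts[0] == "EDH" else parts[0]   # EDH-RSA-DES-CBC3-SHA is DHE
    if head not in KX_PREFIXES:
        # No prefix means RSA key transport, e.g. AES128-GCM-SHA256
        return "RSA"
    if len(parts) > 1 and parts[1] == "PSK":
        # ECDHE-PSK-..., DHE-PSK-..., RSA-PSK-...: ephemeral but not signed
        return head + "-PSK"
    return head


def audit_names(names):
    """Return [(name, kx)] for every suite whose key exchange is not signed ephemeral."""
    flagged = []
    for name in names:
        kx = classify(name)
        if kx not in ACCEPTABLE_KX:
            flagged.append((name, kx))
    return flagged


def audit_context_by_name(ctx: ssl.SSLContext):
    """Name-based audit of the suites a context would actually offer or accept."""
    return audit_names(c["name"] for c in ctx.get_ciphers())


def audit_context_by_kea(ctx: ssl.SSLContext):
    """Same audit, but trusting OpenSSL's own key-exchange classification."""
    return [(c["name"], c["kea"]) for c in ctx.get_ciphers()
            if c["kea"] not in ACCEPTABLE_KEA]


def pfs_server_context() -> ssl.SSLContext:
    """Server context restricted to ECDHE/DHE AEAD suites for TLS 1.2, plus TLS 1.3.

    The cipher string is illustrative (an assumption in the spirit of the Mozilla
    profiles), not copied from the generator. TLS 1.3 suites are not affected by
    set_ciphers() and are always ephemeral, so they stay enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5")
    return ctx


if __name__ == "__main__":
    default = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("default context, suites without signed ephemeral key exchange:")
    for name, kx in audit_context_by_name(default):
        print(f"  {name:<32} kx={kx}")
    print("hardened context:", audit_context_by_name(pfs_server_context()) or "clean")
```

Run it against whatever context your application actually builds rather than the defaults. One caveat for the name-based audit: OpenSSL 1.1.0 and later no longer ship the static DH_RSA / ECDH_RSA suites the original tweet mentions, so on a current build the flagged entries are mostly RSA key-transport suites (names with no key-exchange prefix); static suites can still turn up when you feed in names from a scanner report or from an older peer, which is why `classify()` handles them.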