TIL: if you want TLS downgrade protection, you MUST only use one of the DHE or ECDH key exchange algorithms. Others like DH_RSA do not sign the random bytes in Hello messages used to prevent TLS downgrade attacks.
mozilla.github.io/server-side-tl is useful for generating a sane set of ciphers by using the Modern configuration with recent software versions configured.
DHE isn't used for other reasons so Modern only uses ECDHE. ECDHE / DHE are needed for forward secrecy which is quite important.
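The point made in the thread (only ephemeral (EC)DHE key exchange gives forward secrecy; RSA key transport and static DH/ECDH suites do not) can be turned into a simple audit of whatever cipher list a TLS stack actually enables. This is an added example, not code from the thread or from the Mozilla generator: it uses the `kea` field that Python's `ssl.SSLContext.get_ciphers()` reports for each suite (`kx-ecdhe`, `kx-dhe`, `kx-rsa`, `kx-ecdh`, and `kx-any` for TLS 1.3 suites, which are ephemeral by protocol design). The sample records and the `ECDHE+AESGCM:ECDHE+CHACHA20` cipher string are constructed for the example.

```python
"""Audit a TLS cipher list for forward-secret key exchange (added example)."""
import ssl

# Key-exchange labels as reported by ssl.SSLContext.get_ciphers() in its "kea" field.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe"}
# TLS 1.3 suites report "kx-any": the protocol itself only permits ephemeral (EC)DH.
TLS13_KEA = "kx-any"


def is_forward_secret(cipher: dict) -> bool:
    """True if the suite's key exchange is ephemeral (forward secret)."""
    kea = cipher.get("kea")
    if cipher.get("protocol") == "TLSv1.3" and kea == TLS13_KEA:
        return True
    return kea in FORWARD_SECRET_KEA


def audit_ciphers(ciphers):
    """Split a get_ciphers()-style list into (accepted, rejected) suite names."""
    accepted, rejected = [], []
    for c in ciphers:
        (accepted if is_forward_secret(c) else rejected).append(c["name"])
    return accepted, rejected


def modern_context() -> ssl.SSLContext:
    """Server context restricted to ECDHE suites for TLS 1.2; TLS 1.3 suites stay enabled.

    The cipher string is a constructed example of an ECDHE-only policy, not
    Mozilla's exact generator output.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


# Constructed sample records in the shape get_ciphers() returns (only the fields used here).
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any", "auth": "auth-any"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "auth": "auth-rsa"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-dhe", "auth": "auth-rsa"},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-rsa", "auth": "auth-rsa"},  # RSA key transport
    {"name": "ECDH-RSA-AES128-SHA", "protocol": "TLSv1", "kea": "kx-ecdh", "auth": "auth-rsa"},  # static ECDH
]

if __name__ == "__main__":
    accepted, rejected = audit_ciphers(SAMPLE_CIPHERS)
    print("forward secret:", accepted)
    print("rejected:      ", rejected)
    # Audit the suites the local OpenSSL actually enables under the ECDHE-only policy.
    live_ok, live_bad = audit_ciphers(modern_context().get_ciphers())
    print(f"modern context: {len(live_ok)} forward-secret suites, {len(live_bad)} rejected")
```

Running the script against the constructed list accepts the TLS 1.3, ECDHE and DHE suites and rejects the RSA-key-transport and static-ECDH ones; the last two lines apply the same audit to the suites the local OpenSSL enables under the ECDHE-only policy, which is the check worth repeating whenever the cipher string or the OpenSSL version changes.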
ssllabs.com/ssltest/ is useful for testing the configuration too. I also always set up HSTS with preloading, CAA + DNSSEC, Expect-CT in enforce mode and OCSP stapling. I don't use Must-Staple yet since the Apache / nginx implementation doesn't have reliable persistent caching.
I use HPKP with a conservative approach (i.e. without strict leaf key rotation) too:
gist.github.com/thestinger/0b2
The rationale is restricting trust to Let's Encrypt, while being able to get certificates issued with a variety of backup pins if those pins become unusable too fast.
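The HSTS-with-preload, Expect-CT enforce and HPKP-with-backup-pins settings described in the two replies above can be checked mechanically before they are deployed. The following validator is an added example, not code from the thread or from the linked gist: it parses the three response-header values and reports what a strict deployment would want. The one-year `max-age` and the `includeSubDomains`/`preload` requirements are the hstspreload.org submission rules; the "at least two pins" rule is the backup-pin practice the reply describes; all header values and pin strings are constructed placeholders.

```python
"""Check Strict-Transport-Security, Expect-CT and Public-Key-Pins values (added example)."""
import re

ONE_YEAR = 31_536_000  # hstspreload.org requires max-age of at least one year
# RFC 7469 pins: base64 of a 32-byte SPKI SHA-256 hash (43 chars plus one '=' pad)
PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]{43}=)"')


def parse_directives(value: str) -> dict:
    """Split 'a=1; b; c=2' (HSTS/HPKP) or 'a=1, b' (Expect-CT) into a dict.

    Bare directives map to True; repeated directives keep their first value.
    """
    out = {}
    for part in re.split(r"[;,]", value):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out.setdefault(name.strip().lower(), val.strip().strip('"') or True)
    return out


def check_hsts(value: str) -> list:
    """Return the problems that would block a preload-list submission."""
    d = parse_directives(value)
    problems = []
    try:
        if int(d.get("max-age", -1)) < ONE_YEAR:
            problems.append("max-age missing or below one year")
    except ValueError:
        problems.append("max-age not an integer")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def check_expect_ct(value: str) -> list:
    """Expect-CT without 'enforce' is report-only and does not block bad certificates."""
    d = parse_directives(value)
    problems = []
    if "enforce" not in d:
        problems.append("report-only: enforce directive missing")
    if "max-age" not in d:
        problems.append("missing max-age")
    return problems


def check_hpkp(value: str) -> list:
    """HPKP needs max-age and at least two distinct pins (active key plus a backup)."""
    pins = PIN_RE.findall(value)
    d = parse_directives(value)
    problems = []
    if len(pins) < 2:
        problems.append("fewer than two pins: no backup pin")
    if len(set(pins)) != len(pins):
        problems.append("duplicate pin")
    if "max-age" not in d:
        problems.append("missing max-age")
    return problems


def audit_headers(headers: dict) -> dict:
    """Map each of the three headers (matched case-insensitively) to its problem list."""
    checks = {
        "strict-transport-security": check_hsts,
        "expect-ct": check_expect_ct,
        "public-key-pins": check_hpkp,
    }
    lower = {k.lower(): v for k, v in headers.items()}
    return {name: (fn(lower[name]) if name in lower else ["header absent"])
            for name, fn in checks.items()}


# Constructed placeholder pins (real pins are base64 SPKI hashes of the CA or leaf keys).
PIN_A = "A" * 43 + "="
PIN_B = "B" * 43 + "="

# Constructed sample response headers for a strict deployment.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Expect-CT": "max-age=86400, enforce",
    "Public-Key-Pins": f'pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; max-age=5184000; includeSubDomains',
}

if __name__ == "__main__":
    for header, problems in audit_headers(SAMPLE_HEADERS).items():
        print(f"{header}: {'ok' if not problems else ', '.join(problems)}")
    print("weak HSTS:", check_hsts("max-age=300"))
    print("single-pin HPKP:", check_hpkp(f'pin-sha256="{PIN_A}"; max-age=5184000'))
```

The checks are deliberately conservative: an Expect-CT value without `enforce` or an HPKP value with only one pin passes a syntax check but does not deliver the protection the replies rely on, so both are reported as problems rather than silently accepted.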
Sadly, Google is phasing out HPKP and others are likely to follow. I'll still set it even if all mainstream browsers drop it since at least it communicates intent. CAA isn't retroactive so it doesn't do much. Can still use TLS pinning in apps either way:
github.com/AndroidHardeni