Join the community today
Become a Member

Beta Branch add tools/switch-nginx-ciphers.sh in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, May 11, 2021.

  1. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    add tools/switch-nginx-ciphers.sh in 123.09beta01

    - add new tools/switch-nginx-ciphers.sh script in preparation of updating 123.09beta01 and higher Nginx default HTTPS configuration to stronger intermediate Mozilla recommendations outlined at Mozilla SSL Configuration Generator for the following directives: ssl_ciphers, ssl_prefer_server_ciphers, ssl_session_tickets and ssl_dhparam to use ffdhe3072 recommended version. There is no need to modifying ssl_protocols directive as ssl_ciphers chosen will ultimately determine which ssl_protocols are available. When ssl_ciphers switch to Mozilla intermediate recommendations, only TLSv1.2 and TLSv1.3 are supported.
    - Future 123.09beta01 update with switch to default Mozilla intermediate recommendations. For now the new tools/switch-nginx-ciphers.sh script will allow folks to do that on a per vhost basis or in bulk for all Nginx HTTPS vhosts before the subsequent updates and/or also allow folks to switch between Mozilla intermediate recommendations or switch back to previous Centmin Mod 'old-defaults' to expand ssl_ciphers to support deprecated TLSv1.0 and TLSv1.1 as well as TLSv1.2 and TLSv1.3
    - new tool also has inbuilt testssl.sh support drwetter/testssl.sh via testssl command option
    - To update run cmupdate command
    - Note, if you have Cloudflare or a CDN proxy in front of Centmin Mod Nginx server then these changes won't have any impact on your visitors only for the connection from Cloudflare/CDN edge server to your Centmin Mod Nginx server.

    Usage options available for switch-nginx-ciphers.sh

    Code (Text):
    ./switch-nginx-ciphers.sh
    
    Usage:
    
    ./switch-nginx-ciphers.sh intermediate-bulk
    ./switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    ./switch-nginx-ciphers.sh old-default-bulk
    ./switch-nginx-ciphers.sh old-default /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    ./switch-nginx-ciphers.sh testssl domain.com:443


    Continue reading...

    123.09beta01 branch


     
  2. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Thanks to @Mr. Jinx reminder, Centmin Mod 123.09beta01's default Nginx HTTPS settings need updating to more secure configuration as outlined by Mozilla's intermediate SSL configuration recommendations. I've added a new tools/switch-nginx-ciphers.sh script to prepare folks who want to switch/revert to the new recommendations before official 123.09beta01's Nginx HTTPS templates get updated later on.

    You can switch to the new intermediate Nginx HTTPS recommendations on a per Nginx vhost basis by passing the Nginx vhost's HTTPS/SSL confg file on command line option for intermediate
    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/test.com.ssl.conf

    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    
    switched off: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   off;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    
    Reloading nginx configuration (via systemctl):             [  OK  ]
    

    You can also switch back to previous defaults using old-default option and pass Nginx HTTPS vhost config file path
    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh old-default /usr/local/nginx/conf/conf.d/test.com.ssl.conf

    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh old-default /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    
    switched on: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   on;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    
    Reloading nginx configuration (via systemctl):             [  OK  ]
    

    Or you can use the equivalent bulk commands to switch all Nginx HTTPS vhosts to intermediate or old-default settings.

    Intermediate
    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate-bulk

    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate-bulk
    
    ------------------------------------------
    switch /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    ------------------------------------------
    
    switched off: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   off;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    
    ------------------------------------------
    switch /usr/local/nginx/conf/conf.d/test2.com.ssl.conf
    ------------------------------------------
    
    switched off: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   off;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test2.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    

    Old default
    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh old-default-bulk

    Code (Text):
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh old-default-bulk
    
    ------------------------------------------
    switch /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    ------------------------------------------
    
    switched on: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   on;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    
    ------------------------------------------
    switch /usr/local/nginx/conf/conf.d/test2.com.ssl.conf
    ------------------------------------------
    
    switched on: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   on;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace: /usr/local/nginx/conf/ssl/test2.com/dhparam.pem
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    
     
  3. Andy

    Andy Active Member

    540
    88
    28
    Aug 6, 2014
    Ratings:
    +131
    Local Time:
    3:52 PM
    Something doesn't seem to copy correctly
    Code:
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/quantnet.com.ssl.conf
    
    switched off: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   off;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace:
    cp: cannot create regular file ‘’: No such file or directory
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set: ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS;
    
    Reloading nginx configuration (via systemctl):             [  OK  ]
     
  4. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    does the dhparam.pem file at /usr/local/nginx/conf/ssl/dhparam.pem exist ?
    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/dhparam.pem

    and output for command
    Code (Text):
    awk '/^  ssl_dhparam/ {print $2}' /usr/local/nginx/conf/conf.d/quantnet.com.ssl.conf
    

    and for
    Code (Text):
    grep ssl_dhparam /usr/local/nginx/conf/conf.d/quantnet.com.ssl.conf
     
    Last edited: May 12, 2021
  5. Andy

    Andy Active Member

    540
    88
    28
    Aug 6, 2014
    Ratings:
    +131
    Local Time:
    3:52 PM
    Code:
    # ls -lah /usr/local/nginx/conf/ssl/dhparam.pem
    -rw-r--r-- 1 root root 595 May 11 17:18 /usr/local/nginx/conf/ssl/dhparam.pem
    [18:27][root@main.quantnet.com ~]# awk '/^  ssl_dhparam/ {print $2}' /usr/local/nginx/conf/conf.d/quantnet.com.ssl.conf
    [18:27][root@main.quantnet.com ~]# grep ssl_dhparam /usr/local/nginx/conf/conf.d/quantnet.com.ssl.conf
    The last 2 doesn't return anything.
     
  6. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Ok just updated 123.09beta01 with the fix so run cmupdate and try again :)
     
  7. Andy

    Andy Active Member

    540
    88
    28
    Aug 6, 2014
    Ratings:
    +131
    Local Time:
    3:52 PM
    You seem to still refer to the test.com domain in your script
    Code:
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/quantnet.com.ssl.conf
    
    switched off: ssl_prefer_server_ciphers
    set:   ssl_prefer_server_ciphers   off;
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    grep: /usr/local/nginx/conf/conf.d/test.com.ssl.conf: No such file or directory
    skip replacement for: ssl_dhparam file
    
    switched off ssl_session_tickets
    set:   ssl_session_tickets off;
    
    switched ssl_ciphers
    set:   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    
    Reloading nginx configuration (via systemctl):             [  OK  ]
     
  8. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    whoops. Fixed now, just run cmupdate :)
     
  9. Andy

    Andy Active Member

    540
    88
    28
    Aug 6, 2014
    Ratings:
    +131
    Local Time:
    3:52 PM
    IT works now but it doesn't seem to switch to the new cipher suite as the test still says I'm using affected suite
    Website test: www.quantnet.com
     
  10. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  11. Andy

    Andy Active Member

    540
    88
    28
    Aug 6, 2014
    Ratings:
    +131
    Local Time:
    3:52 PM
    Yes, I don't know why SSLLabs gave A+ why the other site says mine has issue with cipher, etc.
     
  12. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Both sites have a cached result somethings that needs clearing on their web pages.
     
  13. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    FYI, it's also why I added a local option in switch-nginx-ciphers.sh script to run testssl against your domains to check in realtime i.e. for your site testing the non-301 redirect domain would be
    Code (Text):
    ./switch-nginx-ciphers.sh testssl quantnet.com:443

    output
    Code (Text):
    ./switch-nginx-ciphers.sh testssl quantnet.com:443
    testssl.sh --nodns=min --wide -p -c -f -E -S -P --quiet https://quantnet.com:443
    
     Start 2021-05-12 15:52:48        -->> 209.222.101.10:443 (quantnet.com) <<--
    
     rDNS (209.222.101.10):  (instructed to minimize DNS queries)
     Service detected:       HTTP
    
    
     Testing protocols via sockets except NPN+ALPN
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      not offered
     TLS 1.1    not offered
     TLS 1.2    offered (OK)
     TLS 1.3    offered (OK): final
     NPN/SPDY   h2, http/1.1 (advertised)
     ALPN/HTTP2 h2, http/1.1 (offered)
    
     Testing server's cipher preferences
    
     Has server cipher order?     no (NOT ok) -- only for TLS 1.3
     Negotiated protocol          TLSv1.3
     Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
     Cipher per protocol
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
    -----------------------------------------------------------------------------------------------------------------------------
    SSLv2
     -
    SSLv3
     -
    TLSv1
     -
    TLSv1.1
     -
    TLSv1.2 (no server order, thus listed by strength)
     xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384           
     x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384             
     xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 521   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256     
     xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 521   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256           
     x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256             
    TLSv1.3 (server order)
     x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                           
     x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                     
     x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                           
    
    
     Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
    
     FS is offered (OK) , ciphers follow (client/browser support is important here)
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
    -----------------------------------------------------------------------------------------------------------------------------
     x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                           
     x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                     
     xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384           
     x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384             
     xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 521   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256     
     x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                           
     xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 521   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256           
     x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    

    though I think I should re-enable ssl_prefer_server_ciphers instead of disabling it. So will do that in next update later in a few minutes
     
    Last edited: May 13, 2021
  14. Mr. Jinx

    Mr. Jinx New Member

    29
    8
    3
    Apr 18, 2021
    Ratings:
    +15
    Local Time:
    10:52 PM
    Yep, should be enabled.
     
  15. Andy

    Andy Active Member

    540
    88
    28
    Aug 6, 2014
    Ratings:
    +131
    Local Time:
    3:52 PM
    I rerun your latest script and it seem to re enable the cipher suite.
    Reran the test on Website test: quantnet.com and it seems to fix the cipher order issue.
    Now the only remaining complaint is about Key exchange. I thought the script moved it to 3047 but it still show 2048?
    Your web server supports insufficiently secure parameters for Diffie-Hellman key exchange.
    DH-2048 insufficient
     
  16. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    what's the output from the commands below
    Code (Text):
    cmupdate
    /usr/local/src/centminmod/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/quantnet.com.ssl.conf
    

    and
    Code (Text):
    grep ssl_dhparam /usr/local/nginx/conf/conf.d/quantnet.com.ssl.conf
    

    and
    Code (Text):
    grep ssl_dhparam /usr/local/nginx/conf/ssl/quantnet.com/quantnet.com.crt.key.conf
    

    last one I suspect is why as Letsencrypt SSL config sets ssl_dhparam file in a different file at /usr/local/nginx/conf/ssl/quantnet.com/quantnet.com.crt.key.conf. So will need another update to account for that. Though they both should reference the same dhparam file
     
  17. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Updated tools/switch-nginx-ciphers.sh to take into account letsencrypt SSL nginx vhost config format properly. So run cmupdate and re-run the script
     
  18. Andy

    Andy Active Member

    540
    88
    28
    Aug 6, 2014
    Ratings:
    +131
    Local Time:
    3:52 PM
    Yes, letsencrypt is the culprit.
    Thanks for the fix.
     
  19. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,108
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,643
    Local Time:
    6:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Glad to hear :D
     
  20. happyhacking

    happyhacking Member

    111
    18
    18
    Apr 23, 2021
    Ratings:
    +61
    Local Time:
    3:52 PM
    1.22.0
    MariadDB 10.4.25
    Since TLS v1.3 is faster than TLS v1.2 at handshake, 0-RTT, is widely supported, more modern and secure, wouldnt be nice to add the "modern" and "modern-bulk" options to the switch-nginx-ciphers.sh tool/script supporting only TLS v1.3 protocols following the Mozilla's recommended configurations ?