Get the most out of your Centmin Mod LEMP stack
Become a Member

Another XF forum switching to centminmod?

Discussion in 'Introductions' started by Mr. Jinx, Apr 19, 2021.

  1. Mr. Jinx

    Mr. Jinx New Member

    23
    8
    3
    Apr 18, 2021
    Ratings:
    +14
    Local Time:
    5:19 PM
    Hello All,


    I am currently exploring centminmod and so far I like it :)
    Right now I am really playing with it, starting with a fresh VPS, installing centminmod, breaking things and re-installing. Just to get a feeling.

    I have been using Direct Admin for a long time and recently also tried Cyberpanel.
    DA is a great control panel. I'm not going to say anything bad about it. However, it is more focused on multi user hosting with lots of options. For my situation too much options.
    Still I think it is the best control panel. A mix between commandline and GUI. And the GUI is very light, fast and secure running it's own web server.

    While searching for alternatives I wanted to take a look at OpenLiteSpeed. This brought me to Cyberpanel. Played with it, but I saw some bugs and security related stuff I didn't like. Their community was not very active and the bugs I reported are still open. Nobody ever responded, so this was a no-go for me.

    Then I tried centminmod. Installed a test forum and saw that the php generation time of my (test) forum was twice as fast as my current hosting plan, out of the box! I also compared it to another clean DA install and Cyberpanel running on exact the same VPS setup. Still, CMM was the winner looking at pure speed.

    So that is interesting, but I'm afraid for all the extra work. Running my website on managed hosting, I don't have to think about anything but I also don't have any control.
    Or switching to CMM, more maintenance (I think), more control and more speed.
     
  2. rdan

    rdan Well-Known Member

    5,074
    1,251
    113
    May 25, 2014
    Ratings:
    +1,903
    Local Time:
    11:19 PM
    Mainline
    10.2
  3. eva2000

    eva2000 Administrator Staff Member

    47,181
    10,668
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,573
    Local Time:
    1:19 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    welcome @Mr. Jinx to Centmin Mod Community and Centmin Mod. Plenty of Xenforo owners running on Centmin Mod LEMP stack Xenforo - Centmin Mod LEMP powers ~10% of Xenforo's largest forums ! :)

    There are 6 steps to learning more about Centmin Mod ;) And to modifying config files and manage services more quickly, check out Centmin Mod Command Shortcuts. Recently relaunched official Centmin Mod Blog at https://blog.centminmod.com/ also have more advanced tips and tutorials as well :D

    Might also be interested in reading up on latest LEMP stack comparison benchmarks tagged here.

    You might want to try the 123.09beta01 build as it will be next stable release and well has alot of improvements if you check 2nd post change log at Beta Branch - Centmin Mod .09 beta branch Testing. And you can share your initial install times here.

    Threads you might want to participate in ;)

    Quick Tips


    Threads & Info To Bookmark



    Threads to read, pages to bookmark and threads to watch/subscribe to get to know Centmin Mod would include:

    Centmin Mod Insights Forum



    The Centmin Mod Insights forums digs deeper into the inner workings of Centmin Mod so some useful threads in this forum include:

    Security Related Developments



    A few security related developments you might be interested reading about

    Premium Membership


    Centmin Mod Donations



    You now can show your love and support for Centmin Mod via
     
  4. Rake-GH

    Rake-GH Premium Member Premium Member

    174
    89
    28
    Jul 29, 2019
    USA
    Ratings:
    +136
    Local Time:
    11:19 AM
    default
    default
    From my experience, once you get up and running with CMM, you really don't have to do much.

    My only work related to using CMM is, once a month I:
    • Backup everything locally (it auto backups every week)
    • Check the CMM forums for any important updates
    • Update everything & reboot
    • If website still loads, my job is done
    Doesn't take more than 20 minutes per month.

    My only problems I've had were user error because I did not understand nginx when I first started using CMM, but now that I've learned everything, it's been great. The CMM forum is filled with important information, anytime I have an issue I can usually find a solution in a few minutes.

    Yes it is more work and you have to learn more stuff, mostly all in the beginning, but I've really enjoyed it and once you've learned it, you're good to go. I think the most important thing is to learn nginx, because that's what you'll be playing with the most
     
  5. buik

    buik "Nobody who ever gave his best regretted it." Premium Member

    1,428
    388
    83
    Apr 29, 2016
    Flanders
    Ratings:
    +1,207
    Local Time:
    5:19 PM
    Don't be put off by ISP scaremongering.

    As long as you take care of backups, backups and more backups there is nothing to worry about.

    Before each centmin update (maintenance), take a snapshot and should issues arise.
    Then you simply put the snapshot back.

    As long as you keep current backups, you can basically switch to any form of hosting.
    According to your preference.
     
  6. Mr. Jinx

    Mr. Jinx New Member

    23
    8
    3
    Apr 18, 2021
    Ratings:
    +14
    Local Time:
    5:19 PM
    Thanks for the heads up. So far so good!
    Most work for now was adding the extra security measures:
    • Disabled all incoming ports, except 80/443
    • Changed SSH port and only allow it from my IP
    • Added a sudo user and disable root logins (centmin maintenance will still be done as root using sudo su -)
    • Added SSH keys and disabled password logins
    • Changed ssl_ciphers to intermediate
    • Change dhparam.pem to use ffdhe3072
    • Enabled IPv6
    I like this site to test some basic security stuff:
    Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.

    My site now scores 100%.
     
  7. Mr. Jinx

    Mr. Jinx New Member

    23
    8
    3
    Apr 18, 2021
    Ratings:
    +14
    Local Time:
    5:19 PM
    upload_2021-5-9_11-8-20.png
    This graph show the difference in loadtimes from my site. This is PRTG getting the index of my site, without external downloads.
    1. My site running on shared hosting. They promised containerization with reserved 3 cores and 4GB. However, as you can see, the speed was not that 'reserved'. Apache + PHP 8 + MariaDB 10.4 + Redis.
    2. Migrated to a 2 core 4GB VPS from UpCloud, running Centminmod default install with PHP 7.4 and MariaDB 10.3. The spikes you see come from reboots and maintenance I was doing. During this period I upgraded to PHP 8 with PGO and JIT enabled. I also enabled XF guest caching, which wouldn't work correctly on my previous host.
    3. The final rsult, after all the upgrades and tweaks, my site is running very nicely without spikes. Going from 200-350 msec to a constant 100msec load time.
     
  8. Andy

    Andy Premium Member Premium Member

    499
    79
    28
    Aug 6, 2014
    Ratings:
    +114
    Local Time:
    11:19 AM
    What is your site URL? Would be interested in learning how you get 100% score you mentioned in post #6.
     
  9. Mr. Jinx

    Mr. Jinx New Member

    23
    8
    3
    Apr 18, 2021
    Ratings:
    +14
    Local Time:
    5:19 PM
    This one: Website test: ziggoforum.nl
    Only one recommendation left regarding the Content Security Policy, but I haven't found a good policy that doesn't break the site (especially AMP).
     
  10. Andy

    Andy Premium Member Premium Member

    499
    79
    28
    Aug 6, 2014
    Ratings:
    +114
    Local Time:
    11:19 AM
    Yes, CSP is not easily implement right now.
    Can you share the cipher suites that you use in your nginx conf file?
     
  11. Mr. Jinx

    Mr. Jinx New Member

    23
    8
    3
    Apr 18, 2021
    Ratings:
    +14
    Local Time:
    5:19 PM
    This one:
    Code:
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    I got this list of ciphers from Mozilla using the intermediate configuration:
    Mozilla SSL Configuration Generator
     
  12. eva2000

    eva2000 Administrator Staff Member

    47,181
    10,668
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,573
    Local Time:
    1:19 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    FYI, if you use Cloudflare in front of Centmin Mod Nginx, then SSL cipher choices aren't really used by visitors and just Cloudflare edge servers which would already choose the best SSL ciphers that default Centmin Mod Nginx ssl_ciphers directive has set.
     
  13. Andy

    Andy Premium Member Premium Member

    499
    79
    28
    Aug 6, 2014
    Ratings:
    +114
    Local Time:
    11:19 AM
    Hum,
    I used your cipher suite and still got the error about key exchange parameters.
    Website test: quantnet.com

    @eva2000 any idea?
     
  14. Mr. Jinx

    Mr. Jinx New Member

    23
    8
    3
    Apr 18, 2021
    Ratings:
    +14
    Local Time:
    5:19 PM
    That is about the dhparam.pem file.
    They don't recommend a self generated one. Instead you can use ffdhe3072
     
  15. Andy

    Andy Premium Member Premium Member

    499
    79
    28
    Aug 6, 2014
    Ratings:
    +114
    Local Time:
    11:19 AM
    Oh, I used the Let's encrypt free SSL cert generator that came with centminmod.
    Is it something I can change?
     
  16. eva2000

    eva2000 Administrator Staff Member

    47,181
    10,668
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,573
    Local Time:
    1:19 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    I think it comes from this discussion Advise dynamic dh parameters instead of downloading from mozilla · Issue #60 · mozilla/ssl-config-generator if using Intermediate SSL cipher preferences with TLSv1.3 supported Nginx

    @Andy so you'd replace your dhparam.pem with their downloaded one if you modified SSL cipher preferences from Centmin Mod Nginx default to the intermediate profile

    so if you had
    Code (Text):
    ssl_dhparam /usr/local/nginx/conf/ssl/test.com/dhparam.pem;

    you'd change it to ffdhe2048.txt downloaded version via command
    Code (Text):
    curl https://ssl-config.mozilla.org/ffdhe2048.txt > /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    

    and only if you intend to create all future Nginx vhosts with intermediate SSL cipher preferences, also save the local copy template version which Centmin Mod saves when first creating a Nginx HTTPS/SSL vhost at /usr/local/nginx/conf/ssl/dhparam.pem which is then copied to new subsequent Nginx HTTPS/SSL vhosts to save time
    Code (Text):
    curl https://ssl-config.mozilla.org/ffdhe2048.txt > /usr/local/nginx/conf/ssl/dhparam.pem

    Note if you do not intend to modify each Nginx HTTPS/SSL vhost with intermediate SSL cipher preferences, then don't override /usr/local/nginx/conf/ssl/dhparam.pem
     
  17. Mr. Jinx

    Mr. Jinx New Member

    23
    8
    3
    Apr 18, 2021
    Ratings:
    +14
    Local Time:
    5:19 PM
  18. eva2000

    eva2000 Administrator Staff Member

    47,181
    10,668
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,573
    Local Time:
    1:19 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    I'd just use 2048bit, as you go higher performance for Nginx may suffer
     
  19. Mr. Jinx

    Mr. Jinx New Member

    23
    8
    3
    Apr 18, 2021
    Ratings:
    +14
    Local Time:
    5:19 PM
    Okay, but the question was how to comply the internet.nl test with a 100% score ;)
    You will need 3072 bit to pass the test fully, as 2048 was not sufficient (phase out, don't know why)
    I haven't noticed any performance hit on my site, thus I'm using this without any problems.
     
  20. eva2000

    eva2000 Administrator Staff Member

    47,181
    10,668
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,573
    Local Time:
    1:19 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Yeah the performance hit would be for DHE based key exchange requests only so depends on how ancient your visitor's browser/clients are as most would use ECDHE based key exchanges.

    I whipped up a quick script to switch between Centmin Mod 123.09beta01 default Nginx ssl_ciphers and dhparam and Mozilla's Intermediate ssl_ciphers and ffdhe 2048/3072 dhparam files.
    Code (Text):
    /root/tools/switch-nginx-ciphers.sh
    
    Usage:
    
    /root/tools/switch-nginx-ciphers.sh intermediate-bulk
    /root/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    /root/tools/switch-nginx-ciphers.sh default-bulk
    /root/tools/switch-nginx-ciphers.sh default /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    /root/tools/switch-nginx-ciphers.sh testssl domain.com:443
    


    for 2048bit
    Code (Text):
    /root/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    setup ffdhe2048 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched ssl_ciphers
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    

    for 3072bit
    Code (Text):
    /root/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched ssl_ciphers
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    

    Eventually will make it Centmin Mod Nginx default seeing as how many client browsers already phased out TLSv1.0 and TLSv1.1 limiting DHE usage to only Windows 7/8 IE11 itseems for testssl config test with self-sigend SSL
    Code (Text):
    /root/tools/switch-nginx-ciphers.sh testssl test.com:443
    
     Start 2021-05-10 19:42:58        -->> xxx.xxx.xxx.xxx:443 (test.com) <<--
    
     A record via:           /etc/hosts
     rDNS (xxx.xxx.xxx.xxx):   (instructed to minimize DNS queries)
     Service detected:       HTTP
    
    
     Testing protocols via sockets except NPN+ALPN
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      not offered
     TLS 1.1    not offered
     TLS 1.2    offered (OK)
     TLS 1.3    offered (OK): final
     NPN/SPDY   h2, http/1.1 (advertised)
     ALPN/HTTP2 h2, http/1.1 (offered)
    
     Testing server's cipher preferences
    
     Has server cipher order?     yes (OK) -- TLS 1.3 and below
     Negotiated protocol          TLSv1.3
     Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
     Cipher per protocol
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
    -----------------------------------------------------------------------------------------------------------------------------
    SSLv2
     -
    SSLv3
     -
    TLSv1
     -
    TLSv1.1
     -
    TLSv1.2 (server order)
     xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256            
     xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384            
     xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256      
     x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256              
     x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384              
    TLSv1.3 (server order)
     x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                            
     x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                      
     x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                            
    
    
     Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
    
     FS is offered (OK) , ciphers follow (client/browser support is important here)
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
    -----------------------------------------------------------------------------------------------------------------------------
     x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                            
     x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                      
     xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384            
     x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384              
     xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256      
     x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                            
     xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256            
     x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256              
    
     Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448
     DH group offered:            ffdhe2048
    
     Testing server defaults (Server Hello)
    
     TLS extensions (standard)    "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "next protocol/#13172" "supported versions/#43" "key share/#51"
                                  "supported_groups/#10" "max fragment length/#1" "application layer protocol negotiation/#16" "extended master secret/#23"
     Session Ticket RFC 5077 hint 3600 seconds, session tickets keys seems to be rotated < daily
     SSL Session ID support       yes
     Session Resumption           Tickets: yes, ID: yes
     TLS clock skew               Random values, no fingerprinting possible
     Client Authentication        none
     Signature Algorithm          SHA256 with RSA
     Server key size              RSA 2048 bits (exponent is 65537)
     Server key usage             Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
     Server extended key usage    --
     Serial / Fingerprints        DE3C5E3746D583EE / SHA1 2FE9A5F3C5996F76AA2EAE6232134EB423E1C04F
                                  SHA256 5CDB253933F17968786EB19C74E7B535F40DE9A63CD4B32D12D01943803C91C8
     Common Name (CN)             test.com  (CN in response to request w/o SNI: ffdhe.centminmod.com )
     subjectAltName (SAN)         test.com www.test.com
     Trust (hostname)             Ok via SAN and CN (SNI mandatory)
     Chain of trust               NOT ok (chain incomplete)
     EV cert (experimental)       no
     Certificate Validity (UTC)   36499 >= 60 days (2021-05-10 16:11 --> 2121-04-16 16:11)
                                  >= 10 years is way too long
     ETS/"eTLS", visibility info  not present
     Certificate Revocation List  --
     OCSP URI                     --
                                  NOT ok -- neither CRL nor OCSP URI provided
     OCSP stapling                not offered
     OCSP must staple extension   --
     DNS CAA RR (experimental)    (instructed to minimize DNS queries)
     Certificate Transparency     --
     Certificates provided        1
     Issuer                       test.com (test.com from US)
     Intermediate Bad OCSP (exp.) Ok
    
    
    
     Testing ciphers per protocol via OpenSSL plus sockets against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
    -----------------------------------------------------------------------------------------------------------------------------
    SSLv2
     -
    SSLv3
     -
    TLS 1
     -
    TLS 1.1
     -
    TLS 1.2
     xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384            
     x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384              
     xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256      
     xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256            
     x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256              
    TLS 1.3
     x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                            
     x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                      
     x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                            
    
     Running client simulations (HTTP) via sockets
    
     Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
    ------------------------------------------------------------------------------------------------
     Android 4.4.2                TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Android 5.0.0                TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Android 6.0                  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
     Android 9.0 (native)         TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Chrome 74 (Win 10)           TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Chrome 79 (Win 10)           TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Firefox 71 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     IE 6 XP                      No connection
     IE 8 Win 7                   No connection
     IE 8 XP                      No connection
     IE 11 Win 7                  TLSv1.2   DHE-RSA-AES128-GCM-SHA256         2048 bit DH  (ffdhe2048)
     IE 11 Win 8.1                TLSv1.2   DHE-RSA-AES128-GCM-SHA256         2048 bit DH  (ffdhe2048)
     IE 11 Win Phone 8.1          No connection
     IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
     Edge 17 (Win 10)             TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
     Opera 66 (Win 10)            TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Safari 9 iOS 9               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Safari 9 OS X 10.11          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Safari 10 OS X 10.12         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Apple ATS 9 iOS 9            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Java 6u45                    No connection
     Java 7u25                    No connection
     Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            256 bit ECDH (P-256)
     Java 12.0.1 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            256 bit ECDH (P-256)
     OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
     OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Thunderbird (68.3)           TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)