Get the most out of your Centmin Mod LEMP stack
Become a Member

Letsencrypt Gone from Bing Search Results after https

Discussion in 'Domains, DNS, Email & SSL Certificates' started by dorobo, Nov 2, 2016.

  1. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    6:19 PM
    latest
    latest
    I've finally decided to migrate my old domain from http to https via LE just hours ago and I noticed now that it's no longer on Bing.

    I've got an A+ on ssllabs but I read this on reddit

    So another link is - HTTPS: Which cipher suites does Bingbot support?

    and according to the ssllabs result, I match 3 ciphers in there

    Code (Text):
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS    128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS    256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS    128


    and I only need one

    Code:
    please ensure your site is configured to use at least one of the cipher suites called out below
    Do I need a paid SSL to solve this? I'll be googling some more but I just want to know what you guys think.
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,940
    6,913
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,409
    Local Time:
    8:19 PM
    Nginx 1.13.x
    MariaDB 5.5
    wow interesting forgot Bing crawler may use older ssl ciphers. So just a matter of adjusting your nginx ssl cipher preferences as far as I know

    so if you ssllab result matches 3 of them for bing, you should be fine

    as to why results gone from bing itself no idea, might need to wait for reindexing ?

    did you ensure to have 301 or 302 redirect from http to https ?
     
  3. eva2000

    eva2000 Administrator Staff Member

    30,940
    6,913
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,409
    Local Time:
    8:19 PM
    Nginx 1.13.x
    MariaDB 5.5
    ssllab result looks like for handshake simulation ? for bingpreview jan 2015 ?

    i.e.

    upload_2016-11-2_6-7-15.png

    and you don't need to remove CBC to prevent OpenSSL Padding Oracle vulnerability (CVE-2016-2107), just update to fixed OpenSSL or LibreSSL version which Centmin Mod Nginx has out of the box, just see ssllab report for it further down

    upload_2016-11-2_6-10-10.png

    reddit user/link is thus incorrect and anyway you don't remove CBC to get A+ ssllab, you ensure your have HSTS enabled appropriately once you understand what it does - Enabling HSTS for SSL
     
    Last edited: Nov 2, 2016
  4. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    6:19 PM
    latest
    latest
    I think my site was penalized by bing so not really related to the migration.

    I'm on LibreSSL 2.4.3 but is there an advantage to using OpenSSL 1.1.0b as far as https is concerned?
     
  5. eva2000

    eva2000 Administrator Staff Member

    30,940
    6,913
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,409
    Local Time:
    8:19 PM
    Nginx 1.13.x
    MariaDB 5.5
    for HTTPS probably not that much an advantage, OpenSSL performance is slightly better than LibreSSL though but at a much longer nginx compile time for install/upgrades. OpenSSL 1.1.1 will have TLS 1.3 which is good for security and performance, not sure when LibreSSL will get TLS 1.3 maybe LibreSSL 2.5+ ?

    For dual RSA + RCDSA SSL certificates though, you want to use OpenSSL
     
    • Informative Informative x 2
  6. pamamolf

    pamamolf Well-Known Member

    2,819
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    12:19 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    And how we select which one to use?

    OpenSSL or LibreSSL
     
  7. eva2000

    eva2000 Administrator Staff Member

    30,940
    6,913
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,409
    Local Time:
    8:19 PM
    Nginx 1.13.x
    MariaDB 5.5
    To switch between Nginx OpenSSL and Nginx LibreSSL set in persistent config file /etc/centminmod/custom_config.inc the variable for LIBRESSL_SWITCH. Yes for LibreSSL and No for OpenSSL and then run centmin.sh menu option 4 to recompile Nginx
    Code (Text):
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    
     
    • Informative Informative x 1
  8. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    6:19 PM
    latest
    latest
    For say LetsEncrypt certificate, either one (OpenSSL or LibreSSL) is just fine?

    Or could we use OpenSSL for TLS 1.3?
     
  9. eva2000

    eva2000 Administrator Staff Member

    30,940
    6,913
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,409
    Local Time:
    8:19 PM
    Nginx 1.13.x
    MariaDB 5.5
    yes Nginx with OpenSSL or LibreSSL is fine for serving any type of ssl certificate

    TLS 1.3 is not available yet in OpenSSL as latest is 1.1.0b. OpenSSL 1.1.1 is when TLS 1.3 is available and 1.1.0b vs 1.1.1 is like OpenSSL 1.0.1 vs 1.0.2 timeline I believe - quite a while away.
     
    • Like Like x 1