SSL ssl beast vulnerability

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by reallove0810, Jan 3, 2015.

  1. reallove0810
    Hello,

    I set up SSL and entered the following parameters following the instructions in Nginx HTTPS / SSL Google SPDY configuration
    Code (nginx ssl_ciphers directive):
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    And I tested the website at globalsign.com. It shows "Sessions may be vulnerable to BEAST attack".
    You can see here:
    SSL Check
    Do you know how to fix it?

     
  2. eva2000
    You may want to read this thread in the Domains, DNS, Email & SSL Certificates forum: SSL - SSL Setup | Centmin Mod Community

    For BEAST, the cipher preferences I set out and suggested are enough; see Security Labs: Is BEAST Still a Threat? | Qualys Community. They are the same ones recommended officially by the Mozilla Foundation.

    Basically, RC4 security could be weaker and vulnerable, and that affects everyone and cannot be mitigated, while BEAST only affects a portion of users.
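The reply above argues that the posted list already does what can be done server-side about BEAST without falling back to RC4; the scanner in the first post still flags the site because CBC suites remain negotiable under TLS 1.0, which is the only protocol version BEAST applies to (TLS 1.1 and later use explicit per-record IVs). The Python script below is an added example, not code from the thread or from Centmin Mod. It parses the posted ssl_ciphers string (nginx hands that value straight to OpenSSL's cipher-list syntax) and reports the suite classes that decide the verdict: AEAD suites (GCM) are immune, CBC suites are what BEAST targets, and RC4 is the "workaround" the reply advises against. The function names, the constructed RC4-first comparison string in the comments, and the suffix heuristic for telling explicit suite names from aliases such as AES or kEDH+AESGCM are my own; aliases are reported but not expanded.

```python
"""Audit an nginx ssl_ciphers string for the suite classes BEAST cares about.

Added example for the thread above (not Centmin Mod code). Aliases like
AES, CAMELLIA or kEDH+AESGCM are listed, not expanded; for the definitive
expansion on a given build run:  openssl ciphers -v "$SPEC"
"""
from typing import Dict, List, Tuple

# The ssl_ciphers value posted in the first post, copied verbatim.
POSTED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA"
)

# Heuristic (my own): explicit OpenSSL suite names end in their MAC/PRF
# component; anything else is an alias that libssl expands at runtime.
_SUITE_SUFFIXES = ("-SHA", "-SHA256", "-SHA384", "-MD5")


def parse_cipher_string(spec: str) -> Tuple[List[str], List[str]]:
    """Split an OpenSSL cipher string into (included, excluded) tokens, in order.

    A '!' token deletes matching suites permanently, so it wins over any
    earlier plain inclusion of the same name ('CAMELLIA ... !CAMELLIA').
    A '-' token also removes, but a later plain token may re-add it; that
    re-add is not modelled. '+' only reorders and '@' sets options.
    """
    included: List[str] = []
    excluded: List[str] = []
    for tok in spec.split(":"):
        tok = tok.strip()
        if not tok or tok[0] in "+@":
            continue
        if tok[0] in "!-":
            excluded.append(tok[1:])
        else:
            included.append(tok)
    return included, excluded


def is_explicit_suite(tok: str) -> bool:
    return tok.endswith(_SUITE_SUFFIXES)


def classify_suite(name: str) -> str:
    """Bucket an explicit suite by its record-layer construction.

    aead   - GCM/CCM/ChaCha20-Poly1305: no CBC padding, untouched by BEAST
    stream - RC4: untouched by BEAST but biased keystream, weak everywhere
    null   - no encryption at all
    cbc    - every other name in this scheme is a CBC block cipher, the
             construction BEAST attacks under TLS 1.0 / SSL 3.0
    """
    if "GCM" in name or "CCM" in name or "CHACHA20" in name:
        return "aead"
    if "RC4" in name:
        return "stream"
    if "NULL" in name:
        return "null"
    return "cbc"


def audit(spec: str) -> Dict[str, object]:
    """Summarise what the list still offers after exclusions are applied."""
    included, excluded = parse_cipher_string(spec)
    excluded_set = set(excluded)
    live = [t for t in included if t not in excluded_set]
    explicit = [t for t in live if is_explicit_suite(t)]
    counts = {"aead": 0, "cbc": 0, "stream": 0, "null": 0}
    for tok in explicit:
        counts[classify_suite(tok)] += 1
    return {
        "counts": counts,
        "aliases": [t for t in live if not is_explicit_suite(t)],
        "shadowed_by_exclusion": [t for t in included if t in excluded_set],
        "rc4_excluded": "RC4" in excluded_set,
        "rc4_offered": any(classify_suite(t) == "stream" for t in explicit),
        "first_preference": explicit[0] if explicit else None,
        "prefers_aead": bool(explicit) and classify_suite(explicit[0]) == "aead",
        # '!DES' removes single DES only; 3DES stays unless '!3DES' is given.
        "triple_des_offered": any("DES-CBC3" in t for t in explicit),
        "cbc_offered": counts["cbc"] > 0,
    }


def beast_exposed(spec: str, protocols: List[str]) -> bool:
    """True when a client limited to SSLv3/TLS 1.0 could land on a CBC suite.

    Server-side view only: a TLS 1.0 client with the 1/n-1 record split
    (every mainstream browser since 2011/2012) is not actually attackable.
    """
    old_protocol = bool({"SSLv3", "TLSv1"} & set(protocols))
    return old_protocol and bool(audit(spec)["cbc_offered"])


if __name__ == "__main__":
    # Usage: the posted list with the nginx default protocols of the time.
    for key, value in audit(POSTED_CIPHERS).items():
        print(f"{key:>22}: {value}")
    print("BEAST flag with TLSv1 enabled:",
          beast_exposed(POSTED_CIPHERS, ["TLSv1", "TLSv1.1", "TLSv1.2"]))
    print("BEAST flag without TLSv1:     ",
          beast_exposed(POSTED_CIPHERS, ["TLSv1.1", "TLSv1.2"]))
```

Run against the posted string, the report shows RC4 excluded, the first preference an AEAD suite, and 19 CBC suites still offered, so a scanner will keep raising the BEAST flag as long as TLSv1 is in ssl_protocols; with TLSv1 removed beast_exposed() returns False, at the price of TLS 1.0-only clients. Note that a CBC suite listed early in ssl_ciphers only becomes the actual negotiated suite if the server enforces its order (ssl_prefer_server_ciphers on), and that the '!CAMELLIA' at the end silently cancels the 'CAMELLIA' alias earlier in the same string.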