SSL ssl beast vulnerability

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by reallove0810, Jan 3, 2015.

  1. reallove0810

    reallove0810 New Member

    Hello,

    I set up SSL and entered the following parameters following the instructions in Nginx HTTPS / SSL Google SPDY configuration
    Code:
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    And I tested the website at globalsign.com. It shows "Sessions may be vulnerable to BEAST attack".
    You can see here:
    SSL Check
    Do you know how to fix it?

  2. eva2000

    eva2000 Administrator Staff Member

    You may want to read this thread in the Domains, DNS, Email & SSL Certificates forum at SSL - SSL Setup | Centmin Mod Community

    For BEAST, the cipher preferences I set out and suggested are enough; see Security Labs: Is BEAST Still a Threat? | Qualys Community. They're the same ones recommended officially by the Mozilla Foundation.

    Basically, RC4 security could be weaker and vulnerable, and it affects everyone and cannot be mitigated, while BEAST only affects a portion of users.
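An added example, not from the thread or from Centmin Mod: a small Python audit that walks the ssl_ciphers value posted above, separates the `!`-excluded tokens from the preferred ones, and buckets the rest into AEAD (GCM), CBC and RC4, so a defender can confirm that RC4 is excluded and that AEAD suites are offered ahead of the CBC suites BEAST concerns under TLS 1.0. The name-suffix heuristics in `classify` are my assumption for illustration, not OpenSSL's own cipher-string parser.

```python
"""Bucket an nginx ssl_ciphers string by BEAST relevance (added audit helper)."""
import re

# The ssl_ciphers value posted in the thread (trailing ';' removed).
POSTED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA"
)


def classify(token):
    """Return 'aead', 'rc4', 'cbc' or 'alias' for one positive cipher token (heuristic)."""
    if "GCM" in token:          # AES-GCM suites, including the kEDH+AESGCM group
        return "aead"
    if "RC4" in token:
        return "rc4"
    if re.search(r"-SHA(256|384)?$", token):   # HMAC suffix => CBC suite (3DES too)
        return "cbc"
    return "alias"              # group selectors such as AES or CAMELLIA


def audit(cipher_string):
    """Split preferred from '!'-excluded tokens and report what the order prefers."""
    tokens = [t for t in cipher_string.rstrip(";").split(":") if t]
    preferred = [t for t in tokens if not t.startswith("!")]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    buckets = {"aead": [], "rc4": [], "cbc": [], "alias": []}
    for t in preferred:
        buckets[classify(t)].append(t)
    # Index of the first CBC suite: everything before it is offered ahead of BEAST-exposed suites.
    first_cbc = next((i for i, t in enumerate(preferred) if classify(t) == "cbc"), None)
    return {
        "buckets": buckets,
        "rc4_excluded": "RC4" in excluded and not buckets["rc4"],
        "aead_first": bool(preferred) and classify(preferred[0]) == "aead",
        "first_cbc_index": first_cbc,
    }


if __name__ == "__main__":
    print(audit(POSTED_CIPHERS))
```

For the posted string the audit reports RC4 excluded, nine AEAD suites listed first and nineteen CBC suites after them, which matches the reply: the CBC suites stay available for older clients, but nothing BEAST-exposed is preferred over an AEAD suite.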