Want more timely Centmin Mod News Updates?
Become a Member

Feedback SSL Ciphers Query

Discussion in 'AlmaLinux 8 & Rocky Linux 8 Beta Testing' started by cloud9, Mar 9, 2023.

  1. cloud9

    cloud9 Premium Member Premium Member

    424
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    10:49 AM
    1.25.3
    10.6.x
    1. Hetzner CX21 40GB

    2.
    1st:
    130.00beta01.b246 #Thu Nov 17 21:43:33 UTC 2022
    ..
    last 10:
    130.00beta01.b275 #Wed Feb 15 14:01:50 UTC 2023
    130.00beta01.b277 #Tue Feb 21 20:47:19 UTC 2023
    130.00beta01.b277 #Tue Feb 21 20:48:04 UTC 2023
    130.00beta01.b277 #Tue Feb 21 20:53:39 UTC 2023
    130.00beta01.b277 #Tue Feb 28 17:34:48 UTC 2023
    130.00beta01.b277 #Tue Feb 28 17:38:41 UTC 2023
    130.00beta01.b277 #Tue Feb 28 21:40:15 UTC 2023
    130.00beta01.b277 #Wed Mar 8 20:02:12 UTC 2023
    130.00beta01.b277 #Wed Mar 8 20:17:51 UTC 2023
    130.00beta01.b277 #Wed Mar 8 20:19:09 UTC 2023



    3.

    Architecture: x86_64

    CPU op-mode(s): 32-bit, 64-bit
    Byte Order: Little Endian
    CPU(s): 2
    On-line CPU(s) list: 0,1
    Thread(s) per core: 1
    Core(s) per socket: 2
    Socket(s): 1
    NUMA node(s): 1
    Vendor ID: GenuineIntel
    CPU family: 6
    Model: 85
    Model name: Intel Xeon Processor (Skylake, IBRS)
    Stepping: 4
    CPU MHz: 2099.998
    BogoMIPS: 4199.99
    Hypervisor vendor: KVM
    Virtualization type: full
    L1d cache: 32K
    L1i cache: 32K
    L2 cache: 4096K
    L3 cache: 16384K
    NUMA node0 CPU(s): 0,1
    Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd rsb_ctxsw ibrs ibpb fsgsbase bmi1 hle avx2 smep bmi2 erms invpcid rtm avx512f avx512dq rdseed adx smap clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 arat pku ospke md_clear spec_ctrl

    total used free shared buff/cache available
    Mem: 3693 841 795 188 2056 2389
    Low: 3693 2897 795
    High: 0 0 0
    Swap: 1023 5 1018
    Total: 4717 847 1813

    Filesystem Type Size Used Avail Use% Mounted on
    devtmpfs devtmpfs 1.8G 0 1.8G 0% /dev
    tmpfs tmpfs 1.9G 0 1.9G 0% /dev/shm
    tmpfs tmpfs 1.9G 193M 1.7G 11% /run
    tmpfs tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
    /dev/sda1 ext4 38G 15G 22G 40% /
    /dev/loop0 ext4 5.8G 25M 5.5G 1% /tmp
    tmpfs tmpfs 370M 0 370M 0% /run/user/0

    Edited

    Code:
    /usr/local/nginx/conf/conf.d/MYDOMAIN.co.uk.ssl.conf 
    for this line

    Code:
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
    Restarted Nginx, Rebuilt Nginx, rebooted VPS
    Testing in ssh and on SSL labs its still reporting 128bit ciphers ?

    Code:
    TLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients)
     xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 253   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
     xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD
     xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
     xc009   ECDHE-ECDSA-AES128-SHA            ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
     xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 253   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
     xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
     xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
     xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLSv1.3 (no server order, thus listed by strength)
     x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
     x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
     x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256    
    Screenshot 2023-03-09 at 07.49.12.png

    Am I missing something ?

     
    Last edited: Mar 9, 2023
  2. eva2000

    eva2000 Administrator Staff Member

    52,653
    12,070
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,596
    Local Time:
    7:49 PM
    Nginx 1.25.x
    MariaDB 10.x
    Whether they're 128bit or 256bit doesn't mean they less or more secure, it's the actual SSL ciphers that matter. What are trying to do? Maybe test out the tools/switch-nginx-ciphers.sh tool
    https://community.centminmod.com/threads/add-tools-switch-nginx-ciphers-sh-in-123-09beta01.21403/

    pay attention to note on using Cloudflare or proxy in front of your Centmin Mod Nginx server
    so if you use Cloudflare in front of Centmin Mod Nginx, changing Nginx SSL ciphers won't have any impact on Cloudflare edge served SSL ciphers. If you pay $10/month for Cloudflare Advanced Certificate Management then you can use Cloudflare API to alter the default Cloudflare edge SSL ciphers too to your liking.

    and local testssl option in the script https://community.centminmod.com/th...-ciphers-sh-in-123-09beta01.21403/#post-89155
     
  3. cloud9

    cloud9 Premium Member Premium Member

    424
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    10:49 AM
    1.25.3
    10.6.x
    That will be it then, its behind Cloudflare on the free plan......

    Thankyou
     
  4. duderuud

    duderuud Premium Member Premium Member

    215
    76
    28
    Dec 5, 2020
    The Netherlands
    Ratings:
    +163
    Local Time:
    11:49 AM
    1.25 x
    10.6
    Problem with Cloudflare SSL is that you don't have any control over the ciphers.
    Some default ciphers are deemed unsafe (or to be discontinued) like AES128-SHA and AES256-SHA256.

    You can tweak the cipher suite but you have to pay $10 a month extra for that.