SSL & SHA1 - obsolete cryptography vs modern cryptography

jojolafrite (Verified User, joined Sep 19, 2014, 53 messages)
I don't know if you are aware of it, but when we allow SHA1 in the cipher suite and use HTTPS for a domain on DirectAdmin, we get a message when we click on the HTTPS icon in Google Chrome's URL field saying that we use obsolete cryptography.

HTML:
Your connection to your "domain" is encrypted with obsolete cryptography.

In order to fix this issue for all the domains using HTTPS, it was simple: I added !SHA1 to the following line in httpd-ssl.conf to prevent the use of SHA1 during the SSL certificate exchange.

SSLCipherSuite HIGH:!aNULL:!MD5:!SHA1

Then, after restarting Apache, it states that I use modern cryptography.

--------------------

I have tried adding the same to directadmin.conf to get rid of SHA1 when displaying the DirectAdmin admin panel pages over HTTPS.
ssl_cipher=HIGH:!aNULL:!MD5:!SHA1


But when I go to my DirectAdmin admin page, Google Chrome keeps on displaying "obsolete cryptography" and using RSA as the key exchange mechanism rather than ECDHE_RSA (as for the https://globalsign.com website...).

Here is what it states when I display my DirectAdmin admin page and click on the padlock in Google Chrome, on the connection tab:

Your connection to "mydomain.com" is encrypted with obsolete cryptography.
The connection uses TLS 1.2.
The connection is encrypted and authenticated using AES_128_GCM and uses RSA as the key exchange mechanism.




Thank you.
 
Hello, I use these settings:

Code:
SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
 
Joshua,

No problem with my code in httpd-ssl.conf.

The problem is in directadmin.conf when you turn on HTTPS for the DirectAdmin web admin page. In Chrome, if you click on the padlock just before the URL, you will see:

Your connection to "YOU DIRECTADMIN ADMIN DOMAIN HERE" is encrypted with obsolete cryptography.

The connection uses TLS 1.2.

The connection is encrypted and authenticated using AES_128_GCM and uses RSA as the key exchange mechanism.

Is it only me?
 

Have you tried adding the line I mentioned to the directadmin.conf file?

Code:
ssl_cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS

http://www.directadmin.com/features.php?id=957
 
Thanks, Joshua.

1. I am sorry, but DirectAdmin is on port 2222.
It should be aliane.me:2222
When you access your DirectAdmin on port 2222, what does it say?

2. I just tried this one. Restarted the directadmin service with service directadmin restart. Unfortunately, there is no difference.
 
As far as I can see with Firefox, both HTTPS (443) and DA (2222) are over SSL with a correct SSL certificate.

No error here.

Regards
 
OK, I tested again on your site, this time on port 2222.

And now I also get

Your connection to your "domain" is encrypted with obsolete cryptography.

So I checked on my server and I see the same. :confused:

Also

Your connection to your "domain" is encrypted with obsolete cryptography.

Maybe it's a bug or a security measure in Chrome?
I use a StartCom class 2 certificate.
 
Maybe the SHA1 keys in the CA cert are causing trouble?
I also have a few of these in the CA-bundle from StartCom.
 
You don't see obsolete cryptography on the DirectAdmin admin page?

Like the following?

 
I changed my ciphers to this in Nginx
Code:
ssl_ciphers 'AES128+EECDH:AES128+EDH';
and also updated my ca.crt

and now it's giving me
Your connection to "domain" is encrypted with modern cryptography.

I haven't tried it on DA port 2222
 
I changed mine to this now.

Code:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4

But I seem to be having another problem now.
It changes from modern cryptography to obsolete cryptography and back every now and then. :confused:
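Chrome's indicator at the time required both an ephemeral key exchange (ECDHE/DHE) and an AEAD bulk cipher, which is why the DirectAdmin panel in the first post reports obsolete cryptography for AES_128_GCM with RSA key exchange (HIGH:!aNULL:!MD5:!SHA1 still admits plain-RSA AES-GCM suites), and why the list just posted, which still carries plain-RSA and CBC-SHA suites, can be reported either way depending on which suite a given connection negotiates. The following classifier is an added example, not code from this thread or from DirectAdmin: it applies that rule to OpenSSL suite names from either string, parses names only, and does not expand aliases such as HIGH.

```python
"""Classify OpenSSL cipher-suite names by the two properties Chrome's
"obsolete cryptography" indicator checked when this thread was written:
an ephemeral (forward-secret) key exchange and an AEAD bulk cipher.
Name parsing only; aliases such as HIGH are skipped, not expanded."""
import re
from dataclasses import dataclass

FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral key exchange
AEAD_MARKERS = ("-GCM-", "-CCM", "CHACHA20-POLY1305")  # AEAD bulk ciphers


@dataclass(frozen=True)
class Verdict:
    name: str
    forward_secret: bool
    aead: bool

    @property
    def modern(self) -> bool:
        return self.forward_secret and self.aead

    def reasons(self) -> list:
        """Why Chrome would call this suite obsolete (empty when modern)."""
        out = []
        if not self.forward_secret:
            out.append("static RSA/ECDH key exchange (no forward secrecy)")
        if not self.aead:
            out.append("non-AEAD cipher (CBC mode with an HMAC such as SHA1)")
        return out


def classify(name: str) -> Verdict:
    n = name.strip().upper()
    if n.startswith("TLS_"):  # TLS 1.3 names: always ephemeral DH and AEAD
        return Verdict(n, True, True)
    return Verdict(n, n.startswith(FORWARD_SECRET_PREFIXES),
                   any(m in n for m in AEAD_MARKERS))


def split_cipher_string(spec: str) -> list:
    """Accept ':'- or space-separated strings (this thread uses both) and
    drop exclusions (!X, -X), additions (+X) and @ directives."""
    return [t for t in re.split(r"[:\s]+", spec.strip()) if t and t[0] not in "!-+@"]


def obsolete_suites(spec: str) -> list:
    """Concrete suite names in `spec` that Chrome would flag as obsolete.
    Tokens without '-' (HIGH, EECDH+aRSA+AESGCM, ...) are aliases that
    expand per OpenSSL build, so they are skipped rather than judged."""
    return [v.name for t in split_cipher_string(spec) if "-" in t
            for v in (classify(t),) if not v.modern]
```

Run `obsolete_suites()` over the long string above to list every suite in it that still triggers the indicator; what a server actually negotiates is then a matter of suite order and client support, which the name check alone cannot tell you.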
 
Any updates on this?

If you use Chrome on :2222, the https:// in the URL has the red line through it (like the warning for http:// links on an https:// page).

 
I don't have any problem with https on :2222 with Chrome. I think you need to reissue your SSL certificate
On normal Apache it is fine; it's on DA that it goes wonky.

ssllabs.com gives an A

Edit:

OK, I've finally found the cause: I had an old CA cert installed for other configs.
 