SSL & SHA1 - obsolete cryptography vs modern cryptography

jojolafrite

Verified User
Joined
Sep 19, 2014
Messages
52
I don't know if you are aware of it, but when we allow SHA1 in the cipher suite and use HTTPS for a domain on DirectAdmin, we get a message when we click on the HTTPS icon in Google Chrome's URL field saying that we use obsolete cryptography.

HTML:
Your connection to your "domain" is encrypted with obsolete cryptography.
To fix this for all the domains using HTTPS, it was simple: I added !SHA1 to the following line in httpd-ssl.conf to prevent the use of SHA1 during the SSL certificate exchange.

SSLCipherSuite HIGH:!aNULL:!MD5:!SHA1

Then, after restarting Apache, it states that I use modern cryptography.

--------------------

I have tried typing the same in directadmin.conf to avoid SHA1 when displaying the HTTPS DirectAdmin admin panel pages.
ssl_cipher=HIGH:!aNULL:!MD5:!SHA1


But when I go to my DirectAdmin admin page, Google Chrome keeps on displaying "obsolete cryptography" and using RSA as the key exchange mechanism rather than ECDHE_RSA (as for the https://globalsign.com website...)

Here is what it states when I display my DirectAdmin admin page and click on the lock in Google Chrome on the Connection tab:

Your connection to "mydomain.com" is encrypted with obsolete cryptography.
The connection uses TLS 1.2.
The connection is encrypted and authenticated using AES_128_GCM and uses RSA as the key exchange mechanism.




Thank you.
 

Yoshua

Verified User
Joined
Apr 9, 2007
Messages
74
Location
Spain
Hello, I use these settings:

Code:
SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
 

jojolafrite

Verified User
Joined
Sep 19, 2014
Messages
52
Yoshua,

No problem with my code in httpd-ssl.conf.

The problem is in directadmin.conf when you turn on HTTPS for the DirectAdmin web admin page. In Chrome, if you click on the padlock just before the URL, you will see:
Screen Shot 2015-04-29 at 23.03.10.png

Your connection to "YOU DIRECTADMIN ADMIN DOMAIN HERE" is encrypted with obsolete cryptography.

The connection uses TLS 1.2.

The connection is encrypted and authenticated using AES_128_GCM and uses RSA as the key exchange mechanism.
Is it only me?
 

Yoshua

Verified User
Joined
Apr 9, 2007
Messages
74
Location
Spain
Yoshua,

No problem with my code in httpd-ssl.conf.

The problem is in directadmin.conf when you turn on HTTPS for the DirectAdmin web admin page. In Chrome, if you click on the padlock just before the URL, you will see:
Is it only me?
Have you tried adding the line I mentioned to the directadmin.conf file?

Code:
ssl_cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS
http://www.directadmin.com/features.php?id=957
 

jojolafrite

Verified User
Joined
Sep 19, 2014
Messages
52
Thanks, Yoshua.

1. I am sorry, but DirectAdmin is on port 2222; it should be aliane.me:2222.
When you access your DirectAdmin on port 2222, what does it say?

2. I just tried this one and restarted the DirectAdmin service with service directadmin restart. Unfortunately, there is no difference.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,792
Location
A Coruña, Spain
As far as I can see with Firefox, both HTTPS (443) and DA (2222) are over SSL with a correct SSL certificate.

No error here.

Regards
 

Fred.

Verified User
Joined
Sep 5, 2009
Messages
220
OK, I tested again on your site, this time on port 2222.

And now I also get:

Your connection to your "domain" is encrypted with obsolete cryptography.
So I checked on my server and I see the same.

Also:

Your connection to your "domain" is encrypted with obsolete cryptography.
Maybe it's a bug or a security measure in Chrome?
I use a StartCom Class 2 certificate.
 

Fred.

Verified User
Joined
Sep 5, 2009
Messages
220
Maybe the SHA1 keys in the CA cert are causing trouble?
I also have a few of these in the CA-bundle from StartCom.
 

jojolafrite

Verified User
Joined
Sep 19, 2014
Messages
52
As far as I can see with Firefox, both HTTPS (443) and DA (2222) are over SSL with a correct SSL certificate.

No error here.

Regards
You don't see "obsolete cryptography" on the DirectAdmin admin page?

Like the following?

Screen Shot 2015-04-30 at 15.52.07.png
 

Fred.

Verified User
Joined
Sep 5, 2009
Messages
220
I changed my ciphers to this in Nginx:
Code:
ssl_ciphers 'AES128+EECDH:AES128+EDH';
and also updated my ca.crt,

and now it's giving me:
Your connection to "domain" is encrypted with modern cryptography.
I haven't tried it on DA port 2222.
 

Fred.

Verified User
Joined
Sep 5, 2009
Messages
220
I changed mine to this now.

Code:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
But I seem to be having another problem now.
It changes from modern cryptography to obsolete cryptography and back every now and then.
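As an added illustration (not code from this thread, from DirectAdmin or from Nginx), here is a small Python checker that applies the criteria behind the Chrome message quoted in the first post: it parses the Connection-tab wording, classifies OpenSSL suite names such as those in the ssl_ciphers list above, and lists which entries of such a list Chrome would still report as obsolete. The criteria it assumes (TLS 1.2 or newer, an AEAD bulk cipher such as AES-GCM, and an ECDHE key exchange, all three required for "modern") are my reading of the messages quoted in this thread, where AES_128_GCM with RSA key exchange is called obsolete and ECDHE_RSA is the expected alternative. The probe() helper makes a live connection with this process's OpenSSL defaults and is separate from the offline checks.

```python
"""Classify a TLS connection the way Chrome's padlock "obsolete cryptography"
verdict does. Assumed criteria (from the messages quoted in this thread):
protocol >= TLS 1.2, an AEAD bulk cipher, and an ECDHE key exchange are all
required for "modern"; any miss gives "obsolete". Added example, not DirectAdmin code."""
import re
import socket
import ssl

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")          # AEAD modes; CBC "...-SHA" suites are not
MODERN_KX = {"ECDHE", "ECDHE_RSA", "ECDHE_ECDSA"}  # ephemeral ECDH only (assumed criterion)
KX_PREFIXES = ("ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH")


def version_tuple(text):
    """'TLS 1.2' or 'TLSv1.2' -> (1, 2); (0, 0) when no version number is present."""
    m = re.search(r"(\d)\.(\d)", text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def evaluate(tls_version, bulk_cipher, key_exchange):
    """Return ('modern', []) or ('obsolete', [reason, ...])."""
    reasons = []
    if version_tuple(tls_version) < (1, 2):
        reasons.append(f"protocol {tls_version} is older than TLS 1.2")
    if not any(m in bulk_cipher.upper() for m in AEAD_MARKERS):
        reasons.append(f"bulk cipher {bulk_cipher} is not an AEAD mode")
    if key_exchange.upper().replace("-", "_") not in MODERN_KX:
        reasons.append(f"key exchange {key_exchange} is not ECDHE (no forward secrecy)")
    return ("modern" if not reasons else "obsolete", reasons)


def classify_chrome_tab(text):
    """Parse the sentences Chrome prints on the padlock's Connection tab."""
    version = re.search(r"uses ((?:TLS|SSL) \d\.\d)", text)
    cipher = re.search(r"authenticated using ([A-Z0-9_]+)", text)
    kx = re.search(r"uses ([A-Z0-9_]+) as the key exchange", text)
    if not (version and cipher and kx):
        raise ValueError("unrecognised connection description")
    return evaluate(version.group(1), cipher.group(1), kx.group(1))


def classify_openssl_name(suite, tls_version="TLS 1.2"):
    """Classify an OpenSSL suite name ('ECDHE-RSA-AES128-GCM-SHA256', 'AES128-SHA').
    A name with no key-exchange prefix means static RSA key transport."""
    if suite.startswith("TLS_"):             # TLS 1.3 suites: always (EC)DHE + AEAD
        return evaluate(tls_version, suite, "ECDHE")
    head = suite.split("-")[0]
    kx = head if head in KX_PREFIXES else "RSA"
    return evaluate(tls_version, suite, kx)


def audit_cipher_list(colon_list):
    """From an OpenSSL cipher string of explicit suite names (nginx ssl_ciphers
    style), return the suites Chrome would still report as obsolete. Selectors
    and aliases (HIGH, !MD5, EECDH+AESGCM) are not suites and are skipped."""
    obsolete = []
    for entry in colon_list.split(":"):
        is_alias = not entry or entry[0] in "!-+" or "+" in entry
        if is_alias or ("-" not in entry and not entry.startswith("TLS_")):
            continue
        verdict, _ = classify_openssl_name(entry)
        if verdict == "obsolete":
            obsolete.append(entry)
    return obsolete


def probe(host, port=443, timeout=5):
    """Negotiate with a live server using this process's OpenSSL defaults and
    classify the result; returns (suite, version, verdict, reasons)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            suite, version, _bits = tls.cipher()
    verdict, reasons = classify_openssl_name(suite, version)
    return suite, version, verdict, reasons


if __name__ == "__main__":
    # Constructed input: the wording quoted in the first post of this thread.
    TAB = ("The connection uses TLS 1.2. The connection is encrypted and "
           "authenticated using AES_128_GCM and uses RSA as the key exchange mechanism.")
    print(classify_chrome_tab(TAB))
    # Constructed list mixing a modern suite, a CBC suite and a static-RSA suite.
    print(audit_cipher_list("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:HIGH:!MD5"))
```

Run over the ssl_ciphers list in the post above, audit_cipher_list() flags every DHE, CBC and static-RSA entry and leaves only the two ECDHE GCM suites as modern. Which of the listed suites a given client ends up on depends on what that client offers and on whether the server enforces its own preference order, so a server that still lists obsolete suites can produce different verdicts for different clients.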
 

Peter Laws

Verified User
Joined
Sep 13, 2008
Messages
1,768
Location
London UK
Any updates on this?

If you use Chrome on :2222, the https:// in the URL has the red line through it (like the warning for http:// links on an https:// page).

 

Peter Laws

Verified User
Joined
Sep 13, 2008
Messages
1,768
Location
London UK
I don't have any problem with https on :2222 with Chrome. I think you need to reissue your SSL certificate.
On normal Apache it is fine; it's on DA that it goes wonky.

ssllabs.com gives an A.

Edit:

OK, I've finally found the cause: I had an old CA cert installed for other configs.
 