SSL & SHA1 - obsolete cryptography vs modern cryptography

LawsHosting · May 15, 2015

FYI, it still gives obsolete cryptography......

Fred. · May 15, 2015

Same here, no problems on Nginx (A+ on SSLLabs)

but DA still gives obsolete cryptography.

shanti · Jul 16, 2015

hello

i tried

ssl_cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP:-SSLv2:-SSLv3

in directadmin.conf , but to no avail ..

using the ssltestscript from http://www.tuxad.de/scripts/ssltest.sh against DA i get :

Testing: localhost 56788
Testing protocols:
SSLv2: NO
SSLv3: NO
TLSv1.1: YES
TLSv1.2: YES
TLSv1: YES
Testing ciphers using protocol TLSv1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

But i like it a bit more like my httpd is responding:

Testing: localhost 443
Testing protocols:
SSLv2: NO
SSLv3: NO
TLSv1.1: YES
TLSv1.2: YES
TLSv1: YES
Testing ciphers using protocol TLSv1
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

which provides me with PFS

it would be great to have strong encryption on the DA-Backend .. are there plans to implement this ?

best regards

-c-

v998 · Oct 1, 2015

The DirectAdmin Daemon (port 2222) is obsolete cryptography because there is not any forward secrecy (ECDHE) on it.
Only TLS_RSA_AES128_GCM_SHA256 would not be enough.

It requires things like:
ECDHE-RSA-CHACHA20-POLY1305,
ECDHE-RSA-AES256-GCM-SHA384, or
ECDHE-RSA-AES128-GCM-SHA256

What is the TLS library DA daemon using?

Petertjuh360 · Dec 11, 2015

Can someone give the right Cipher, please?

smtalk · Dec 11, 2015

v998 said:
The DirectAdmin Daemon (port 2222) is obsolete cryptography because there is not any forward secrecy (ECDHE) on it.
Only TLS_RSA_AES128_GCM_SHA256 would not be enough.

It requires things like:
ECDHE-RSA-CHACHA20-POLY1305,
ECDHE-RSA-AES256-GCM-SHA384, or
ECDHE-RSA-AES128-GCM-SHA256

What is the TLS library DA daemon using?

Please use DA pre-release binaries for these ciphers to work. More info: http://www.directadmin.com/features.php?id=1800

Petertjuh360 · Dec 11, 2015

smtalk said:
Please use DA pre-release binaries for these ciphers to work. More info: http://www.directadmin.com/features.php?id=1800

Thank you!

I am not able to use pre-release binaries, unfortunately.

SSL & SHA1 - obsolete cryptography vs modern cryptography

LawsHosting

Verified User

Fred.

Verified User

shanti

Verified User

v998

Verified User

Petertjuh360

Verified User

smtalk

Administrator

Petertjuh360

Verified User