Support for TLS 1.3 #46
Comments
Hello! It's currently not possible. I'm tied to OpenSSL 1.0.x to support old/deprecated ciphers like SSLv2 or RC4, but 1.2.x is required for TLSv1.3, which removes all deprecated world support with no way to reactivate it at build time. And there is no simple way to use 2 different OpenSSL bindings on the same Ruby setup (OpenSSL support is built into the Ruby core extension…). I'm currently working on a pure Ruby SSL/TLS stack to support both the oldest and newest ciphers. But it's quite a long job to fully reimplement TLS 🤣
Needs to be updated as seen here: https://www.openssl.org/source/ And because `cryptcheck` requires `openssl 1.0.x` as seen here: aeris#46 (comment)
Needs to be updated as seen here: https://www.openssl.org/source/ And because `cryptcheck` requires `openssl 1.0.x` as seen here: #46 (comment)
@aeris Hello! Are you still working on
o/ here.
@aeris - Have you looked any further into expanding the ciphers for TLSv1.3? Reason I am asking is because after implementing SSL configs under Apache and checking with SSL Labs, I am getting an A+ grade with them. However, your site is only giving an E grade. If you need more specifics, please ask.
Currently it's not at all possible. Supporting SSL and other broken TLS ciphers supposes OpenSSL 1.0 or lower, and TLSv1.3 OpenSSL 1.1 or better.
I bet this
Ok thank you for your quick reply. Regarding checking the .json API I can't do that, as I have not integrated your code myself; it has been implemented by SEARXNG and is now giving unreliable TLS grades. You can see many users have their own instances here https://searx.space/ An example instance is search.trom.tf where the TLS grade has only an E but SSL Labs is reporting back an A+
With
Thanks. I checked my particular URL and it returns: - {"dh":false,"pfs":false,"rsa":false,"tlsv1_0":false,"tlsv1_1":false},"great":{"hsts":true},"warning":{"dhe":true,"hsts":false,"sha1":true},"critical":{"dh":false,"des":false,"dss":false,"md5":false,"rc4":false,"rsa":false,"null":false,"sslv2":false,"sslv3":false,"export":false,"sweet32":false,"md2_sign":false,"md4_sign":false,"md5_sign":false,"sha_sign":false,"anonymous":false,"mdc2_sign":false,"sha1_sign":false}}
So the same, support for DHE & SHA1 cipher suite.
My Apache2 SSL config now has: `SSLCipherSuite !DH:EECDH+AESGCM:EDH+AESGCM:AES256+EDH` This has resulted in A+ grades at your site and also SSL Labs. Thanks for your help, appreciated.
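What the `SSLCipherSuite` string quoted above does to the `dhe` and `sha1` warnings, as an added example that is not part of the thread and not cryptcheck's code: it expands the string with the local OpenSSL through Ruby's binding and flags suites by name. `WITHOUT_EXCLUSION`, `expand` and `warnings_for` are hypothetical names, and the name-based classification is an assumption.

```ruby
require 'openssl'

# Cipher string quoted in the thread (Apache SSLCipherSuite value).
# In OpenSSL cipher-string syntax "!" deletes suites permanently, and the
# "DH" alias covers ephemeral DH, so the later EDH entries add nothing back.
PAGE_SUITE = '!DH:EECDH+AESGCM:EDH+AESGCM:AES256+EDH'
# Constructed variant for comparison: the same string without the leading !DH.
WITHOUT_EXCLUSION = 'EECDH+AESGCM:EDH+AESGCM:AES256+EDH'

# Expand an OpenSSL cipher string into suite names using the local library.
def expand(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  ctx.ciphers.map(&:first) # each entry is [name, version, bits, alg_bits]
rescue OpenSSL::SSL::SSLError
  [] # nothing in the string matched this OpenSSL build
end

# Classify suite names (OpenSSL naming) under the two warning flags seen in
# the thread. Assumption: a name-based heuristic, not cryptcheck's own logic.
def warnings_for(names)
  {
    # "DHE-"/"EDH-" prefix = finite-field ephemeral DH; "ECDHE-" must not match.
    'dhe'  => names.select { |n| n.start_with?('DHE-', 'EDH-') },
    # A bare "-SHA" suffix is HMAC-SHA1; "-SHA256" and "-SHA384" are not.
    'sha1' => names.select { |n| n.end_with?('-SHA') }
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "OpenSSL: #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  [PAGE_SUITE, WITHOUT_EXCLUSION].each do |s|
    w = warnings_for(expand(s))
    puts s
    puts "  dhe:  #{w['dhe'].join(', ')}"
    puts "  sha1: #{w['sha1'].join(', ')}"
  end
end
```

The exact suites listed depend on the OpenSSL version Ruby is linked against, which is printed first.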
I advise you a simple cipher suite:
How about dropping support for old stuff and adding it for TLS 1.3, just label any support for old stuff as a fail 😁
Because dropping support for old stuff is also not being able to detect it 🤣
Hi, thanks a lot for your work. It would be nice if cryptcheck could support TLS 1.3.