Thursday, 4 July 2019

TLS Security NS 3.8

Little more than a week ago I posted about the Security Certs for NS 3.8. I was not aware at that time that NS 3.9 was already available (I was using a link provided for D/L of 3.8). Since there has been other bugs/problems, I thought to provide the actual results. The location of this Qualys Client Test is

https://www.ssllabs.com/ssltest/viewMyClient.html

Presuming the Certs are within NS 3.8, it would appear that the "weak" certs be removed for added security. I did not receive an answer to the question if the certs are tapped from the Distribution or the Browser. So, here are the results...


Protocols
TLS 1.3 No
TLS 1.2 Yes*
TLS 1.1 Yes*
TLS 1.0 Yes*
SSL 3 Yes*
SSL 2 No

Cipher Suites (in order of preference)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) WEAK 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) WEAK 128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) WEAK 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) WEAK 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) WEAK 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) WEAK 128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff) -
(1) When a browser supports SSL 2, its SSL 2-only suites are shown only on the very first connection to this site. To see the suites, close all browser windows, then open this exact page directly. Don't refresh.

Protocol Details
Server Name Indication (SNI) Yes
Secure Renegotiation Yes
TLS compression No
Session tickets Yes
OCSP stapling No
Signature algorithms SHA512/RSA, SHA512/DSA, SHA512/ECDSA, SHA384/RSA, SHA384/DSA, SHA384/ECDSA, SHA256/RSA, SHA256/DSA, SHA256/ECDSA, SHA224/RSA, SHA224/DSA, SHA224/ECDSA, SHA1/RSA, SHA1/DSA, SHA1/ECDSA
Named Groups secp256r1, secp521r1, brainpoolP512r1, brainpoolP384r1, secp384r1, brainpoolP256r1, secp256k1, sect571r1, sect571k1, sect409k1, sect409r1, sect283k1, sect283r1
Next Protocol Negotiation Yes
Application Layer Protocol Negotiation No
SSL 2 handshake compatibility No


Regards
Paul S. in CT
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)