SSL Labs SSLTest gets a nice update

Discussion in 'other software & services' started by funkydude, Aug 3, 2013.

Thread Status:
Not open for further replies.
  1. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    The latest version of the SSL Test (v1.2.85) has expanded on the amount of virtualized browsers and operating systems, now including more browser versions, OSX, and even Fedora. On top of that Forward Secrecy has been properly merged into the test rather than just being a "bonus point".

    google.png

    Interesting to note is that Windows XP doesn't actually support modern cipher suites that use Forward Secrecy like ECDHE. A lot of software and "privacy fanatics" will be at risk due to this, having only older more vulnerable cipher suites to choose. Another reason for XP users to upgrade.

    Unsurprisingly Windows 8/8.1 has the best support for the newest ciphers like GCM_SHA256

    Also watch out using v12.xx of Opera or Firefox on Debian. Though I'm unsure why the Debian version of Firefox is worse off than the Windows 7 version.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Only if you use IE or Safari, they use TLS implementation of the OS. FF, Chrome and Opera(both old and new) don't.
    Yes, it seems other browser and OS's have some catching up to do, good job from MS. I remember IE being the last browser to still support vulnerable SSL 2.0 and now the roles seemed to have turned.

    Apparently Debian's fault, strange choice:
    Firefox and Chrome use NSS meaningless of the OS. However, some Linux distros ship a Firefox version which may have disabled ECC support, like Fedora or Red Hat Enterprise Linux.
    http://www.carbonwind.net/blog/post...rowsers-and-their-SSLTLS-implementations.aspx
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    That's true, but this statement seems to suggest that no browser on XP supports Forward Secrecy, or am I misinterpreting it?
    "Browsers that do not support Forward Secrecy are excluded when determining support for it."
    (The asterisk next to WinXP)

    Also keep in mind that other software that may communicates over SSL/TLS could be using the OS implementation.

    That is strange, thanks for the info.

    edit:

    Configuring Apache, Nginx, and OpenSSL for Forward Secrecy

    This blog entry goes quite in depth actually, I'll be linking it to a few people that weren't sure how to set it up.
     
    Last edited: Aug 7, 2013
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    I'm not sure, perhaps they mean IE on XP, but none of the other browsers are tested on XP, which might mean they excluded that because they don't have PFS support on XP. Unfortunately, I don't have access to an XP machine at the moment, so I can't check it myself.
    Good point, though I doubt many of them will uses the latest TLS protocols and FPS.
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    I just installed XP in a VM and then I remembered this, so I installed Chrome in the VM, and it shows ECDHE_RSA being used for encrypted.google.com, I also installed FF but it doesn't display if it uses ECDHE, though all ciphers with ECDHE are enabled in about:config. The windows disc contained XP SP2 and I didn't update it yet, so even on an outdated XP machine, browsers can support Forward Secrecy if they use an SSL/TLS implementation independent of the OS.
     
  6. tlu

    tlu Guest

    That site is very useful. Unfortunately, it can only test web servers but not mail servers.

    So in order to test if your email server supports Forward Secrecy you have to execute, e.g.,

    Code:
    openssl s_client -cipher 'ECDH:DH' -connect pop.googlemail.com:995
    and

    Code:
    openssl s_client -cipher 'ECDH:DH' -connect smtp.googlemail.com:465
    or

    Code:
    openssl s_client -cipher 'ECDH:DH' -connect imap.googlemail.com:993
    If you get a ciphersuite that begins with DH or ECDH, PFE is supported.

    Another useful tool is sslscan which tests the SSL capabilities of a server.
     
    Last edited by a moderator: Aug 19, 2013
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    SSLTest has been updated to 1.3.6;
    The difference I see is that they expanded the handshake stimulation to include IE6 on XP, Java 6u45, Java 7u25, OpenSSL 0.9.8y and OpenSSL 1.0.1e.
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
Loading...
Thread Status:
Not open for further replies.