
Possible ADH false positives?

Question asked by Rich Lafferty on Aug 19, 2013
Latest reply on Aug 19, 2013 by Rich Lafferty

Hey all,

I'm confused. I was doing a quick audit of our SSL configs after I noticed we'd inadvertently excluded TLSv1.2. Anyhow, I'm now getting failing SSL Labs test results (F!) because it claims I support anonymous DH ciphers:

    TLS_ECDH_anon_WITH_AES_256_CBC_SHA
    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_anon_WITH_AES_128_CBC_SHA

https://www.ssllabs.com/ssltest/analyze.html?d=secure.freshbooks.com

But I've configured nginx like so:

    ssl_ciphers RC4-SHA:HIGH:!ADH;
    ssl_prefer_server_ciphers   on;

(Nevermind the RC4 vs. BEAST issue for now.)

When I test all of the ADH ciphers with OpenSSL s_client, none succeed:

    Testing ADH-SEED-SHA...NO (sslv3 alert handshake failure)
    Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
    Testing ADH-AES128-SHA...NO (sslv3 alert handshake failure)
    Testing ADH-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
    Testing ADH-DES-CBC-SHA...NO (sslv3 alert handshake failure)
    Testing EXP-ADH-DES-CBC-SHA...NO (sslv3 alert handshake failure)
    Testing ADH-RC4-MD5...NO (sslv3 alert handshake failure)
    Testing EXP-ADH-RC4-MD5...NO (sslv3 alert handshake failure)

I could use a second set of eyes here. Does secure.freshbooks.com permit ADH or not?


Thanks!
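Editor's note with an added example (not part of the thread above, and not code from the poster or from SSL Labs). In OpenSSL's cipher-string syntax, `ADH` matches only anonymous *DH* suites; anonymous *ECDH* suites have their own alias, `AECDH`, and the alias that covers every suite with no authentication is `aNULL`. The three suites the scanner reported are all `ECDH_anon`, which the `ADH-*` s_client tests never exercise, so a server built from `HIGH:!ADH` can fail the scan while every `ADH-*` probe is refused. The script below does two things: it flags anonymous key exchange in a list of suite names written either in IANA form (`_anon_`, as scanners print them) or in OpenSSL form (`ADH-`/`AECDH-`, with or without an `EXP-` prefix), and, when an `openssl` binary is on PATH, it expands an nginx `ssl_ciphers` string with `openssl ciphers -v` and returns the suites whose `Au=` column is `None`. The sample suite list is constructed for the example and was not captured from any host; which suites `HIGH` contains depends on the local OpenSSL build.

```python
"""Find anonymous (unauthenticated) cipher suites in scan output or a cipher string."""
import re
import shutil
import subprocess

# Constructed sample mixing IANA names (scanner style) and OpenSSL names.
# Not captured from any real host.
SAMPLE_SUITES = [
    "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "AECDH-AES256-SHA",
    "ADH-AES128-SHA",
    "EXP-ADH-DES-CBC-SHA",
    "DHE-RSA-AES256-SHA",
]

# IANA names mark anonymous key exchange with "_anon_"; OpenSSL names use the
# ADH (anonymous DH) and AECDH (anonymous ECDH) prefixes, optionally after "EXP-".
_ANON_PATTERN = re.compile(r"(_anon_)|(^(EXP-)?A(EC)?DH-)", re.IGNORECASE)


def is_anonymous(suite: str) -> bool:
    """True if the suite name denotes a key exchange with no authentication."""
    return bool(_ANON_PATTERN.search(suite))


def anonymous_suites(suites):
    """Return the anonymous subset of a suite list, preserving order."""
    return [s for s in suites if is_anonymous(s)]


def expand_cipher_string(spec: str):
    """Expand an OpenSSL cipher string with the local `openssl ciphers -v`.

    Returns a list of (openssl_name, auth) tuples parsed from the -v columns,
    [] if OpenSSL rejects the string, or None if no openssl binary is on PATH.
    """
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(
        ["openssl", "ciphers", "-v", spec],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:
        return []
    parsed = []
    for line in proc.stdout.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Columns look like: NAME  PROTO  Kx=...  Au=...  Enc=...  Mac=...
        auth = next((f.split("=", 1)[1] for f in fields if f.startswith("Au=")), "?")
        parsed.append((fields[0], auth))
    return parsed


def unauthenticated_from_spec(spec: str):
    """Suites an nginx ssl_ciphers string enables that OpenSSL marks Au=None."""
    expanded = expand_cipher_string(spec)
    if expanded is None:
        return None
    return [name for name, auth in expanded if auth == "None"]


if __name__ == "__main__":
    print("Anonymous suites in sample list:", anonymous_suites(SAMPLE_SUITES))
    # Compare the string from the post with one that excludes all anonymous suites.
    for spec in ("RC4-SHA:HIGH:!ADH", "RC4-SHA:HIGH:!aNULL"):
        print(f"{spec!r} enables Au=None suites:", unauthenticated_from_spec(spec))
```

Run it where nginx's OpenSSL lives: the `!ADH` string typically still lists `AECDH-*` suites with `Au=None`, while `!aNULL` lists none, which is the change to make in `ssl_ciphers`. The name-based check is the one to run over scanner output, since it recognises `_anon_` suites that a loop over `ADH-*` OpenSSL names never touches.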
