Re: Implementing Encryption with the OWASP Advanced+ Setup
FWIW I just implemented the cipher suites for B (broad compatibility) and got a higher score on the Qualys SSL Labs test (got A+ both times but higher score on secure ciphers second time). I think that B should be enough unless you want to really start locking down. I wouldn't go any higher than B on a public web server anyway.

Andrew.

-----Original Message-----
From: Andrew Hodgson <andrew@hodgson.io>
Sent: 05 January 2019 23:52
To: Blind sysadmins list <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Re: Implementing Encryption with the OWASP Advanced+ Setup

Hi,

I would check you are using the correct SSL versions as well, as the A+ needs TLS 1.2 with those ciphers, so any other TLS version wouldn't work. You cannot make exceptions for specific clients, as the handshake is done as the first step, so the client isn't even identified. You can of course configure the strings in different servers differently. I think you may be able to get away with B now on web servers, but if you are dealing with other protocols (especially IMAP/S and SMTP/S) I would set these to C. Which reminds me, I need to check my own list as it is out of date.

Andrew.

-----Original Message-----
From: David Mehler <dave.mehler@gmail.com>
Sent: 05 January 2019 17:55
To: blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Implementing Encryption with the OWASP Advanced+ Setup

Hello,

I'm trying to update my server security. I'm wanting to implement the OWASP recommended Advanced+ setup. For reference that is:
https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

My client compatibility I thought was good, using Firefox 57, Chrome (the latest, I just updated it from Ninite), IE11 on Win10, and AquaMail as an Android client.

My TLS cipher suite I'm using for the Advanced+ configuration is:
DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

Having set this, nothing is working; I'm getting TLS connection errors: cannot negotiate a compatible protocol or cipher. This tells me the protocols and ciphers are too restrictive; I was under the impression this should work. Does anyone have this implemented? Can you make exceptions for certain clients? I'll go that way if I have to. The services I'm trying to get going are Apache v2.4, Postfix 3.3, and Dovecot 2.3. My OpenSSL version is 1.0.2q 20 Nov. 2018.

Suggestions welcome.
Thanks.
Dave.

_______________________________________________
Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org
To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org
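A way to check Andrew's point before touching a server, as an added example that is not part of the thread: expanding Dave's cipher string through the local OpenSSL (the same thing `openssl ciphers -v` prints) shows that every one of those four suites is a TLSv1.2-only suite, so a peer that does not offer TLS 1.2 cannot negotiate anything regardless of which suites it supports. The function names are my own; `can_negotiate` is a deliberately simplified model of the ClientHello/ServerHello intersection (versions and suites only), not a real handshake. On OpenSSL 1.1.1 or newer, `get_ciphers()` also lists the TLS 1.3 suites, which the cipher string does not control, so they are filtered out by their `TLS_` prefix.

```python
import ssl

# Dave's Advanced+ cipher string, copied from the message above.
ADVANCED_PLUS = (
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
)


def expand_cipher_string(cipher_string):
    """Map cipher name -> protocol version for every suite the local OpenSSL
    enables for this string. Raises ssl.SSLError if nothing matches, which is
    the same failure a server would log as 'no cipher can be selected'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def pre13_protocols(cipher_string):
    """Same as expand_cipher_string, minus the TLS 1.3 suites (TLS_* names),
    which OpenSSL always includes and which set_ciphers() does not govern."""
    return {
        name: proto
        for name, proto in expand_cipher_string(cipher_string).items()
        if not name.startswith("TLS_")
    }


def required_versions(cipher_string):
    """Set of protocol versions a client must offer to use any of these suites."""
    return set(pre13_protocols(cipher_string).values())


def can_negotiate(cipher_string, client_versions, client_ciphers):
    """Simplified model (assumption, not a real handshake): the server picks
    from the client's offered suites those it also enables and whose protocol
    the client offers. Nothing here depends on who the client is, which is why
    per-client exceptions to a cipher string are not possible."""
    server = pre13_protocols(cipher_string)
    return sorted(
        name
        for name in client_ciphers
        if name in server and server[name] in client_versions
    )


if __name__ == "__main__":
    for name, proto in pre13_protocols(ADVANCED_PLUS).items():
        print(f"{name:30} {proto}")
    print("versions required:", required_versions(ADVANCED_PLUS))
    # Constructed client offers: an old client without TLS 1.2, and a
    # modern one that has it.
    legacy = can_negotiate(ADVANCED_PLUS, {"TLSv1", "TLSv1.1"},
                           ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"])
    modern = can_negotiate(ADVANCED_PLUS, {"TLSv1.2"},
                           ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"])
    print("legacy client gets:", legacy)   # nothing: no TLS 1.2 offered
    print("modern client gets:", modern)   # the one ECDHE GCM suite both share
```

The `required_versions` result is the thing to compare against each daemon's protocol setting (Apache `SSLProtocol`, Postfix `smtpd_tls_mandatory_protocols`, Dovecot `ssl_min_protocol`): if TLS 1.2 is not permitted there, the suite list above is unreachable and every connection fails exactly as Dave describes.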