[Qgis-developer] Certificate update QGIS servers

Alex Mandel tech_dev at wildintellect.com
Thu Aug 6 21:10:27 PDT 2015


On 08/06/2015 09:51 AM, Alex Mandel wrote:
> On 08/06/2015 03:29 AM, Richard Duivenvoorde wrote:
>> Hi,
>>
>> FYI we updated the certificates for
>> hub.qgis.org
>> plugins.qgis.org
>>
>> While I was pretty sure we scored an A on
>> https://www.ssllabs.com/ssltest/index.html
>>
>> Now hub (on osgeo) scores a C, while plugins (qgis2) still scores an A...
>> both apache servers share the same config (but different versions of Apache)
>>
> 
> Are you sure it's the same config? It might be just a few extra ciphers
> in the SSL config that should be disabled for known security reasons.
> The SSL lab test usually tells you exactly why you scored low.
> 

Looking at the report, I am correct: it's just some tweaks to be made to
the SSL config on Apache. The newer sites don't have this issue because
the defaults on newer Debian versions are safer.

"
This server supports weak Diffie-Hellman (DH) key exchange parameters.
Grade capped to B.
The server supports only older protocols, but not the current best TLS
1.2. Grade capped to C.
The server does not support Forward Secrecy with the reference browsers.
"


I'll try to make some fixes to it this weekend.

-Alex
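
Added example, not part of the original thread and not the QGIS servers' configuration: a simplified Python model of how mod_ssl resolves `SSLProtocol` tokens, showing one way an identical directive can enable different protocol sets on two hosts and trip the "not the current best TLS 1.2" finding on only one. The directive in `SHARED_CONFIG` and the two capability sets are constructed assumptions.

```python
# Added example: simplified model of mod_ssl's SSLProtocol token handling.
# The capability sets and the sample directive are constructed, not taken
# from hub.qgis.org or plugins.qgis.org.

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Assumed builds: TLSv1.1 and TLSv1.2 first appeared in OpenSSL 1.0.1.
OLD_OPENSSL = {"SSLv2", "SSLv3", "TLSv1"}
NEW_OPENSSL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def effective_protocols(directive, supported):
    """Return the protocols an 'SSLProtocol ...' line enables on a given build."""
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive")
    enabled = set()
    for word in words[1:]:
        action = word[0] if word[0] in "+-" else ""
        name = word[1:] if action else word
        if name.lower() == "all":
            chosen = set(supported)        # 'all' is whatever the build offers
        else:
            match = [p for p in KNOWN if p.lower() == name.lower()]
            if not match:
                raise ValueError("unknown protocol: " + name)
            chosen = set(match) & set(supported)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen               # a bare token replaces the current set
    return enabled


def lacks_tls12(directive, supported):
    """True when the 'not the current best TLS 1.2' report line would apply."""
    return "TLSv1.2" not in effective_protocols(directive, supported)


SHARED_CONFIG = "SSLProtocol all -SSLv2"   # constructed sample directive

if __name__ == "__main__":
    for label, build in (("older build", OLD_OPENSSL), ("newer build", NEW_OPENSSL)):
        protos = sorted(effective_protocols(SHARED_CONFIG, build))
        print(label, protos, "lacks TLS 1.2:", lacks_tls12(SHARED_CONFIG, build))
```

In this model, a host whose TLS library has no TLS 1.2 support cannot clear that finding by editing `SSLProtocol` alone; the library has to be upgraded as well.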
