Err:1 tor+https://deb.whonix.org bookworm-developers InRelease
Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
Reading package lists⌠Done
E: Failed to fetch tor+https://deb.whonix.org/dists/bookworm-developers/InRelease Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
E: Some index files failed to download. They have been ignored, or old ones used instead.
nginx ssl_stapling_file:
- How often ssl_stapling_file picks up an updated file?
- Re: How often ssl_stapling_file picks up an updated file?
Now hopefully fixed.
SSL_ERROR_RX_RECORD_TOO_LONG
Side note:
DHE suites not supported: This server doesnât support the Diffie-Hellman (DH) key exchange.
Since our certificate is based on ECDSA (Not RSA), we dont need DHE for PFS.
Although this owasp cheat sheet says to use DHE but it doesnt point out if you are using ECDSA vs RSA. Thus using ffdhe8192 (or lower variants) is only for backward compatibility were devices doesnât support elliptic curve and rely on DHE (which is something against the principle of keep it safe and updated) for connection.
cc @Patrick
OCSP deprecated upstream:
Therefore disabled:
Daniel Winzen (danwin) made a test on using X448 only for the server:
Result: It didnt work/connect, It shows Error code:SSL_ERROR_NO_CYPHER_OVERLAP = LulzSec
(investigation needed to know where is the issue)
But we know for sure that
sect571r1, sect571k1, secp521r1, brainpoolP512r1, sect409r1, sect409k1
This is not about post-quantum resistant or not, just best security practice.
For post quantum specifically:
There isnt real pure PQC used/supported yet by browsers, only hybrid one which is X25519+ML-KEM-768, This is not available in debian 12 nor in 13 due to lack the of OQS Provider package (unless git clone used of courseâŚ).
What can be done in my opinion:
- Keep x448, x25519
- Add sect571r1, sect571k1
- Remove the rest
By having this done we dont lose any preferred key while keeping best secure ones.
Any functional and recommended nginx ssl_ecdh_curve (or other) setting?
After further dig up and testing, x448 and x25591 are enough (doesnt matter which comes first):
ssl_ecdh_curve x448:x25519;
Note: Both browsers FF and Chromium based doesnt load x448 if used alone.
What left after this we wait until pure PQC becomes reality and supported by browsers and SSL libraries.
With this configuration, ssllabs will bug out.
HTTP request to this server failed, see below for details.
Strict Transport Security (HSTS) Unknown (failed HTTP request?)
No other changes. Reverted. ssllabs no longer bugging out.
Already been there a while agoâŚ
Yeah they are using old, not updated checker, compare that to another checkers like hardenizer or so, you wont find something wrong.
Unrelated to make the keys 100%, because even this checker is based on RSA calculations not ECC (there is no 4096 key size you can get from ECC).
No issues on hardenize indeed with that setting.
What do you mean by 100%? On ssllabs?
Doesnât seem very useful to me to chase 100% on unmaintained test website ssllabs.
The penalty being:
Strict Transport Security (HSTS) Unknown (failed HTTP request?)
This has more potential for FUD than the 90 vs 100% which is the norm.
SSL Server Test: goldhammer.se (Powered by Qualys SSL Labs) has âall 100%â, no HSTS error but
sect571r1, sect571k1, secp521r1, brainpoolP512r1, sect409r1, sect409k1, brainpoolP384r1, secp384r1 (server preferred order)
So forgetting about any unmaintained test websitesâŚ
What actual authoritative recommendations exist?
https://ssl-config.mozilla.org with choice âmodernâ (âbestâ) suggest:
ssl_ecdh_curve X25519:prime256v1:secp384r1;
Good?
In nixos/nginx: add ssl_ecdh_curve to recommendedTlsSettings, remove ssl_stapling by teutat3s ¡ Pull Request #428594 ¡ NixOS/nixpkgs ¡ GitHub it is currently being suggested the same as above:
ssl_ecdh_curve X25519:prime256v1:secp384r1;
Maybe dicuss im above ticket for wider input on best settings.
Yes in ssllabs, old software
Yeah forget about ssllabs, just broken.
Hes using old keys, everything in that website is RSA based. This can be considered the best before 15 years ago, not now.
Yep good, adding x448 wont harm as well.
Using that now.
When upgrading to trixie, add support to QUIC/HTTP3:
Make sure to disable 0-RTT in TLS:
Quote Support for QUIC and HTTP/3
To enable 0-RTT:
ssl_early_data on;
Quote Module ngx_http_ssl_module
Syntax: ssl_early_data on off;Default: ssl_early_data off; Context: http,serverThis directive appeared in version 1.15.3.
Enables or disables TLS 1.3 early data.
Since default is off, there is no further action required.
Based on the linkability issue of QUIC, it can be mitigated by:
- Disable RTT-0 (good not enabled by default)
- Make sure that
quic_active_connection_id_limit 2;(lowest) - Make sure to disable
quic_retry off;
Preferable for extra measurement:
ssl_session_cache off; Disable resumption cache
ssl_session_tickets off; Disable TLS 1.3 resumption tickets