Forum

Hi,

I'm using SSleuth, a firefox addon that ranks an established SSL connection to estimate the connection strength. It also gives a brief summary of the important SSL connection parameters:
https://addons.mozilla.org/en-US/firefox/addon/ssleuth/
https://github.com/sibiantony/ssleuth

Only minor issue it shows with my hiawatha webserver is the used HMAC algorithm: SHA-1
I wonder if I can use SHA-256, too?

PS: It's the same for this webserver here. See the screenshot:


Hiawatha version: 9.7
Operating System: Debian

Greetings

Looks like SSL needs AES128 in order to use SHA256 and Firefox does not like SHA384. Change ciphersuites_tls12[] at line 82 in src/ssl.c to

static int ciphersuites_tls12[] = {
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
    TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
    0
};

This gave me a one point higher SSLeuth score.

So is this actually a Firefox issue? Do other browser support AES256 with SHA384? Sadly I have no idea how to check this in Chrome

It's not a big issue. I've fixed this for v9.9. Hiawatha and Firefox will then use AES128 with SHA256 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256), which will result in an 8.8 score.