Configuring Older Cipher Suite Support for Servers - Mozilla TLS Config

I’ve just in the last 2 days installed https using letsencrypt following the recipe at meta.discourse.org and it works fine for browsers, and I get an A+ rating on ssllabs.

But I have a client with support only for ancient ciphers.

So, how can I enable TLS_DHE_RSA_WITH_AES_256_CBC_SHA, which is actually enabled for TLS 1.0 for this site https://community.letsencrypt.org/ as per the SSLLABS report?

Hi @gchiu,

I would suggest using

https://mozilla.github.io/server-side-tls/ssl-config-generator/

You can then find the corresponding configuration lines in your web server configuration files and change them to those that the Mozilla generator suggested to you. In particular, if you choose “Old” instead of “Intermediate”, it will generate a configuration that will work with older clients. (The configuration that you have now is probably your web server’s default for HTTPS; unless I misread something in that recipe, I don’t believe that the recipe actually changed the defaults when enabling HTTPS.)
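Whichever profile the generator hands you, the line that ends up in the web server configuration is an OpenSSL cipher string (nginx's `ssl_ciphers`), and OpenSSL's names differ from the IANA `TLS_*` names that SSL Labs prints: `TLS_DHE_RSA_WITH_AES_256_CBC_SHA` is `DHE-RSA-AES256-SHA` in that string. The script below is an added example, not code from this thread, from Discourse or from Mozilla; it expands a candidate `ssl_ciphers` string exactly as OpenSSL will and reports whether the suite the client needs is in it, plus which of the enabled suites are SHA-1-MAC legacy suites that only such clients benefit from. The two cipher strings are constructed samples, not the generator's actual "Old" or "Intermediate" output.

```python
import ssl

# IANA (SSL Labs) name -> OpenSSL name. Only the suite from this thread is
# mapped; extend the table for other suites you need to locate.
IANA_TO_OPENSSL = {
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
}

# Constructed sample strings (not Mozilla's real profiles): one without the
# legacy suite, and the same list with it appended at the lowest priority.
CIPHERS_WITHOUT_LEGACY = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
CIPHERS_WITH_LEGACY = CIPHERS_WITHOUT_LEGACY + ":DHE-RSA-AES256-SHA"


def expand_cipher_list(cipher_string):
    """Return the cipher entries OpenSSL enables for an ssl_ciphers string,
    in the priority order the server will offer them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def suite_enabled(cipher_string, iana_name):
    """True if the suite (given by its IANA name) is in the expanded list."""
    openssl_name = IANA_TO_OPENSSL.get(iana_name, iana_name)
    return any(c["name"] == openssl_name for c in expand_cipher_list(cipher_string))


def legacy_suites(cipher_string):
    """Names of enabled suites using an HMAC-SHA1 record MAC (CBC-SHA suites).
    These are the ones that exist only to serve old clients; keep them at the
    end of the list so modern clients never negotiate them."""
    return [
        c["name"]
        for c in expand_cipher_list(cipher_string)
        if "Mac=SHA1" in c["description"]
    ]


if __name__ == "__main__":
    target = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
    for label, ciphers in (("without", CIPHERS_WITHOUT_LEGACY),
                           ("with", CIPHERS_WITH_LEGACY)):
        print(f"{label} legacy suite: {target} enabled = "
              f"{suite_enabled(ciphers, target)}, "
              f"SHA1-MAC suites = {legacy_suites(ciphers)}")
```

Two things the cipher string alone does not control, and which the SSL Labs report shows separately: the protocol versions a client can use come from `ssl_protocols`, so a client that only speaks TLS 1.0 also needs `TLSv1` listed there, and nginx only offers DHE suites when `ssl_dhparam` points at a parameter file; generate one with at least 2048-bit parameters rather than relying on a smaller group.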

What values are you using on this site for

I’m hoping that if I have the same on my discourse site I should then be okay.

I think this site is using the default Discourse HTTPS configuration, but I’m not sure of that (maybe @jsha knows). The Mozilla configuration generator is likely to be a source of good advice, though: they’ve carefully researched exactly what client versions you’ll achieve compatibility with by taking their recommendations.

I also used the defaults for my discourse site, but I only have 2 cipher suites for TLS 1.0 and your site has 4, so I was wondering if the settings in the web.ssl.template.yml file were different to account for that.

We don’t directly manage the TLS config for this Discourse instance. We use Discourse’s hosted service.
