Trouble with forward secrecy

Hi,

I'm having trouble seeing site stats on Jetpack in my WordPress site. WordPress tech help has suggested that it's something to do with forward secrecy or not having installed SSL properly. I have tried re-installing Jetpack on my website, which didn't help, so I am assuming the problem is here.

My domain is: stephaniehoathlete.com.au

Any help would be much appreciated.

Thanks!
Stephanie

2 Likes

Welcome to the Let's Encrypt Community, Stephanie 🙂

Some of your key exchange mechanisms are weak and may not provide perfect forward secrecy. You will want to update your list of accepted ciphers in your Apache webserver configuration.

2 Likes

Your Apache server configuration has no applied cipher preference order; use:
SSLHonorCipherOrder On

You might also take a look at setting:
ProtocolsHonorOrder On

1 Like

Depending on the cipher suites configured, this is (with a relatively modern cipher suite list) discouraged by Mozilla actually:

"The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES"
(https://wiki.mozilla.org/Security/Server_Side_TLS)

1 Like

If you only include ciphers that pass all your tests, their choice results would be "equally" secure.
But there is always that one cipher that gets included because one device can't do anything "secure".
And thus if you don't maintain order, then any device could potentially use that "insecure" cipher (not just those that can't do anything better).
[I leave nothing to chance and leave absolutely nothing to be secured by others]

1 Like
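To check the two points debated above against a real configuration (which listed suites lack forward secrecy, and whether server-side ordering is in effect), here is an added example that is not part of the original thread. The sample vhost is constructed, the function names are hypothetical, and the audit only understands explicit OpenSSL suite names; keyword expressions such as `HIGH:!aNULL` are reported as unexpanded.

```python
import re

# Constructed sample vhost for illustration; not the configuration of the site in this thread.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA
    # SSLHonorCipherOrder On
</VirtualHost>
"""

# Heuristic for "this entry is a full suite name", e.g. ECDHE-RSA-AES128-GCM-SHA256.
EXPLICIT = re.compile(r"^[A-Z0-9]+(?:[-_][A-Z0-9]+)+$")

def directive(conf, name):
    """Last uncommented value of an Apache directive (names are case-insensitive)."""
    value = None
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            value = parts[1].strip()
    return value

def is_forward_secret(suite):
    # OpenSSL names: ECDHE-/DHE-/EDH- mean an ephemeral Diffie-Hellman key exchange;
    # TLS 1.3 suites (TLS_...) always use one. Anything else is flagged as lacking it.
    return suite.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))

def audit(conf):
    # SSLCipherSuite may carry an optional protocol argument; the list is the last token.
    tokens = (directive(conf, "SSLCipherSuite") or "").split()
    entries = [e for e in tokens[-1].split(":") if e] if tokens else []
    suites = [e for e in entries if EXPLICIT.match(e)]
    last_fs = max((i for i, s in enumerate(suites) if is_forward_secret(s)), default=-1)
    return {
        # Suites without forward secrecy that a client could end up negotiating.
        "non_fs": [s for s in suites if not is_forward_secret(s)],
        # Apache's default is Off: the client's preference decides among shared suites.
        "server_order": (directive(conf, "SSLHonorCipherOrder") or "off").lower() == "on",
        # True when a non-forward-secret suite is listed ahead of a forward-secret one.
        "non_fs_before_fs": any(not is_forward_secret(s) for s in suites[:max(last_fs, 0)]),
        # Keyword expressions need `openssl ciphers -v '<string>'` to expand; not judged here.
        "unexpanded": [e for e in entries if not EXPLICIT.match(e)],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

An empty `non_fs` list makes the ordering question moot for forward secrecy; a non-empty one with `server_order` false means any client offering those suites can select them.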

By "having trouble seeing site stats", did you mean that Jetpack doesn't seem to collect the stats properly, or that you get a browser error when you try to view the stats, or something else? I'm just trying to understand what the WordPress support people might be referring to.

The other advice in this thread is potentially helpful, but I don't immediately understand how it would relate to the advice you got from WordPress support.

Also, I think your project may be the most challenging one for which anyone has ever used a Let's Encrypt certificate ... not the web site, but the underlying project!

2 Likes

The jetpack homepage just comes up as blank. I have tried deleting and reinstalling but that hasn't changed anything.

Do you know if that was the case before you had your certificate?

Do you have access to any server logs that could show if there's an error on the server side?
