Trouble with forward secrecy

moonlightguardian · December 16, 2020, 7:25am

Hi,

I'm having trouble seeing site stats on Jetpack in my wordpress site. Wordpress tech help has suggested that it's something to do with forward secrecy or not having installed SSL properly. I have tried re-installing Jetpack on my website which didn't help so I am assuming the problem is here.

My domain is: stephaniehoathlete.com.au

Any help would be much appreciated.

Thanks!
Stephanie

griffin · December 16, 2020, 8:42am

Welcome to the Let's Encrypt Community, Stephanie

Some of your key exchange mechanisms are weak and may not provide perfect forward secrecy. You will want to update your list of accepted ciphers in your Apache webserver configuration.

rg305 · December 16, 2020, 11:04am

Your Apache server configuration has no applied cipher preference order; use:
SSLHonorCipherOrder On

You might also take a look at setting:
ProtocolsHonorOrder On

Osiris · December 16, 2020, 12:05pm

Depending on the cipher suites configured, this is (with a relatively modern cipher suite list) discouraged by Mozilla actually:

The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
(https://wiki.mozilla.org/Security/Server_Side_TLS)

rg305 · December 16, 2020, 12:10pm

If you only include ciphers that pass all your tests, their choice results would be "equally" secure.
But there is always that one cipher that gets included because one device can't do anything "secure".
And thus if you don't maintain order, then any device could potentially use that "insecure" cipher (not just those that can't do anything better).
[I leave nothing to chance and leave absolutely nothing to be secured by others]

schoen · December 17, 2020, 8:37pm

By "having trouble seeing site stats", did you mean that Jetpack doesn't seem to collect the stats properly, or that you get a browser error when you try to view the stats, or something else? I'm just trying to understand what the WordPress support people might be referring to.

The other advice in this thread is potentially helpful, but I don't immediately understand how it would relate to the advice you got from WordPress support.

Also, I think your project may be the most challenging one for which anyone has ever used a Let's Encrypt certificate ... not the web site, but the underlying project!

moonlightguardian · December 19, 2020, 7:59am

The jetpack homepage just comes up as blank. I have tried deleting and reinstalling but that hasn't changed anything.

schoen · December 19, 2020, 8:13pm

Do you know if that was the case before you had your certificate?

Do you have access to any server logs that could show if there's an error on the server side?