Weak ciphers in ssllabs


Daniel Schröter

Mar 15, 2025, 12:18:27 PM
to BigBlueButton-dev
Hello,

a normal BBB installation results in grade A on ssllabs with weak ciphers activated. Those weak ciphers are not used by any (popular) client.
Are there any reasons why they are turned on?

If you implement the SSL config from the ssl-config tool from Mozilla (which is mentioned in haproxy.cfg)
https://ssl-config.mozilla.org/#server=haproxy&version=2.4.24&config=intermediate&openssl=3.4.2&guideline=5.7
this turns the weak ciphers off, and in the handshake simulation all important clients can still connect. The following very old clients could not connect anymore:
IE 11 / Win Phone 8.1
Safari 6 / iOS 6.0.1
Safari 7 / iOS 7.1
Safari 7 / OS X 10.9
Safari 8 / iOS 8.4
Safari 8 / OS X 10.10

Yes, I could set the following myself

ssl-default-bind-curves X25519:prime256v1:secp384r1
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets

in haproxy.cfg, but it gets overwritten every time by bbb-install:
https://github.com/bigbluebutton/bbb-install/blob/v3.0.x-release/bbb-install.sh#L744

Can you modify the default configuration, or is it really necessary to support these old clients?

Thanks!
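The post above describes two things a practitioner will want to automate: spotting which suites in ssl-default-bind-ciphers SSL Labs would call weak, and re-applying the Mozilla intermediate values after bbb-install has regenerated haproxy.cfg. The following is an added example, not code from the thread or from the BigBlueButton project. It assumes haproxy.cfg carries the ssl-default-bind-* directives one per line in its global section (as the values quoted above are laid out), and the weak/strong rule is an assumption modelled on what SSL Labs flags: a suite is treated as weak unless it offers forward secrecy (ECDHE/DHE) and uses an AEAD cipher (GCM or ChaCha20-Poly1305). The sample config at the bottom is constructed for the demo and is not the actual bbb-install default.

```shell
#!/bin/sh
# Added example (not from the thread or the BigBlueButton project).
# Assumes haproxy.cfg carries the ssl-default-bind-* directives in its
# global section, one per line, as the values posted in the thread do.
# The weak/strong rule is an assumption modelled on what SSL Labs flags:
# a suite is "weak" unless it has forward secrecy (ECDHE/DHE) and is an
# AEAD suite (GCM or ChaCha20-Poly1305).

# Mozilla "intermediate" values as posted in the thread
HARDENED_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305'
HARDENED_SUITES='TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'
HARDENED_OPTIONS='prefer-client-ciphers ssl-min-ver TLSv1.2 no-tls-tickets'

# weak_ciphers_in FILE
# Print, one per line and in config order, every TLS 1.2 suite listed in
# ssl-default-bind-ciphers that lacks forward secrecy or is not AEAD.
weak_ciphers_in() {
    awk '
        /^[[:space:]]*ssl-default-bind-ciphers[[:space:]]/ {
            n = split($2, suite, ":")
            for (i = 1; i <= n; i++) {
                pfs  = (suite[i] ~ /^(ECDHE|DHE)-/)
                aead = (suite[i] ~ /GCM|CHACHA20/)
                if (!pfs || !aead) print suite[i]
            }
        }' "$1"
}

# harden_haproxy_cfg FILE
# Rewrite the three ssl-default-bind-* directives in place with the
# hardened values. Idempotent, so it can be re-run (e.g. from a
# post-install hook) after bbb-install has regenerated the file.
harden_haproxy_cfg() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    awk -v c="$HARDENED_CIPHERS" -v s="$HARDENED_SUITES" -v o="$HARDENED_OPTIONS" '
        /^[[:space:]]*ssl-default-bind-ciphers[[:space:]]/      { sub(/ssl-default-bind-ciphers[[:space:]].*/, "ssl-default-bind-ciphers " c) }
        /^[[:space:]]*ssl-default-bind-ciphersuites[[:space:]]/ { sub(/ssl-default-bind-ciphersuites[[:space:]].*/, "ssl-default-bind-ciphersuites " s) }
        /^[[:space:]]*ssl-default-bind-options[[:space:]]/      { sub(/ssl-default-bind-options[[:space:]].*/, "ssl-default-bind-options " o) }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Demo on a constructed config (hypothetical; NOT the real bbb-install default).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
global
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2
EOF
echo "weak suites before:"; weak_ciphers_in "$demo_cfg"
harden_haproxy_cfg "$demo_cfg"
echo "weak suites after:";  weak_ciphers_in "$demo_cfg"
rm -f "$demo_cfg"
```

Run `harden_haproxy_cfg /etc/haproxy/haproxy.cfg` after bbb-install and reload haproxy; because the rewrite only touches the three ssl-default-bind-* lines and leaves the rest of the generated file alone, it can be re-run safely every time bbb-install overwrites the config. The ssl-default-server-* lines from the post can be handled the same way if the backend side needs it.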

Anton Georgiev

Mar 21, 2025, 2:30:46 PM
to BigBlueButton-dev
Hi Daniel,

You raise a good point!
Indeed, we don't support such old browsers in BBB. For example, BBB 2.7 states that the Safari version should be at least 12. In BBB 3.0 we are likely going to bump it to 16 due to some libraries' support.

About bbb-install: based on an internal discussion, what you are suggesting makes sense. Just wondering, would you be interested in contributing this change to bbb-install?

Anton

Daniel Schröter

Mar 22, 2025, 2:34:19 PM
to BigBlueButton-dev
Anton Georgiev wrote on Friday, 21 March 2025 at 19:30:46 UTC+1:
> would you be interested in contributing this change to bbb-install?

I can provide a PR, but I'm not going to sign a letter with my physical mailing address. So you have to patch it yourself ;-)
I can provide a normal patch file, but I'm sure you can modify these two lines yourself.

Thanks!

Daniel Schröter

May 13, 2025, 6:39:44 AM
to BigBlueButton-dev
So that it is not forgotten, I have created an issue.