Skip to content

Instantly share code, notes, and snippets.

@Synchro
Last active August 10, 2016 10:16
Show Gist options
  • Save Synchro/85fa87758bf7804d0131c74c574138f3 to your computer and use it in GitHub Desktop.
Save Synchro/85fa87758bf7804d0131c74c574138f3 to your computer and use it in GitHub Desktop.
better.fyi cipher issue

Chrome 54 cipher list (from https://www.ssllabs.com/ssltest/viewMyClient.html):

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   Forward Secrecy	256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   Forward Secrecy	256
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)   Forward Secrecy	256
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)   Forward Secrecy	256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy	128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy	128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   Forward Secrecy	256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy	256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy	128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy	128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy	256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy	256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)	128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)	256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)	128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)	256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)

Ciphers offered by better.fyi (from a testssl.sh scan):

 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM    256
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 521   AES       256
 xc014   ECDHE-RSA-AES256-SHA              ECDH 521   AES       256
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM    256
 x6b     DHE-RSA-AES256-SHA256             DH 2048    AES       256
 x39     DHE-RSA-AES256-SHA                DH 2048    AES       256
 x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia  256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 521   AESGCM    128
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 521   AES       128
 xc013   ECDHE-RSA-AES128-SHA              ECDH 521   AES       128
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM    128
 x67     DHE-RSA-AES128-SHA256             DH 2048    AES       128
 x33     DHE-RSA-AES128-SHA                DH 2048    AES       128
 x9a     DHE-RSA-SEED-SHA                  DH 2048    SEED      128
 x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia  128

The problem occurs because they do not have any ciphers in common (compare the hex codes). better.fyi should add some ciphers to the ssl_ciphers list in nginx, especially ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256, which will bring back Chrome compatibility.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment