This is for Apache (& I’m running Ubuntu 14.04) I had been previously running my OC setup on my Mac Mini and found this awesome post (LinkedIN walled) OR ( Google cached version ) outlining SSL security settings that worked quite well last year. Caveat that since this guys post came out Apple did up…

Just a few remarks: Such instructions are very helpful but only a recommendation at the time of writing. https://bettercrypto.org/static/applied-crypto-hardening.pdf gives advice on the cipher selection for a number of servers. Turning off TLS1.0 could be a problem on Android systems: SSL Initiali…

[image] tflidd: Turning off TLS1.0 could be a problem on Android systems: SSL Initialisation failed with Nextcloud Android It’s not exactly this! The problem is not with Android System, but with Android App, than need poor or bad ciphers to communicate with server NC; ciphers based on SSLv3,…

If you want a good configuration for your server, you just need to follow the mozilla ssl configuration generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/ coma. :wink:

@Guillaume : “Intermediate” mode run with app Androids … but it’s not safe and correct. “Modern” mode prevents that those applications work - there are can not connect to the server. And with mode “ultra”, only with ECDHE ciphers, bye-bye the app!

in fact, you are right … can’t believe this ! all the client should use TLSv1.2 and ECDHE, we should not have to do this kind of tricks …

[image] Guillaume: all the client should use TLSv1.2 and ECDHE, we should not have to do this kind of tricks … I tested and changed my original post. Was told +TLSv1.1 & TLSv1.2 aren’t supported by the nextcloud desktop client — only +TLSv1 and below atm. So I edited it to include +TLSv1. Th…

[image] cloud: all the client should use TLSv1.2 and ECDHE, we should not have to do this kind of tricks … @Guillaume it might also be a problem to rely on Mozilla since they are propagating 256 cipher and TLS1.2 only has 128 as mandatory, so see discussion here https://forums.bitfire.at/topi…

@Guillaume @HucSte @cloud as for Android there is also this: // http://developer.android.com/reference/javax/net/ssl/SSLSocket.html which defines which ciphers are available on which Android version (in general) and which are actually activated by default.

That’s the plan for the Nextcloud Box: [oparoz] Tighten SSL config by oparoz on 07:57PM - 27 Sep 16 1 commits changed 3 files with 18 additions and 35 deletions. As can be seen on the compatibility list, support for Android <4.4 wo…

Hello Olivier, I think that the TLS configuration must be a collegiale decision on the Nextcloud project. The server side is quite easy to configure, but all the client must be up-to-date with this configuration ! As far as I know, Android client is not working with ECDH only, MacOS is working on…

Settings for hardened TLS/SSL & A+ on SSLlabs (Apache ssl.conf file)

📑 How to

oparoz September 29, 2016, 6:31pm 15

Updated the issue with a default config and a recommended one.

Which TLS config is supported by the clients?