SSL Implementation soon...

Announcements related to BNT and the BlackNova.net site.

User avatar
TheMightyDude
Site Admin
Posts: 247
Joined: Thu Apr 17, 2014 9:15 am

Re: SSL Implementation soon...

Post by TheMightyDude » Sat Jul 30, 2016 8:30 pm

thekabal wrote:
TheMightyDude wrote: So the only issues is that Android 2.3.7, IE 6, IE 8 / XP and Java 6u45 won't be able to access the site, so no loss there then LOL.
Truth. While BNT is definitely an "old-school" game, people need to run browsers less than 5 years old (IE9). I mean, that isn't an unreasonable requirement at all. They are literally unsafe using browsers that old, so it is more of a public service than anything else.

On the TKI side, I'm anxiously awaiting the release of PHP-7.1, we are going to require it so we can get void return types. I am absolutely shocked at how many errors were in the game from loose typing and assumptions about what type some variables were. Its an unreasonable requirement to be sure, but I'd rather be ahead of most and squash the bugs now. That way when everyone else (hosting companies, etc) catch up, the game is ready and solid.
Well I can understand the IE versions on XP due to there are a fair amount of people that are still refusing to budge from XP, but Android 2.3.7 who is still using that version, like my phone is very old and that runs Android 4.1.2 so 2.3.7 must really be old LOL, now Java 6u45 there is no excuses, Java is free and has had loads of updates since then.

As for the code with errors, hell yeah, the code that I use to run on the last server just plain refuses to run on here, I did finally manage to get it to start up after loads of code changes etc, but I wouldn't run that code due to there is probably loads more errors that I haven't seen yet.

I thought PHP already had void returns, i.e. a function that returns from a function with no value.
Or is this something else completely ?
Its been well over a year since I have even touched PHP, so I am having to start learning this stuff again :(

But yeah, I agree you need to plan ahead, but I think it will be a very long time for even version 7 to be as standard on the Ubuntu LTS version, which is currently running I think v5.5.9 of PHP.
TheMightyDude::Blacknova Development.
Development Blog Twitter Twitch

User avatar
TheMightyDude
Site Admin
Posts: 247
Joined: Thu Apr 17, 2014 9:15 am

Re: SSL Implementation soon...

Post by TheMightyDude » Sun Jul 31, 2016 1:13 pm

Ok, I just noticed that other link: https://cipherli.st/ Now how I missed that link I don't know.

So I used parts of their version:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
And added two more parts to the above to result in the following:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH+SHA:AES128+EDH+SHA
So the above line is 1/6 the size of what I was using before, but my old version was more specific and hardcoded the exact required ones, where as the above wildcard version seems to use the same, however it might have others that wasn't listed in the tests, but at least its shorter :)

This is what each Suites provide in that test:
[EECDH+AESGCM] <== All EECDH with AES + GCM
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 	(0xc030)	ECDH secp256r1 (eq. 3072 bits RSA)   FS  256 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 	(0xc02f)	ECDH secp256r1 (eq. 3072 bits RSA)   FS  128 

[EDH+AESGCM] <== All EDH with AES + GCM
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 	(0x9f)		DH 4096 bits   FS  256 
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 	(0x9e)		DH 4096 bits   FS  128 

[AES256+EECDH] <== All AES256 part of EECDH
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 	(0xc030)	ECDH secp256r1 (eq. 3072 bits RSA)   FS  256 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 	(0xc028)	ECDH secp256r1 (eq. 3072 bits RSA)   FS  256 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 	(0xc014)	ECDH secp256r1 (eq. 3072 bits RSA)   FS  256 

[AES256+EDH] <== All AES256 part of EDH
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 	(0x9f)   	DH 4096 bits   FS  256 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 	(0x6b)   	DH 4096 bits   FS  256 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 	(0x39)   	DH 4096 bits   FS  256


These last two was to resolve the issues with it displaying Server sent fatal alert: handshake_failure, my OCD kicked in and I just had to resolve those issues without loosing any security, I could support those devices on this server due to they are old and don't support Server Name Indication (SNI) and you need to use SNI when you use multiple domains and SSL Certs.
[AES128+EECDH+SHA] <== All AES128 part of EECDH with SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 	(0xc013)	ECDH secp256r1 (eq. 3072 bits RSA)   FS  128 

[AES128+EDH+SHA] <== All AES128 part of EDH with SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 	(0x33)		DH 4096 bits   FS  128
So I think I will leave it as that before I break something :roll:

But good call on those sites, I was unaware of the SSLv3 issues etc.
TheMightyDude::Blacknova Development.
Development Blog Twitter Twitch

thekabal
Posts: 92
Joined: Sat Apr 19, 2014 10:32 pm

Re: SSL Implementation soon...

Post by thekabal » Sun Jul 31, 2016 1:34 pm

TheMightyDude wrote: Well I can understand the IE versions on XP due to there are a fair amount of people that are still refusing to budge from XP, but Android 2.3.7 who is still using that version, like my phone is very old and that runs Android 4.1.2 so 2.3.7 must really be old LOL, now Java 6u45 there is no excuses, Java is free and has had loads of updates since then.
I was going to make a snarky comment about XP, but it looks like you are right! 10% usage share is insane. It is a 15 year old operating system! C'mon people!

The Java, oddly, I have an explanation for. Many servers (HP & Dell) have iDrac and iLo panels that will not run with the latest Java. The net result is that some admins keep a VM or machine that still runs an old Java so they can do management of their servers. They shouldn't be browsing in general with that, but people can make bad choices. ;)
TheMightyDude wrote:I thought PHP already had void returns, i.e. a function that returns from a function with no value.
Or is this something else completely ?
Its been well over a year since I have even touched PHP, so I am having to start learning this stuff again :(
I wasn't terribly clear. PHP 7.0 added the concept of strongly-typed return types. Void was missing from the list, which prevents a good number of our methods/functions from being able to be documented. Here is the RFC (accepted and implemented in PHP 7.1) for void return types.
TheMightyDude wrote:But yeah, I agree you need to plan ahead, but I think it will be a very long time for even version 7 to be as standard on the Ubuntu LTS version, which is currently running I think v5.5.9 of PHP.
Thankfully, Ubuntu 16.04 (the most recent LTS version) includes PHP 7.0 by default!

PHP 7.1 will indeed be a very long way off. I'd guess probably something like two or three years before it is commonly available. That isn't to say it can't be installed and run on a host, and I'm 100% OK with having strong requirements to be able to run the game. I won't force the requirement to 7.1 in TKI until I have a supportable way to install (repo, ppa, etc) PHP 7.1 on BOTH CentOS 7 and Ubuntu. My hosting provider for kabal-invasion is on CentOS 7. My desktop is currently running Ubuntu, oddly enough. It was the only one that could get my Radeon R9 390 working correctly. I hoped that Fedora would, as its my favorite, but the last two releases still crash for my card. :(

Soon, I'd guess probably by October, there will be repos and/or versions of the O/S with PHP-7.1, and that is when I'll add the strict typing for returns including voids, pushing TKI to 7.1. But not until both (CentOS7 and Ubuntu) have a way to do it. I won't struggle with maintaining my systems and/or having massive differences between dev and prod.

User avatar
TheMightyDude
Site Admin
Posts: 247
Joined: Thu Apr 17, 2014 9:15 am

Re: SSL Implementation soon...

Post by TheMightyDude » Sat Aug 17, 2019 11:05 pm

Just a quick update...
I have updated the SSLCipherSuite and Protocols used on our server due to loads have now become weak.
So the server will now use the following Ciphers:

    0x13,0x02 - TLS_AES_256_GCM_SHA384          TLSv1.3 Kx=any     Au=any    Enc=AESGCM(256)
    0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256    TLSv1.3 Kx=any     Au=any    Enc=CHACHA20/POLY1305(256)
    0x13,0x01 - TLS_AES_128_GCM_SHA256          TLSv1.3 Kx=any     Au=any    Enc=AESGCM(128)
    0x00,0xA2 - DHE-DSS-AES128-GCM-SHA256       TLSv1.2 Kx=DH      Au=DSS    Enc=AESGCM(128)
    0x00,0xA3 - DHE-DSS-AES256-GCM-SHA384       TLSv1.2 Kx=DH      Au=DSS    Enc=AESGCM(256)
    0xC0,0xA2 - DHE-RSA-AES128-CCM8             TLSv1.2 Kx=DH      Au=RSA    Enc=AESCCM8(128)
    0x00,0x9E - DHE-RSA-AES128-GCM-SHA256       TLSv1.2 Kx=DH      Au=RSA    Enc=AESGCM(128)
    0xC0,0xA3 - DHE-RSA-AES256-CCM8             TLSv1.2 Kx=DH      Au=RSA    Enc=AESCCM8(256)
    0x00,0x9F - DHE-RSA-AES256-GCM-SHA384       TLSv1.2 Kx=DH      Au=RSA    Enc=AESGCM(256)
    0xCC,0xAA - DHE-RSA-CHACHA20-POLY1305       TLSv1.2 Kx=DH      Au=RSA    Enc=CHACHA20/POLY1305(256)
    0xC0,0xAE - ECDHE-ECDSA-AES128-CCM8         TLSv1.2 Kx=ECDH    Au=ECDSA  Enc=AESCCM8(128)
    0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH    Au=ECDSA  Enc=AESGCM(128)
    0xC0,0xAF - ECDHE-ECDSA-AES256-CCM8         TLSv1.2 Kx=ECDH    Au=ECDSA  Enc=AESCCM8(256)
    0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH    Au=ECDSA  Enc=AESGCM(256)
    0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305   TLSv1.2 Kx=ECDH    Au=ECDSA  Enc=CHACHA20/POLY1305(256)
    0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256     TLSv1.2 Kx=ECDH    Au=RSA    Enc=AESGCM(128)
    0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=ECDH    Au=RSA    Enc=AESGCM(256)
    0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305     TLSv1.2 Kx=ECDH    Au=RSA    Enc=CHACHA20/POLY1305(256)

Ciphers marked in Yellow are available, just not used as yet due to it requires TLSv1.3, the green ones are what is being used, I have only been able to see it use the light green Ciphers, its the same with the checks / tests.

Sadly this has resulted in several old devices not supporting these new Cipher and especially the Protocol changes.
Sorry to say good bye to our Window Users running IE versions lower than 11, Window users running IE 11 and above will still be able to access our site.

So we are now using only Protocol TLSv1.2, we have some Ciphers from TLSv1.3 but due to our version of Apache (Web Server) not being the latest we are unable at this time to support TLSv1.3.
More infor to be added later on.
TheMightyDude::Blacknova Development.
Development Blog Twitter Twitch

Post Reply