So you've installed your certificate, it doesn't use SHA1, your preferred cipher suites use forward secrecy, RC4 is disabled and your site gets an 'A' rating in the SSL Labs handshake test.
Then someone visits your site in Chrome and notices the following:
Your connection to example.com is encrypted with obsolete cryptography.
“Your connection to example.com is encrypted with obsolete cryptography” means that the connection to the current website is using an outdated cipher suite.
In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
OpenSSL doesn't support CHACHA20_POLY1305 yet so we're going to focus on AES-GCM for now.
GCM is a block cipher mode. There are other, weaker, block cipher modes:
Here's something important: OpenSSL doesn't use the IANA standard cipher suite names that Google uses: what OpenSSL calls AES256-SHA is what the rest of the industry calls TLS_RSA_WITH_AES_256_CBC_SHA. In other words: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 mentioned by Google above is called
So, to fix the warning:
In most cases you shouldn't need to do this yourself:
For node.js: we've added these defaults to the next version of node. You can grab the cipher list from that commit today and use it on existing node or iojs apps to fix the warning.
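As an added example (not code from the original post or from node itself), the following JavaScript applies the two criteria quoted above, forward secrecy plus AES-GCM or CHACHA20_POLY1305, to a cipher suite name given in either IANA or OpenSSL form. The function names and the sample suite names are constructed for illustration, and only TLS 1.2-style names are handled.

```javascript
// Added example: apply the criteria quoted above (forward secrecy, plus
// AES-GCM or CHACHA20_POLY1305) to a cipher suite name.
// Handles TLS 1.2-style names in IANA form (TLS_..._WITH_...) and OpenSSL form.
function parseSuite(name) {
  const n = name.trim().toUpperCase();
  let keyExchange;
  let cipher;
  if (n.startsWith('TLS_') && n.includes('_WITH_')) {
    // IANA: TLS_<key exchange>_<auth>_WITH_<cipher>_<mac>
    const [kx, rest] = n.slice(4).split('_WITH_');
    keyExchange = kx.split('_')[0];
    cipher = rest.replace(/_/g, '-');
  } else {
    // OpenSSL: the key exchange prefix is omitted when it is plain RSA,
    // which is why AES256-SHA means TLS_RSA_WITH_AES_256_CBC_SHA.
    const m = n.match(/^(ECDHE|DHE|EDH|ECDH|DH)-/);
    keyExchange = m ? m[1] : 'RSA';
    cipher = n;
  }
  if (keyExchange === 'EDH') keyExchange = 'DHE'; // older OpenSSL spelling
  let mode = 'other'; // CBC, RC4 and anything else that is not an accepted AEAD
  if (/AES-?(128|256)-GCM/.test(cipher)) mode = 'AES-GCM';
  else if (cipher.includes('CHACHA20-POLY1305')) mode = 'CHACHA20_POLY1305';
  return { keyExchange, mode };
}

function classify(name) {
  const { keyExchange, mode } = parseSuite(name);
  const reasons = [];
  if (keyExchange !== 'ECDHE' && keyExchange !== 'DHE') {
    reasons.push('no forward secrecy (' + keyExchange + ' key exchange)');
  }
  if (mode === 'other') reasons.push('not AES-GCM or CHACHA20_POLY1305');
  return { name, modern: reasons.length === 0, reasons };
}

// Constructed sample names, mixing both naming schemes.
const samples = [
  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
  'ECDHE-RSA-AES128-GCM-SHA256',
  'TLS_RSA_WITH_AES_256_CBC_SHA',
  'AES256-SHA',
  'AES128-GCM-SHA256',
  'ECDHE-RSA-AES128-SHA',
];
for (const s of samples) {
  const r = classify(s);
  console.log(s, '=>', r.modern ? 'modern' : 'obsolete: ' + r.reasons.join('; '));
}
```

In a Node app, the OpenSSL name of the suite negotiated on a connection is available as `tlsSocket.getCipher().name`, which can be passed to `classify`.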
Mike MacCana, founder at CertSimple.