In 2015 web developers understand more about SSL than they ever have. If you read Hacker News you should know:
What about the rest? Here are answers to the most common questions from our customers:
Both these errors are related, but
ERR_SSL_VERSION_OR_CIPHER_MISMATCH has the more obvious fix: update your TLS/SSL versions and ciphers your server is configured to use.
If Chrome complains about:
connection is encrypted using an obsolete cipher suite
The fix is the same, the only difference is that this error doesn't show up in SSL Labs. You need to put GCM ciphers before CBC ciphers in your web server's config file.
Fixing either error is easy: the Mozilla SSL Config Generator shows the right config for most web servers. Update your config file, restart your web server and the problem will be resolved.
There's a good chance you have a bunch of files with the same names, belonging to different keypairs. If your web server tells you something like:
Error: Public Key Certificate and Private Key doesn't match
This means you've made multiple key pairs, and are trying to use the private key from one keypair with the certificate from another.
To check whether a certificate file matches a private key, check the modulus.
# Check the modulus of a certificate openssl x509 -noout -modulus -in example.com.crt | shasum -a 256 # Check the modulus of a key openssl rsa -noout -modulus -in example.com.key | shasum -a 256 # Check the modulus of a certificate request openssl req -noout -modulus -in example.com.csr | shasum -a 256
If the modulus is the same, the private key and certificate match: in other words, they belong to the same pair.
If the modulus is different, the files aren't part of the same pair and were created independently.
Use geolocation? WebRTC? Password and credit card forms? Current browsers need HTTPS for security-sensitive HTML5 features.
If you have an invalid https:// setup on localhost, you'll be spending way too much time clicking clicking through HTTPS warnings. The good news is you don't need to. Setting up a trusted localhost setup on your Mac only takes a few minutes.
1024 bit RSA is considered insecure. Nearly every website you visit uses 2048 bit RSA. So why not go the extra mile and get a 4096 bit RSA cert?
The answer is that the additional load can slow down the SSL handshake between browsers and your site. You can easily measure this in Chrome dev tools.
Additionally, as Geoffrey Thomas pointed out on Hacker News, your CA's intermediary certificate is likely to be a 2048 bit RSA cert. If you consider 2048 bit RSA to be insufficiently strong, the CA's 2048 bit intermediary cert could still be attacked and used to issue a fake certificate for your organization (HPKP aside).
If you're concerned about strength, try an ECDSA certificate instead of RSA. They're significicantly stronger while using less CPU than RSA - a 256 bit ECC key is equivalent to 3072 bit RSA.
ECC support in 2015 is surprisingly good: browsers from Windows Vista and up, OS X 10.9, Android 3 and iOS 7. The main issue is cloud providers: Heroku and AWS CloudFront don't yet support ECC.
There's a bunch of file formats related to PKI and SSL, but most server software these days uses just two:
You can flip between them easily:
# Convert PEM to PKCS12 openssl pkcs12 -export -inkey privatekey.pem -in cert.pem -certfile cacert.pem -out bundle.p12 # Convert PKCS12 file to PEM # (you can then chop the files up with a text editor) openssl pkcs12 -nodes -in bundle.p12 -out bundle.pem
Got any feedback or comments? Add them on the Hacker News thread!
Mike MacCana, founder at CertSimple.
An EV HTTPS certificate verifies the company behind your website. But getting verified is a slow painful process. CertSimple provides EV HTTPS certificates 40x faster than other vendors. We check your company registration, network details, physical address and flag common errors before you pay us, provide verification steps specific for your company, update in realtime during the process, and even check your infrastructure to help you set up HTTPS securely.
Verify your site now!