[IMPORTANT] SSL/TLS - insecure/obsolete cipher removal

[Nekone]

As you are all aware by now, a server maintenance was conducted today to update the webserver and underlying TLS library that provides secure connectivity to our network of sites. Part of this upgrade, was the addition of support for the newly created TLS version 1.3. This new protocol version is supported by the latest versions of both Firefox and Chrome, and should already be enabled by default in those browsers, so if you're using the latest versions of either browser, you should now be using TLSv1.3 transparently.

 

However, with this change, we have to also make a change to some of the older ciphers we currently support on Kametsu. Right now, we maintain a relatively sane degree of backwards-compatibility to account for older browsers. Now that we have TLSv1.3 enabled, this has to be revised. We've already disabled support for TLSv1.0, and on December 16th, 2018 - we will be making the following changes to our supported TLS cipher suites/parameters:

 

1. Plain DHE (Diffie-Hellman Exchange)-based cipher suites will be completely disabled. We will only support ECDHE (Elliptic Curve Diffie-Hellman Exchange)-based suites. DHE is still relatively secure provided you use a decent-sized key, but its performance is generally lower than that of its EC-based counterpart especially with higher key sizes.
2. TLSv1.1 will be disabled, and TLSv1.2 will become the minimum supported.
3. The older Cipher Block Chaining (CBC) cipher suites will be depreciated and ultimately removed, in favor of the superior Galois/Counter Mode (GCM) cipher suites.

 

These changes, especially 2 and 3, will mostly impact users on older operating systems and/or those using older/obsolete browsers (such as Internet Explorer on anything other than Windows 10, for example). These users will likely see their ability to connect to the site disappear once these changes take effect. For those of you using older operating systems and/or browsers - I implore you to update your systems and/or your browsers to the latest available versions to ensure you are still able to connect to Kametsu without a problem.

 

If you have any concerns, please let me know. I do have a very busy work schedule so I can't always guarantee a timely response but I'll make every effort to respond to every concern raised regarding these upcoming changes.