So, some time ago I had to admit that I needed TLSv1. Well, time marches on, and I started to look at SSL settings again (largely because my SSL certificate expired and I needed to replace it, so why not review the SSL settings at the same time).
So a while back I updated my blog's software, and at the time it broke the themes. It turned out this was due to the new version of Roller not detecting that my blog is behind SSL, so the CSS wasn't being loaded by my browser. It was a fairly straightforward fix (a single setting to force the blog to treat all links as being behind SSL).
Having fixed that I could use any of the built-in themes (plus a number of extra themes you can download). However, I was never terribly happy with how my blog and my website just didn't go together. With that in mind I decided to edit one of the simpler themes and make it look more like my website (given my rather poor design skills this was probably a mistake, but meh). This ended up being a lot easier than I expected it to be.
So welcome to my new look blog, as shocking as it looks.
So, I use Apache Roller as the application my blog runs on. A new version of this has come out (I was on 5.0 and 5.1 has been released), so I decided to upgrade.
This has resulted in the theme I was using breaking, badly, so I have had to move to the basic theme. I can't be bothered to tweak that right now, but I don't like it much either, so I am going to have to eventually. It also appears to have broken the RSS feeds, such that if you do follow my blog with an RSS reader you get all my blog entries again (or at least it does in Tiny Tiny RSS), so sorry about that.
Worse than all that, however, is the fact that I decided to take this opportunity to update to openjdk-7 (from openjdk-6) and Tomcat 7 (from Tomcat 6). The server this blog is running on used to be Debian 6, but was dist-upgraded to Debian 7 (which went terribly smoothly at the time), and the older versions of Java and Tomcat were left over from that. This process was far more laborious than it should have been, largely due to me having forgotten all the steps I had taken to get Roller working on Tomcat 6 in the first place (the Java upgrade was painless, mind, so I did that bit right at least).
It's a good job I'm not getting paid for looking after this server, I'm apparently not doing a very good job of it.
So following my work on fixing CVE-2014-4566 on my website, it turned out that I do indeed need to use lower versions of TLS than 1.2, a revelation that is a little embarrassing to admit. So I have been doing a little playing with the settings, and have tweaked the protocol and cipher configuration to support TLSv1, TLSv1.1 and TLSv1.2, and only ciphers with forward secrecy.
So, another day, another web security vulnerability. Once again a problem on the internet has prompted me to fix something on my home server, in this case the SSLv3 vulnerability that has been given the name "POODLE" (seriously, who comes up with these names?), and it has reminded me that the SSL settings on my server are woefully inadequate.
Given my site is just a personal site, I figure there is no real reason to stay with SSLv3, as I don't much care about IE6 users. In fact, the stuff I use it for supports TLSv1.2, so I may as well stick to that, and the older protocols be damned. This does break a large number of older and mobile clients, but that is their problem.
It's also a good time to play with different cipher suite orders. So I've removed all but those that support forward secrecy (again, this will break stuff, but not the stuff I use, so I don't much care).
Obviously the choices I have made here are made in the absence of any pragmatic need to support legacy systems, but that is the beauty of having a personal site rather than a commercial one.
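As an added example, not the author's configuration (the posts never show the actual settings), here are the policies described above expressed with Python's standard `ssl` module, which takes the same OpenSSL cipher-string syntax as Apache httpd's `SSLCipherSuite` directive: a weak "anything goes" baseline, the TLSv1.2-only forward-secrecy policy from the POODLE post, and the later relaxed variant that lets TLSv1 and TLSv1.1 back in while keeping the forward-secrecy cipher list. The cipher strings and policy names are my own choices, and the check walks the enabled cipher list to confirm that no suite without an ephemeral (EC)DHE key exchange survives, which is the test worth running after any cipher-string edit.

```python
import ssl

# Constructed cipher string in OpenSSL syntax (an assumption for this example,
# not the blog's actual settings). Apache httpd's SSLCipherSuite directive
# accepts the same syntax, so the string carries over unchanged.
FS_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:ECDHE+AES:DHE+AES"
    ":!aNULL:!eNULL:!PSK:!SRP:!MD5:!RC4:!3DES"
)

# A server left on defaults: the oldest protocol this OpenSSL build still
# allows, plus every authenticated cipher, static-RSA key exchange included.
WEAK_POLICY = {"min": ssl.TLSVersion.MINIMUM_SUPPORTED, "ciphers": "ALL:!aNULL:!eNULL"}
# The POODLE post: TLSv1.2 only, forward-secret key exchange only.
STRICT_POLICY = {"min": ssl.TLSVersion.TLSv1_2, "ciphers": FS_CIPHERS}
# The later post: same cipher list, but TLSv1 and TLSv1.1 allowed again.
RELAXED_POLICY = {"min": ssl.TLSVersion.TLSv1, "ciphers": FS_CIPHERS}

# Key-exchange names as reported by SSLContext.get_ciphers(); only these
# (and TLS 1.3, which is always ephemeral) provide forward secrecy.
FORWARD_SECRET_KEX = {"kx-ecdhe", "kx-dhe"}


def build_context(policy):
    """Server-side context with the policy's protocol floor and cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = policy["min"]
    ctx.set_ciphers(policy["ciphers"])  # raises SSLError if nothing matches
    return ctx


def non_forward_secret(ctx):
    """Names of enabled ciphers whose key exchange lacks forward secrecy."""
    offenders = []
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites always use an ephemeral (EC)DHE exchange
        if cipher["kea"] not in FORWARD_SECRET_KEX:
            offenders.append(cipher["name"])
    return offenders


def summarise(policy):
    """Protocol floor, enabled-cipher count and offenders, for a quick audit."""
    ctx = build_context(policy)
    return {
        "minimum_version": str(ctx.minimum_version),
        "enabled": len(ctx.get_ciphers()),
        "without_forward_secrecy": non_forward_secret(ctx),
    }


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY),
                          ("relaxed", RELAXED_POLICY)):
        print(label, summarise(policy))
```

Run stand-alone it prints one line per policy; the weak baseline lists the static-RSA suites (kx-rsa) that the strict and relaxed policies drop. The protocol floor is the part that does not map onto a cipher string: in Apache httpd it lives in the separate `SSLProtocol` directive, and `SSLHonorCipherOrder` is what makes the server, rather than the client, pick from the ordered list, so a review of "cipher suite orders" needs that directive as well.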