Protected Interface

The subdirectories of this domain area are password-protected, using secure credential-transport. Details of the security considerations taken on {control.,git.,} follow. A prettified and colourised report can be found on Qualys' SSL Labs' wonderful on-line testing tool. 4096-bit Diffie-Hellman parameters are used for key-agreement, and elliptic-curve cryptography is also employed over the N.I.S.T. 384-bit prime field (secp384r1, comparable in strength to 7680-bit R.S.A.).

Certificate Breakdown

Local Certificate: #1

Alternate Names
Key (Exponent) R.S.A. 4096-bit (65537): SHA256withRSA
Serial No. 04dacd147e411479e21d16aa844f96617ba9
Issuer Let's Encrypt Authority X3
Fingerprint 084bcc134c902c8c179315fa9ca2850445a3874ed8b2ab52ee8cdfb671f5f4b6

Sub-Root Public Signing Certificate: #2

Subject Let's Encrypt Authority X3
Alternate Names Signing Certificate; Not Applicable
Key (Exponent) R.S.A. 2048-bit (65537): SHA256withRSA
Serial No. Non-Unique Signing Certificate; Not Applicable
Issuer DST Root CA X3
Fingerprint 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d

Root Public Signing Certificate

Subject DST Root CA X3
Alternate Names Signing Certificate; Not Applicable
Key (Exponent) R.S.A. 2048-bit (65537): SHA1withRSA
Serial No. Non-Unique Signing Certificate; Not Applicable
Issuer Absolute Root (IdenTrust); Not Applicable
Fingerprint 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739

Supported Encipherment Methods and Protocols

T.L.S. versions 1.2 and 1.3 are supported on this server, with an H.S.T.S. maximum age (max-age) of six months. Below are the permitted encipherment methods, as specified in Lighttpd, supported on SUUGAKU.CO.UK and all of its sub-domains. Trivially insecure methods have been disabled, and clients will usually select the protocol offering the greatest security.

Permitted Cipher Suites

The following list is the recommended standard for maximum security on a decent number of platforms and systems. Further information can be found here.

$ openssl ciphers 'EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH' | tr ':' '\n'

The TLS_AES_128_GCM_SHA256 Problem

Although SSL Labs penalises the use of the TLS_AES_128_GCM_SHA256 T.L.S. 1.3-only cipher, R.F.C. 8446 Section 9.1 states that this particular cipher must be implemented on standards-compliant servers. Additionally, the concerned cipher cannot be removed from the OpenSSL cipher-specification string without a full recompilation of OpenSSL, patching the mandatory T.L.S. 1.3 cipher suites in ssl.h. Because of this, some 128-bit ciphers are supported on this website, although the vast majority of modern browsers will select their 256-bit counterparts for perfect forward secrecy. This quirk is generally perceived as an issue with Qualys' SSL Labs tool, and will likely be rectified while the aforementioned R.F.C. remains current.

Update. With new versions of OpenSSL, it is possible to modify the cipher suites string without recompiling, via the configuration file. Provided that !AES128 is then specified in the web daemon's configuration, SSL Labs will award 100% for every category. However, this solution is not generally used on SUUGAKU.CO.UK, as it breaks compatibility with the R.F.C. standard.
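The split described in this section can be seen with the sketch below, which is an added example and not part of this site's configuration. It assumes Python's ssl module as a stand-in for the web daemon; SAMPLE, local_suites and audit_128bit are hypothetical names, and SAMPLE is constructed data.

```python
import ssl

# Cipher string quoted on this page.
PAGE_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"

# Constructed sample in the shape of ssl.SSLContext.get_ciphers() entries,
# so the audit below can be exercised without depending on the local OpenSSL.
SAMPLE = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "alg_bits": 256},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "alg_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "alg_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "alg_bits": 128},
    {"name": "DHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "alg_bits": 128},
]


def local_suites(cipher_string):
    """Suites the local OpenSSL build enables for a TLS 1.2+ server context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() only governs TLS 1.2 and below; the TLS 1.3 suites are a
    # separate list that this call leaves untouched.
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def audit_128bit(suites):
    """Group 128-bit suites by the setting that controls them."""
    report = {"cipher_string": [], "tls13_ciphersuites": []}
    for suite in suites:
        if suite["alg_bits"] != 128:
            continue
        tls13 = suite["protocol"] == "TLSv1.3"
        report["tls13_ciphersuites" if tls13 else "cipher_string"].append(suite["name"])
    return report


if __name__ == "__main__":
    print("sample:", audit_128bit(SAMPLE))
    for spec in (PAGE_CIPHERS, PAGE_CIPHERS + ":!AES128"):
        print(spec, "->", audit_128bit(local_suites(spec)))
```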

O.C.S.P. Stapling

As many browsers will now fetch O.C.S.P. information directly from the C.A.'s servers unless instructed otherwise, a new privacy concern arises. Although the C.A. of SUUGAKU.CO.UK (Let's Encrypt) has a privacy policy which does not capture individually identifying information on O.C.S.P. requests, in order to reduce load on remote servers, SUUGAKU.CO.UK caches the information and delivers it to browsers itself. The resulting O.C.S.P. payload can be reviewed on Linux systems with a simple OpenSSL invocation:

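# HOST is a placeholder: the server name is missing from this page. 443 is the standard H.T.T.P.S. port.
# Standard input is redirected so that s_client exits once the handshake completes.
openssl s_client -connect "$HOST:443" -tls1_3 -tlsextdebug -status < /dev/null 2> /dev/null |
    sed -n -e '/OCSP Response Data/,/==/ p'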

Unfortunately, due to a lack of Postfix support, O.C.S.P. stapling is not available on the SUUGAKU.CO.UK mailing services. Moreover, the Postfix authors are adamant that stapling support will not be appearing any time soon.

C.A.A. D.N.S. Records and T.L.S. Session-Resumption

SUUGAKU.CO.UK currently uses the nameservers, which do not have support for C.A.A. records from the public A.P.I. However, SUUGAKU.CO.UK will be switching to custom nameservers, likely powered by djbdns, very soon. Routing records will be served over U.D.P., port fifty-three, by ns{1,2} will continue to be the domain registrar.

Session-resumption/caching is coming soon for all SUUGAKU.CO.UK services.