Handmade Network»Forums
Casey Muratori
801 posts / 1 project
Casey Muratori is a programmer at Molly Rocket on the game 1935 and is the host of the educational programming series Handmade Hero.
Apache setup questions for web peoples
So, I have enabled https on all our sites at Molly Rocket. I hate the web and I hate Apache and I hate everything, so it all sucks but I do want to ask the basic due diligence question for those of you who know web things: what should I do for Apache configuration regarding HTTPS security?

I have found that if I do the recommended protocol removals (nothing below SSL 3, etc.), then the site is not accessible from most Android devices. Basically only the very newest Android devices can connect. This doesn't seem desirable for a site such as, you know, handmadehero.org which is not meant to handle super-sensitive information anyway?

So I am wondering if there is a recommended set of things to do for a website which wants to be reasonably good for secure use, but doesn't want to become inaccessible to a lot of people.

Etc., etc.

- Casey

Mike
2 posts
Apache setup questions for web peoples
I'm sorry I don't have a specific answer for you but between
https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl config generator by mozilla
and
https://www.ssllabs.com, which inspects your SSL config on your site and shows you what devices work vs not, I've generally been able to figure out a good balance and make sure the devices I want to work continues to work.
Mike
2 posts
Apache setup questions for web peoples
Edited by Mike on
(deleted)
Mārtiņš Možeiko
2378 posts / 2 projects
Apache setup questions for web peoples
Unfortunately there isn't any secure TLS configuration that would allow older Android's to connect.
How old Androids are we talking here? I would think that anything under Android 4.x is not worth bothering with.
TLS is really that broken.
James Hull
4 posts
Apache setup questions for web peoples
Edited by James Hull on
Yep. As Mārtiņš has pointed out - the only currently secure versions are TLS 1.1 and above, so if you want to be secure you need to disable anything lower then that.

Unfortunately TLS 1.1 and 1.2 are not enabled by default on a lot older browsers and devices (< IE10, < Android 5.0).
Casey Muratori
801 posts / 1 project
Casey Muratori is a programmer at Molly Rocket on the game 1935 and is the host of the educational programming series Handmade Hero.
Apache setup questions for web peoples
Edited by Casey Muratori on
It looks like Android 4.x is OK as a minimum platform, perhaps:

http://www.statista.com/statistic...n-mobile-devices-with-android-os/

But testing via BrowserStack, when I hardened Apache's protocol set with the usual rec's, none of the 4.x devices could see the site anymore :( So I'm wondering what they actually support?

(And similarly, if you look at that Mozilla configurator page thingee, it seems to jump right from Android 2.x to Android 5.x - there's no "supports 4 but not 2 and 3" button that I can see?)

- Casey
James Hull
4 posts
Apache setup questions for web peoples
According to the Android documentation TLS 1.1 is supported on API level 16+ (4.1–4.3.1) but not enabled by default until API level 20 (4.4+)

https://developer.android.com/reference/javax/net/ssl/SSLSocket.html