From: Gustaf N. <ne...@wu...> - 2015-06-23 16:56:34
> I’m not up-to-date on proper configurations.

Just as a reference: with the ciphers and Protocol from NaviServer's nsssl [1] one can get an A+ rating from SSL Labs [2]. One should also get decent ratings with these configuration values from AOLserver.

-g

[1] https://bitbucket.org/naviserver/nsssl/
[2] https://www.ssllabs.com/ssltest/analyze.html?d=next-scripting.org

On 23.06.15 at 18:11, Scott Goodwin wrote:
> By the way, ignore my CipherSuite line in there — you obviously don’t
> want SSLv2, +LOW, +MEDIUM and other components - you’ll likely just
> want the TLS v1.2 ciphers, which are listed here:
>
> https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites
>
> Not sure what the CipherSuite string should look like to support that,
> but if I have time this week I’ll see if I can figure it out. Be aware
> that restricting to just TLS 1.2 may cause some older browsers to not
> work with your site, but I haven’t done hands-on work in this area in
> years, so
>
> /s.
>
>> On Jun 23, 2015, at 12:00 PM, Scott Goodwin <sc...@sc...> wrote:
>>
>> An AOLserver configuration file from an old server I used to run has
>> this section defined:
>>
>>     ns_param Protocol "SSLv2, SSLv3, TLSv1"
>>     ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
>>
>> From the OpenSSL documentation:
>>
>> Only enable TLSv1.2:
>>
>>     SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
>>
>> So I’d assume the following would restrict AOLserver to ONLY use TLS 1.2:
>>
>>     ns_param Protocol "-ALL,TLSv1.2"
>>     ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
>>
>> /s.
>>
>>> On Jun 23, 2015, at 10:36 AM, Paula Giangeruso <pgi...@wi...> wrote:
>>>
>>> Does anyone have TLS v1.2 working on AOLserver? If so how did you
>>> go about doing this?
>>>
>>> Thank You,
>>> Paula
>>>
>>> --
>>> Paula Giangeruso - Vice President/Engineering
>>> pgi...@wi... | www.wineaccess.com
>>> O: (610) 642-1255 | F: (610) 642-1277 | C: (609) 731-8092
>>>
>>> wineaccess ®
>>> direct from the source
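
As an added example (not code from this thread, AOLserver or NaviServer): a small Python lint for the two `ns_param` lines quoted above, reporting which legacy protocols and weak cipher classes each configuration leaves enabled. The weak-class list and the simplified reading of the OpenSSL cipher-string operators are assumptions of this example; `openssl ciphers -v '<string>'` gives the authoritative expansion for a particular OpenSSL build.

```python
import re

WEAK_CLASSES = {"LOW", "MEDIUM", "EXP", "SSLv2", "RC4", "ADH"}  # this example's choice
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}

def ns_params(config_text):
    """Map name -> value for every `ns_param Name "value"` line."""
    return dict(re.findall(r'^\s*ns_param\s+(\S+)\s+"([^"]*)"', config_text, re.M))

def weak_cipher_classes(cipher_string):
    """Weak classes an OpenSSL cipher string leaves enabled (simplified model)."""
    enabled, killed = set(), set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token[0] == "+":
            continue                      # "+X" only reorders ciphers already listed
        op, body = (token[0], token[1:]) if token[0] in "!-" else ("", token)
        parts = set(body.split("+"))      # "RC4+RSA": ciphers that are RC4 and RSA
        if op:                            # "-X" removes, "!X" removes permanently
            if len(parts) == 1:           # combined removals are ignored (conservative)
                enabled -= parts
                killed |= parts if op == "!" else set()
        elif body == "ALL":
            enabled |= WEAK_CLASSES - killed
        else:
            enabled |= (parts & WEAK_CLASSES) - killed
    return sorted(enabled)

def legacy_protocols(protocol_value):
    """Legacy protocols a Protocol value enables; "-NAME" disables NAME."""
    on = set()
    for token in re.split(r"[,\s]+", protocol_value.strip()):
        name = token.lstrip("+-")
        if token.startswith("-"):
            on = set() if name == "ALL" else on - {name}
        elif name == "ALL":
            on |= LEGACY_PROTOCOLS
        elif name in LEGACY_PROTOCOLS:
            on.add(name)
    return sorted(on)

def audit(config_text):
    """Return (legacy protocols enabled, weak cipher classes enabled)."""
    p = ns_params(config_text)
    return legacy_protocols(p.get("Protocol", "")), weak_cipher_classes(p.get("CipherSuite", ""))

# The two configurations quoted in the thread.
OLD = '''ns_param Protocol "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"'''
PROPOSED = OLD.replace("SSLv2, SSLv3, TLSv1", "-ALL,TLSv1.2")
print(audit(OLD), audit(PROPOSED))
```

The proposed TLS 1.2-only configuration clears the protocol finding but still reports the same cipher classes, which is the point of the follow-up about the CipherSuite line.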