From: Cesáreo G. R. <ce...@ce...> - 2014-03-29 14:02:44

Hi Gustaf,

OK, thanks so much. This PFS issue is not urgent in my setup. I had missed
"openssl dhparam 2048 >> server.pem" to add DHE ciphers.
Next week I'll try the head version of NS and check again.

Thanks so much
Cesáreo

On 28/March/14 17:25, Gustaf Neumann wrote:
> Just a short reply:
> - yes, forward secrecy is now supported, although i found it hard to find a cipher
>   set that works with all browsers perfectly.
> - yes, the .pem file should include the diffie hellman parameters, when you use *DHE* ciphers.
>   The readme on https://bitbucket.org/naviserver/nsssl shows an example how to build such
>   a .pem file.
> - in order to use all functionality on nsssl (e.g. for ns_ssl), one should currently use the
>   head version of NaviServer (4.99.6) until it is released
>
> -gustaf
>
> On 28.03.14 18:05, Cesáreo García Rodicio wrote:
>> Dear Gustaf
>>
>> I'm using Qualys' SSL Labs to check my naviserver security ratings. My
>> server uses a StartSSL™ Free (Class 1) https://www.startssl.com/?app=39
>> and an nsssl config file (see below [1])
>>
>> I get an A- Rating and to get an A Rating I had to solve this forward
>> secrecy issue. So
>> - I assume nsssl module supports forward secrecy [2]
>> - My cipher suite (ns_param ciphers "...") is right [3]
>> - I had to change server.pem (all-in-one private and public keys).
>>   Does this mean to text-edit server.pem? I couldn't see how to do it in
>>   the links
>>
>> Thanks
>> Cesáreo
>>
>> [1] My nsssl file conf
>>
>> ns_section "ns/server/${server}/module/nsssl"
>> ns_param certificate $serverroot/etc/certificado.pem
>> ns_param ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
>> ns_param protocols "SSLv3, TLSv1"
>> ns_param verify 0
>>
>> [1] Is 4.99.6 a typo in https://bitbucket.org/naviserver/nsssl/src ? I
>> assume nsssl 0.4 works with naviserver 4.99.5
>> [2] As seen on https://wiki.mozilla.org/Security/Server_Side_TLS
>>
>> On 27/January/14 17:42, Gustaf Neumann wrote:
>>> Dear friends,
>>>
>>> Google has implemented in 2011 "forward secrecy" via ephemeral keys and
>>> Diffie-Hellman key exchange in OpenSSL [1]. Since this feature of OpenSSL
>>> is easy to use, i added support for forward secrecy to nsssl. One
>>> can now use these improved security features by adding DH parameters [2]
>>> to the server.pem file (see example in README [3]) and by using the
>>> "right" ciphers (*E*DH*, see e.g. [4]).
>>>
>>> By using these features, a web site can improve its security ratings as
>>> measured e.g. by Qualys' SSL Labs.
>>>
>>> all the best
>>> -gustaf neumann
>>>
>>> [1] http://googleonlinesecurity.blogspot.co.at/2011/11/protecting-data-for-long-term-with.html
>>> [2] https://bitbucket.org/naviserver/nsssl/src
>>> [3] http://en.wikibooks.org/wiki/OpenSSL/Diffie-Hellman_parameters
>>> [4] https://wiki.mozilla.org/Security/Server_Side_TLS
>>>
>>> _______________________________________________
>>> naviserver-devel mailing list
>>> nav...@li...
>>> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
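An added check, not part of the thread or of nsssl, for the two things discussed above: whether an all-in-one server.pem actually carries the DH parameters that DHE ciphers need, and which tokens of an OpenSSL cipher string (here a shortened form of the ns_param ciphers value quoted in the thread) fall back to static RSA key exchange and therefore give no forward secrecy. The PEM sample is constructed with placeholder bodies.

```python
import re
# Constructed sample of the all-in-one PEM nsssl reads: key, certificate and, for DHE
# ciphers, the DH parameters appended with "openssl dhparam 2048 >> server.pem" (placeholders).
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
PLACEHOLDER
-----END DH PARAMETERS-----
"""
# Shortened form of the ns_param ciphers value quoted in the thread.
CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:"
           "AES128-GCM-SHA256:AES128:RC4-SHA:HIGH:!aNULL:!eNULL:!MD5")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(pem_text):
    """Labels of the PEM blocks in the file, in order (e.g. 'DH PARAMETERS')."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def classify_cipher(token):
    """Key-exchange class of one OpenSSL cipher-list token."""
    t = token.upper()
    if t[:1] in ("!", "-", "+", "@"):
        return "modifier"  # exclusion/reordering token, selects no key exchange
    if "ECDHE" in t or "KEECDH" in t:
        return "ecdhe"     # ephemeral EC Diffie-Hellman: forward secrecy
    if t.startswith(("DHE-", "EDH-")) or "KEDH" in t:
        return "dhe"       # ephemeral DH: forward secrecy, needs DH params in the PEM
    if "-" in t:
        return "static"    # e.g. AES128-GCM-SHA256, RC4-SHA: RSA key exchange, no PFS
    return "alias"         # e.g. HIGH, AES128: expands to suites with and without PFS

def audit(pem_text, cipher_string):
    """Forward-secrecy findings for a PEM file plus an OpenSSL cipher string."""
    blocks = pem_block_types(pem_text)
    by_class = {}
    for tok in filter(None, cipher_string.split(":")):
        by_class.setdefault(classify_cipher(tok), []).append(tok)
    findings = []
    if "dhe" in by_class and "DH PARAMETERS" not in blocks:
        findings.append("DHE ciphers configured but PEM has no DH PARAMETERS block; run: openssl dhparam 2048 >> server.pem")
    for tok in by_class.get("static", []):
        findings.append("no forward secrecy: %s (static RSA key exchange)" % tok)
    for tok in by_class.get("alias", []):
        findings.append("alias %s may add suites without forward secrecy" % tok)
    return findings
```

Running audit(SAMPLE_PEM, CIPHERS) reports the two static-RSA tokens and the two aliases; dropping the DH block from the PEM adds the missing-parameters finding.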