From: Gustaf N. <ne...@wu...> - 2014-04-24 07:29:08

Dear Cesáreo,

Concerning the chain issue: the .pem file can/should contain multiple
certificates (the chain). Instructions on how to obtain the chain are
usually available from your certificate provider.

http://superuser.com/questions/644343/how-do-you-fix-an-incomplete-ssl-chain
http://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor

From the Qualys report for your site, it seems as if you have not
configured HTTP Strict Transport Security correctly (see next-scripting.org
for an example) yet. Note that you have to update and install naviserver
to the tip version for this feature.

When you connect to your site via https, check via e.g. firebug, whether
it sends the line
"Strict-Transport-Security: max-age=31536000; includeSubDomains"
in the response.

all the best
-gustaf neumann

On 22.04.14 16:23, Cesáreo García Rodicio wrote:
> Gustaf,
>
> Amazing Work! I built nsssl 0.6 and added extraheaders and it seems to
> work fine.
>
> But I had some "chain issues" yet (I only get an A rating, not A+).
>
> Do I have to add, I mean "echo whatever >> certificate.pem", to
> certificate.pem?
>
> On 12/April/14 14:54, Gustaf Neumann wrote:
>> One more update: There is now an additional feature in NaviServer to
>> allow a site admin to
>> add extra reply header fields with little effort. The nssock and nsssl
>> driver accept a new parameter
>> extraheaders which contains an attribute/value list of extra reply
>> header fields. By using e.g.
>>
>> ns_section ns/server/${servername}/module/nsssl
>> ...
>> ns_param extraheaders { Strict-Transport-Security "max-age=31536000; includeSubDomains"}
>> ...
>>
>> one can activate HTTP Strict Transport Security (HSTS) for https
>> connections. With this activated,
>> one can obtain an "A+" rating with NaviServer + ssl from Qualys SSL Labs.
>>
>> all the best
>> -gustaf neumann
>>
>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>> http://dev.chromium.org/sts
>> https://tools.ietf.org/html/rfc6797
>>
>> On 10.04.14 11:53, Gustaf Neumann wrote:
>>> Dear Friends,
>>>
>>> the bitbucket repository contains a new version of the nsssl module of
>>> NaviServer that
>>> makes it easier to obtain from Qualys SSL Labs an "A" rating with
>>> actual versions
>>> of openssl by supporting more ciphers.
>>>
>>> All the best
>>> -gustaf neumann
>>>
>>> New in Version 0.5:
>>> - Support for Elliptic Curve Cryptography
>>> (such as Elliptic Curve Diffie-Hellman (ECDH))
>>> - Provide compiled-in defaults for DH parameters
>>> - Handling several SSL and TLS bugs.
>>> - Deactivated SSLv2
>>>
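
The two checks discussed in this thread (does the .pem file carry more than one certificate, and is the Strict-Transport-Security value well-formed) can be scripted. The following is an added example, not code from the thread or from NaviServer; the function names and the sample PEM text are constructed for illustration, and the header parsing follows RFC 6797 section 6.1.

```python
import re

# Constructed sample bundle (placeholder bodies, not real certificates).
# A bundle may also hold other block types, such as a key.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBconstructedLeaf==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediate==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIBconstructedKey==
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(pem_text):
    """Return the type label of every PEM block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def chain_length(pem_text):
    """Number of CERTIFICATE blocks; 1 means a single certificate, no chain."""
    return pem_block_types(pem_text).count("CERTIFICATE")

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns (max_age, include_subdomains); raises ValueError if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = val.strip().strip('"')  # value may be a quoted-string
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    if not re.fullmatch(r"[0-9]+", directives["max-age"]):
        raise ValueError("max-age must be a non-negative integer")
    if directives.get("includesubdomains", "") != "":
        raise ValueError("includeSubDomains takes no value")
    return int(directives["max-age"]), "includesubdomains" in directives
```

Counting blocks only shows whether a chain is present; it does not verify that the certificates are in the right order or that each one is issued by the next.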