On Mon, May 18, 2015 at 07:43:26PM +0200, Martijn Rijkeboer wrote:
> Hi,
> 
> I've just switched my webserver from 5.6/nginx to 5.7/httpd and was
> testing my TLS setup using SSL Labs[1]. The SSL Labs test indicates that
> my setup doesn't support forward secrecy. Is this not implemented in
> the 5.7 version of httpd or is my configuration wrong (included below)?
> 
> OS: OpenBSD 5.7-stable AMD64
> 
> Kind regards,
> 
> 
> Martijn Rijkeboer
> 

We disabled older cipher suites and protocols by default.  Any new-ish
browser should prefer ECDHE over DHE.

From httpd.conf:
---snip---
             dhe params
                     Specify the DHE parameters to use for DHE cipher suites.
                     Valid parameter values are none, legacy and auto.  For
                     legacy a fixed key length of 1024 bits is used, whereas
                     for auto the key length is determined automatically.  The
                     default is none, which disables DHE cipher suites.

             ecdhe curve
                     Specify the ECDHE curve to use for ECDHE cipher suites.
                     Valid parameter values are none, auto and the short name
                     of any known curve.  The default is auto.
---snap---

So if you really want to enable legacy DHE modes, set the following
in the server section:

        tls dhe "legacy"

Reyk

> 
> --- /etc/httpd.conf ---
> 
> ext_addr="*"
> 
> server "www.bunix.org" {
>         listen on $ext_addr tls port 443
>         tls certificate "/etc/ssl/www.bunix.org.crt.pem"
>         tls key "/etc/ssl/private/www.bunix.org.key.pem"
> 
>         connection {
>                 max requests 500
>                 timeout 3600
>         }
> 
>         root "/htdocs/www.bunix.org"
> }
> 
> types {
>         include "/usr/share/misc/mime.types"
> }
> 
> 
> ---------
> 
> [1] https://www.ssllabs.com/ssltest/
> 

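A way to check this from the command line instead of via SSL Labs, added here as an example and not part of the thread: it parses `openssl s_client` output for the negotiated suite and reports whether the key exchange is ephemeral (ECDHE/DHE), which is what SSL Labs calls forward secrecy. The sample session blocks are constructed; the cipher-name prefixes follow OpenSSL/LibreSSL naming.

```shell
#!/bin/sh
# Added check: does a TLS server negotiate a forward-secret suite (ECDHE/DHE)?
# Assumes the suite names printed by `openssl s_client` (OpenSSL/LibreSSL naming).

# Classify a suite name by its key exchange. ECDHE-/DHE-/EDH- suites use
# ephemeral Diffie-Hellman and give forward secrecy; plain RSA key transport
# (e.g. AES256-GCM-SHA384) does not.
fs_of_cipher() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*) echo yes ;;
        *)                   echo no ;;
    esac
}

# Pull the negotiated suite out of the SSL-Session summary on stdin
# (the "Cipher    : NAME" line); first match only.
negotiated_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' | sed 1q
}

# Read s_client output on stdin, print "<suite> forward-secrecy=<yes|no>".
# s_client prints "Cipher    : 0000" when the handshake failed, so treat
# that like a missing line.
check_fs() {
    c=$(negotiated_cipher)
    [ -n "$c" ] && [ "$c" != 0000 ] || { echo "no cipher negotiated (handshake failed?)"; return 2; }
    echo "$c forward-secrecy=$(fs_of_cipher "$c")"
}

# Live use against your own host (needs network): one handshake with the
# client's default preference (should land on ECDHE), one restricted to DHE
# to see whether `tls dhe` is enabled at all (with the default "none" it fails).
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | check_fs
    openssl s_client -connect "$1:443" -servername "$1" -cipher 'DHE' </dev/null 2>/dev/null | check_fs
}

# Constructed sample output (not real captures) for an offline run.
SAMPLE_RSA='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'
SAMPLE_ECDHE='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

printf '%s\n' "$SAMPLE_RSA"   | check_fs   # AES256-GCM-SHA384 forward-secrecy=no
printf '%s\n' "$SAMPLE_ECDHE" | check_fs   # ECDHE-RSA-AES256-GCM-SHA384 forward-secrecy=yes
```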