Dear Gustaf

I'm using Qualys' SSL Labs to check my naviserver security ratings. My 
server uses a StartSSL™ Free (Class 1) https://www.startssl.com/?app=39 
and an nsssl config file (see below [1])

I get an A- rating, and to get an A rating I have to solve this forward 
secrecy issue. So
  - I assume the nsssl module supports forward secrecy [2]
  - My cipher suite (ns_param ciphers "...") is right [3]
  - I have to change server.pem (all-in-one private and public keys). 
Does this mean text-editing server.pem? I couldn't see how to do it in 
the links.

Thanks
Cesáreo



[1] My nsssl config file

ns_section    "ns/server/${server}/module/nsssl"
        ns_param                certificate     $serverroot/etc/certificado.pem
        ns_param                ciphers         "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
        ns_param                protocols       "SSLv3, TLSv1"
        ns_param                verify          0

[2] Is 4.99.6 a typo in https://bitbucket.org/naviserver/nsssl/src ? I 
assume nsssl 0.4 works with naviserver 4.99.5.
[3] As seen on https://wiki.mozilla.org/Security/Server_Side_TLS



On 27 January 2014 at 17:42, Gustaf Neumann wrote:


> Dear friends,
>
> In 2011 Google implemented "forward secrecy" via ephemeral keys and
> Diffie-Hellman key exchange in OpenSSL [1]. Since this feature of OpenSSL
> is easy to use, I added support for forward secrecy to nsssl. One
> can now use these improved security features by adding DH parameters [2]
> to the server.pem file (see example in README [3]) and by using the
> "right" ciphers (*E*DH*, see e.g. [4]).
>
> By using these features, a web site can improve its security ratings as
> measured e.g. by Qualys' SSL Labs.
>
> all the best
> -gustaf neumann
>
> [1] http://googleonlinesecurity.blogspot.co.at/2011/11/protecting-data-for-long-term-with.html
> [2] https://bitbucket.org/naviserver/nsssl/src
> [3] http://en.wikibooks.org/wiki/OpenSSL/Diffie-Hellman_parameters
> [4] https://wiki.mozilla.org/Security/Server_Side_TLS
>
>
>
> _______________________________________________
> naviserver-devel mailing list
> naviserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
>
>
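An added example, not code from the nsssl project or from either mail above, for the steps both messages discuss: checking that an all-in-one server.pem carries a DH parameters block next to the certificate and key, appending one with openssl dhparam when it is missing, and auditing what the quoted ciphers and protocols values actually provide. File names, the sample cipher subset and the TLSv1.2 protocol token are assumptions.

```shell
#!/bin/sh
# Added example (not nsssl code). Checks an all-in-one PEM for the DH block
# that DHE forward secrecy needs, and audits nsssl ciphers/protocols values.

# 0 if the PEM has all three blocks: certificate, private key, DH parameters.
pem_complete() {
    grep -q  -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 1
    grep -q  -- '-----BEGIN DH PARAMETERS-----' "$1" || return 1
    return 0
}

# Append 2048-bit DH parameters (the "add DH parameters to server.pem" step)
# unless the file already has a DH block. Generation can take minutes.
add_dh_params() {
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1" && return 0
    openssl dhparam 2048 >> "$1"
}

# List entries of a "ciphers" value with no forward secrecy (a plain AES*
# name means static RSA key exchange) or with RC4. Aliases such as HIGH or
# AES128 also expand to static-RSA suites; `openssl ciphers -v "$list"`
# shows the real expansion.
weak_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -E 'RC4|^AES' || true
}

# List entries that exist only in TLS 1.2 (AES-GCM and SHA-2 HMAC suites).
# With protocols "SSLv3, TLSv1" these can never be negotiated.
tls12_only_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -E 'GCM|SHA256|SHA384' || true
}

# 0 if the "protocols" value enables TLS 1.2 (token name is an assumption).
has_tls12() {
    case "$1" in *TLSv1.2*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: a subset of the cipher list from the config above.
SAMPLE_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:RC4-SHA:AES256:HIGH:!aNULL'
SAMPLE_PROTOCOLS='SSLv3, TLSv1'
```

Run `pem_complete /path/to/server.pem` before restarting the server; if it fails, `add_dh_params` appends the missing block without touching the certificate or key.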
