Just a short reply: - yes, forward secrecy is now supported, although i found it hard to find a cipher set that works with all browsers perfectly. - yes, the .pem file should include the diffie hellman parameters, when you use *DHE* ciphers. The readme on https://bitbucket.org/naviserver/nsssl shows an example how to build such a .pem file. - in order to use all functionality on nsssl (e.g. fo ns_ssl), one should currently use the head version of NaviServer (4.99.6) until it is released
-gustaf Am 28.03.14 18:05, schrieb Cesáreo García Rodicio: > Dear Gustaf > > I'm using Qualys' SSL Labs to check my navisver security ratings . My > server uses a StartSSL™ Free (Class 1) https://www.startssl.com/?app=39 > and a nssl config file (see below[1]) > > I get a A- Rating and to get an A Rating I had to solve this forward > secrecy issue. So > - I assume nsssl module supports forward secrecy [2] > - My ciphers suite (ns_param ciphers "...") is right [3] > - I had to change server.pem (all-in-one private and public keys). > Does this mean to text-edit server.pem? I couldn't see how to do it in > the links > > Thanks > Cesáreo > > > > [1] My nsssl file conf > > ns_section "ns/server/${server}/module/nsssl" > ns_param certificate $serverroot/etc/certificado.pem > ns_param ciphers > "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 > :DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384 > :ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA > 256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" > ns_param protocols "SSLv3, TLSv1" > ns_param verify 0 > > [1] Is 4.99.6 a typo in https://bitbucket.org/naviserver/nsssl/src ? I > assume nsssl 0.4 works with naviserver 4.99.5 > [2] As seen on https://wiki.mozilla.org/Security/Server_Side_TLS > > > > El 27/enero/14 17:42, Gustaf Neumann escribió: > > >> Dear friends, >> >> Google has implemented in 2011 "forward secrecy" via ephemeral keys and >> Diffie-Hellman key exchange in OpenSSL [1].Since this feature of OpenSSL >> this is easy to use, i added support for forward secrecy to nsssl. One >> can new use these improved security features by adding DH parameters [2] >> to the server.pem file (see example in README [3]) and by using the >> "right" ciphers (*E*DH*, see e.g. [4]). >> >> By using these features, a web site can improve its security ratings as >> measured e.g. by Qualys' SSL Labs. >> >> all the best >> -gustaf neumann >> >> [1] >> http://googleonlinesecurity.blogspot.co.at/2011/11/protecting-data-for-long-term-with.html >> [2] https://bitbucket.org/naviserver/nsssl/src >> [3] http://en.wikibooks.org/wiki/OpenSSL/Diffie-Hellman_parameters >> [4] https://wiki.mozilla.org/Security/Server_Side_TLS >> >> >> >> ------------------------------------------------------------------------------ >> CenturyLink Cloud: The Leader in Enterprise Cloud Services. >> Learn Why More Businesses Are Choosing CenturyLink Cloud For >> Critical Workloads, Development Environments & Everything In Between. >> Get a Quote or Start a Free Trial Today. >> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk >> _______________________________________________ >> naviserver-devel mailing list >> naviserver-devel@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/naviserver-devel >> >> > ------------------------------------------------------------------------------ > _______________________________________________ > naviserver-devel mailing list > naviserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/naviserver-devel -- Univ.Prof. Dr. Gustaf Neumann WU Vienna Institute of Information Systems and New Media Welthandelsplatz 1, A-1020 Vienna, Austria ------------------------------------------------------------------------------ _______________________________________________ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel
