You are right, adding the DHE parameters should be mentioned more prominently. i've added a few lines to the README file.
-gn Am 29.03.14 15:02, schrieb Cesáreo García Rodicio: > Hi Gustaf > > OK, thanks so much. This PFS issue it's not urgent in my setup. I had > missed "openssl dhparam 2048 >> server.pem" to add DHE ciphers > > Next week I'll try the head version of NS and check again > > Thanks so much > Cesáreo > > El 28/marzo/14 17:25, Gustaf Neumann escribió: >> Just a short reply: >> - yes, forward secrecy is now supported, although i found it hard to >> find a cipher >> set that works with all browsers perfectly. >> - yes, the .pem file should include the diffie hellman parameters, when >> you use *DHE* ciphers. >> The readme on https://bitbucket.org/naviserver/nsssl shows an >> example how to build such >> a .pem file. >> - in order to use all functionality on nsssl (e.g. fo ns_ssl), one >> should currently use the >> head version of NaviServer (4.99.6) until it is released >> >> -gustaf >> >> Am 28.03.14 18:05, schrieb Cesáreo García Rodicio: >>> Dear Gustaf >>> >>> I'm using Qualys' SSL Labs to check my navisver security ratings . My >>> server uses a StartSSL™ Free (Class 1) https://www.startssl.com/?app=39 >>> and a nssl config file (see below[1]) >>> >>> I get a A- Rating and to get an A Rating I had to solve this forward >>> secrecy issue. So >>> - I assume nsssl module supports forward secrecy [2] >>> - My ciphers suite (ns_param ciphers "...") is right [3] >>> - I had to change server.pem (all-in-one private and public keys). >>> Does this mean to text-edit server.pem? I couldn't see how to do it in >>> the links >>> >>> Thanks >>> Cesáreo >>> >>> >>> >>> [1] My nsssl file conf >>> >>> ns_section "ns/server/${server}/module/nsssl" >>> ns_param certificate $serverroot/etc/certificado.pem >>> ns_param ciphers >>> "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 >>> :DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384 >>> :ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA >>> 256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" >>> ns_param protocols "SSLv3, TLSv1" >>> ns_param verify 0 >>> >>> [1] Is 4.99.6 a typo in https://bitbucket.org/naviserver/nsssl/src ? I >>> assume nsssl 0.4 works with naviserver 4.99.5 >>> [2] As seen on https://wiki.mozilla.org/Security/Server_Side_TLS >>> >>> >>> >>> El 27/enero/14 17:42, Gustaf Neumann escribió: >>> >>> >>>> Dear friends, >>>> >>>> Google has implemented in 2011 "forward secrecy" via ephemeral keys and >>>> Diffie-Hellman key exchange in OpenSSL [1].Since this feature of OpenSSL >>>> this is easy to use, i added support for forward secrecy to nsssl. One >>>> can new use these improved security features by adding DH parameters [2] >>>> to the server.pem file (see example in README [3]) and by using the >>>> "right" ciphers (*E*DH*, see e.g. [4]). >>>> >>>> By using these features, a web site can improve its security ratings as >>>> measured e.g. by Qualys' SSL Labs. >>>> >>>> all the best >>>> -gustaf neumann >>>> >>>> [1] >>>> http://googleonlinesecurity.blogspot.co.at/2011/11/protecting-data-for-long-term-with.html >>>> [2] https://bitbucket.org/naviserver/nsssl/src >>>> [3] http://en.wikibooks.org/wiki/OpenSSL/Diffie-Hellman_parameters >>>> [4] https://wiki.mozilla.org/Security/Server_Side_TLS >>>> ------------------------------------------------------------------------------ _______________________________________________ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel
