Dear Gustaf

I'm installing naviserver with the amazing install-ns.sh script (it doesn't support 4.99.6 and I didn't try to get the head version with another method). So I'll wait until 4.99.6 to test the perfect forward secrecy issue.

I've already done "openssl dhparam 2048 >> server.pem" (it takes a while).

Thanks
Cesáreo

On 31/March/14 06:19, Gustaf Neumann wrote:
> You are right, adding the DHE parameters should be mentioned more
> prominently.
> i've added a few lines to the README file.
>
> -gn
>
> On 29.03.14 15:02, Cesáreo García Rodicio wrote:
>> Hi Gustaf
>>
>> OK, thanks so much. This PFS issue is not urgent in my setup. I had
>> missed "" to add DHE ciphers
>>
>> Next week I'll try the head version of NS and check again
>>
>> Thanks so much
>> Cesáreo
>>
>> On 28/March/14 17:25, Gustaf Neumann wrote:
>>> Just a short reply:
>>> - yes, forward secrecy is now supported, although i found it hard to
>>>   find a cipher set that works with all browsers perfectly.
>>> - yes, the .pem file should include the diffie hellman parameters, when
>>>   you use *DHE* ciphers. The readme on https://bitbucket.org/naviserver/nsssl
>>>   shows an example how to build such a .pem file.
>>> - in order to use all functionality on nsssl (e.g. for ns_ssl), one
>>>   should currently use the head version of NaviServer (4.99.6) until it
>>>   is released
>>>
>>> -gustaf
>>>
>>> On 28.03.14 18:05, Cesáreo García Rodicio wrote:
>>>> Dear Gustaf
>>>>
>>>> I'm using Qualys' SSL Labs to check my naviserver security ratings. My
>>>> server uses a StartSSL™ Free (Class 1) https://www.startssl.com/?app=39
>>>> and a nsssl config file (see below [1])
>>>>
>>>> I get an A- Rating and to get an A Rating I had to solve this forward
>>>> secrecy issue. So
>>>> - I assume nsssl module supports forward secrecy [2]
>>>> - My ciphers suite (ns_param ciphers "...") is right [3]
>>>> - I had to change server.pem (all-in-one private and public keys).
>>>>   Does this mean to text-edit server.pem? I couldn't see how to do it in
>>>>   the links
>>>>
>>>> Thanks
>>>> Cesáreo
>>>>
>>>> [1] My nsssl file conf
>>>>
>>>> ns_section "ns/server/${server}/module/nsssl"
>>>> ns_param certificate $serverroot/etc/certificado.pem
>>>> ns_param ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
>>>> ns_param protocols "SSLv3, TLSv1"
>>>> ns_param verify 0
>>>>
>>>> [2] Is 4.99.6 a typo in https://bitbucket.org/naviserver/nsssl/src ? I
>>>> assume nsssl 0.4 works with naviserver 4.99.5
>>>> [3] As seen on https://wiki.mozilla.org/Security/Server_Side_TLS
>>>>
>>>> On 27/January/14 17:42, Gustaf Neumann wrote:
>>>>> Dear friends,
>>>>>
>>>>> Google has implemented in 2011 "forward secrecy" via ephemeral keys and
>>>>> Diffie-Hellman key exchange in OpenSSL [1]. Since this feature of OpenSSL
>>>>> is easy to use, i added support for forward secrecy to nsssl. One
>>>>> can now use these improved security features by adding DH parameters [2]
>>>>> to the server.pem file (see example in README [3]) and by using the
>>>>> "right" ciphers (*E*DH*, see e.g. [4]).
>>>>>
>>>>> By using these features, a web site can improve its security ratings as
>>>>> measured e.g. by Qualys' SSL Labs.
>>>>>
>>>>> all the best
>>>>> -gustaf neumann
>>>>>
>>>>> [1] http://googleonlinesecurity.blogspot.co.at/2011/11/protecting-data-for-long-term-with.html
>>>>> [2] https://bitbucket.org/naviserver/nsssl/src
>>>>> [3] http://en.wikibooks.org/wiki/OpenSSL/Diffie-Hellman_parameters
>>>>> [4] https://wiki.mozilla.org/Security/Server_Side_TLS
>
> ------------------------------------------------------------------------------
> _______________________________________________
> naviserver-devel mailing list
> naviserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
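As an added illustration (not code from this thread or from nsssl), a small Python check for the two points discussed above: whether the all-in-one server.pem carries a DH PARAMETERS block after the `openssl dhparam 2048 >> server.pem` append, and which entries of a cipher string like the one in the quoted config still resolve to suites without an ephemeral key exchange. The PEM bodies are placeholders and the cipher list is a shortened form of the one quoted above; the classification uses the OpenSSL that Python's ssl module is linked against.

```python
import re
import ssl

# Constructed stand-in for the all-in-one server.pem discussed in the thread:
# key, certificate, then the block "openssl dhparam 2048 >> server.pem" appends.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholder
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDplaceholder
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIIBplaceholder
-----END DH PARAMETERS-----
"""

# Shortened form of the ns_param ciphers value quoted in the config above.
THREAD_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
                  "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:"
                  "AES256-GCM-SHA384:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK")

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
_KX = re.compile(r"Kx=(\S+)")


def pem_block_types(pem_text):
    """Labels of the PEM blocks in the file, in the order they appear."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(pem_text)]


def ready_for_dhe(pem_text):
    """True when the file holds a private key, a certificate and DH parameters."""
    types = pem_block_types(pem_text)
    return (any(t.endswith("PRIVATE KEY") for t in types)
            and "CERTIFICATE" in types and "DH PARAMETERS" in types)


def split_by_forward_secrecy(cipher_string):
    """Expand an OpenSSL cipher string and return (pfs, non_pfs) suite names:
    ephemeral (EC)DH key exchange versus plain RSA key transport."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    pfs, non_pfs = [], []
    for c in ctx.get_ciphers():
        kx = _KX.search(c["description"]).group(1)
        # TLS 1.3 suites report Kx=any; their key exchange is always ephemeral.
        if c["protocol"] == "TLSv1.3" or kx in ("ECDH", "DH"):
            pfs.append(c["name"])
        else:
            non_pfs.append(c["name"])
    return pfs, non_pfs
```

Anything listed in `non_pfs` can still be negotiated by a client that prefers it, which is what the SSL Labs forward-secrecy check reports against.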