On 04.04.14 19:32, Cesáreo García Rodicio wrote:
> Dear Gustaf,
>
> I had tried that (HEAD instead of 4.99.5) BUT not with most recent
> version from the repository ;-)
>
> But it didn't work (it keeps warning me about PFS).

Note that the nsssl driver does not implement PFS secrecy, but configures OpenSSL to use it. The achieved levels depend on the version of OpenSSL and the configuration parameters (mostly the configured ciphers).

See what we are using (without spending much time to get the perfect values) on next-scripting.org:

  https://www.ssllabs.com/ssltest/analyze.html?d=next-scripting.org

ssllabs gives for this an A- ranking with protocol support 95%, but complains "The server does not support Forward Secrecy with the reference browsers". If one scrolls down to the "Handshake Simulation" section, one can see that forward secrecy works with the used parameters on most browsers except IE6+IE8 on Windows XP, YandexBot 3.0 and Java; the latter fails, since we use DH parameters > 1024 bits.

We are using the following parameters:

  ns_param ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
  ns_param protocols "!SSLv2:!SSLv3"

If someone comes up with a "better" cipher set, let us know.

> Silly Note about install-ns.sh
> I have postgres already installed so I remove "postgres and
> postgres-devel" in install-ns.sh. Perhaps it might be a good idea to conf
> that via something like with_postgres=0 .

Good idea. I've just now updated the install script in the wiki.

_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
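Since the mail above stresses that the achieved PFS level depends on the OpenSSL build rather than on nsssl itself, here is an added example (not code from this thread or from NaviServer) that feeds the posted ns_param ciphers value through Python's ssl module, which calls OpenSSL's SSL_CTX_set_cipher_list(), and reports which enabled suites offer forward secrecy and which posted suite names the local OpenSSL does not know at all. The kea tags and the helper names are this example's own assumptions about the ssl module's get_ciphers() output.

```python
import ssl

# nsssl "ciphers" value posted for next-scripting.org in the mail above (copied verbatim).
NSSSL_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:"
    "RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
)
# key-exchange tags that SSLContext.get_ciphers() reports for ephemeral (EC)DH (assumed names)
PFS_KEX = {"kx-ecdhe", "kx-dhe"}

def is_pfs(cipher):
    """Forward secrecy: ephemeral (EC)DH key exchange, or any TLS 1.3 suite (always ephemeral)."""
    return cipher["protocol"] == "TLSv1.3" or cipher["kea"] in PFS_KEX

def expand_cipher_list(cipher_string):
    """Expand the string with the local OpenSSL, as SSL_CTX_set_cipher_list() does.
    What comes out (and so the achieved PFS level) depends on the OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # no entry of the string is usable with this OpenSSL
    return ctx.get_ciphers()

def forward_secrecy_report(cipher_string):
    """Enabled suites split into PFS / non-PFS, each list in server preference order."""
    enabled = expand_cipher_list(cipher_string)
    return {"pfs": [c["name"] for c in enabled if is_pfs(c)],
            "no_pfs": [c["name"] for c in enabled if not is_pfs(c)]}

def unsupported_entries(cipher_string):
    """Explicit suite names the local OpenSSL does not offer at all (e.g. the RC4 suites on
    builds without RC4); keywords like HIGH, AES128 or kEDH+AESGCM are not checked."""
    known = {c["name"] for c in expand_cipher_list("ALL:COMPLEMENTOFALL")}
    return [e for e in cipher_string.split(":")
            if "-" in e and not e.startswith("!") and "+" not in e and e not in known]

if __name__ == "__main__":
    report = forward_secrecy_report(NSSSL_CIPHERS)
    print("PFS suites:", len(report["pfs"]), "non-PFS suites:", report["no_pfs"])
    print("entries unknown to this OpenSSL:", unsupported_entries(NSSSL_CIPHERS))
```

The non-PFS list is what ssllabs' "Forward Secrecy" line is about: a client that only shares those suites with the server gets a static RSA key exchange.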