Dear Gustaf,

I get the same A- grade: https://www.ssllabs.com/ssltest/analyze.html?d=cesareox.com (because of PFS)

My ciphers and protocols:

ns_param ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
ns_param protocols "SSLv3, TLSv1"

As seen on: https://wiki.mozilla.org/Security/Server_Side_TLS

> openssl version
OpenSSL 0.9.8y 5 Feb 2013

I've upgraded install-ns.sh (with_postgres=0) and it works nicely ;-)

Thanks!

Cesáreo

--- side effect of using head version ---
I was using 4.99.5 for some days on my production server and I had some "Fatal: received fatal signal 11" errors. But now it seems to work nicely.

On 04/April/14 15:19, Gustaf Neumann wrote:
> On 04.04.14 19:32, Cesáreo García Rodicio wrote:
>> Dear Gustaf,
>>
>> I had tried that (HEAD instead of 4.99.5) BUT not with the most recent
>> version from the repository ;-)
>>
>> But it didn't work (it keeps warning me about PFS).
> Note that the nsssl driver does not implement PFS secrecy, but
> configures OpenSSL to use it.
> The achieved levels depend on the version of OpenSSL and the
> configuration parameters (mostly the configured ciphers).
>
> See what we are using (without spending much time to get the perfect
> values) on next-scripting.org:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=next-scripting.org
>
> ssllabs gives for this an A- ranking with protocol support 95%, but
> complains:
> "The server does not support Forward Secrecy with the reference browsers".
>
> If one scrolls down to the "Handshake Simulation" section, one can see that
> forward secrecy works with the used parameters on most browsers
> except IE6+IE8 on Windows XP, YandexBot3.0 and Java; the latter fails,
> since we use DH parameters > 1024 bits.
>
> We are using the following parameters:
>
> ns_param ciphers
> "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
> ns_param protocols "!SSLv2:!SSLv3"
>
> If someone comes up with a "better" cipher set, let us know.
>> Silly note about install-ns.sh
>> I have postgres already installed so I removed "postgres and
>> postgres-devel" in install-ns.sh. Perhaps it might be a good idea to configure
>> that via something like with_postgres=0 .
> good idea. i've just now updated the install script in the wiki.
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> naviserver-devel mailing list
> naviserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
> ------------------------------------------------------------------------------
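The cipher list quoted in this thread, sorted by the key exchange each entry implies: the static-RSA suites left at the end of the list (AES128-GCM-SHA256, AES256-GCM-SHA384, RC4-SHA) are what a client without ECDHE/DHE support falls back to, which is the fallback ssllabs reports as a forward-secrecy gap. This is an added example, not NaviServer or nsssl code; the `classify` and `findings` functions and the `THREAD_CIPHERS` constant are mine, and the static-RSA judgement rests on OpenSSL's suite-naming convention, so aliases such as HIGH are reported as unresolved rather than guessed.

```python
"""Classify an OpenSSL cipher string (the nsssl ns_param ciphers value)
by the key exchange each entry implies. Added example, not NaviServer
code. Rule: an explicit suite name without an ECDHE-/DHE- prefix, e.g.
AES128-GCM-SHA256, uses static RSA key exchange and so gives no forward
secrecy; aliases such as HIGH expand at runtime and are only reported."""

PFS_KEX = ("ECDHE-", "DHE-", "kEDH", "kEECDH")  # ephemeral key exchange
ALIASES = {"HIGH", "MEDIUM", "LOW", "AES128", "AES256", "AESGCM", "RC4",
           "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}

def _is_pfs(entry):
    # "kEDH+AESGCM" is an intersection of groups; an ephemeral
    # key-exchange component makes every suite it selects forward secret.
    return any(part.startswith(PFS_KEX) for part in entry.split("+"))

def classify(cipher_string):
    """Group entries as pfs / static_rsa / alias / excluded."""
    groups = {"pfs": [], "static_rsa": [], "alias": [], "excluded": []}
    for entry in (e.strip() for e in cipher_string.split(":")):
        if not entry:
            continue
        if entry.startswith("!"):
            groups["excluded"].append(entry[1:])
        elif _is_pfs(entry):
            groups["pfs"].append(entry)
        elif entry in ALIASES or "+" in entry:
            groups["alias"].append(entry)
        else:
            groups["static_rsa"].append(entry)
    return groups

def findings(cipher_string):
    """Entries that let a client without ECDHE/DHE fall back to static RSA
    (the cause of an ssllabs forward-secrecy complaint) plus RC4 suites."""
    groups = classify(cipher_string)
    rc4 = [e for e in groups["pfs"] + groups["static_rsa"] if "RC4" in e]
    return {"non_pfs_suites": groups["static_rsa"],
            "unresolved_aliases": groups["alias"],
            "rc4_suites": rc4}

# The cipher list quoted in the thread above (split only for line length).
THREAD_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:"
    "AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK")
```

Running `findings(THREAD_CIPHERS)` lists the three static-RSA suites and three RC4 suites above; dropping those entries is what removes the fallback, while Java's failure in the handshake simulation is a separate DH-parameter-size issue the cipher list does not change.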