Dear Cesáreo,
Concerning the chain issue: the .pem file can/should contain multiple
certificates (the chain).
Instructions on how to obtain the chain are usually available from your
certificate provider:
http://superuser.com/questions/644343/how-do-you-fix-an-incomplete-ssl-chain
http://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor
From the qualys report for your site, it seems as if you have not configured
HTTP Strict Transport Security correctly (see next-scripting.org for an
example) yet.
Note that you have to update and install naviserver to the tip version
for this feature.
When you connect to your site via https, check via e.g. firebug, whether
it sends the line
"Strict-Transport-Security: max-age=31536000; includeSubDomains"
in the response.
all the best
-gustaf neumann
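
Added example, not part of the original message or of NaviServer: a small checker for the response-header test described above, parsing the Strict-Transport-Security value by the RFC 6797 rules. The names parse_hsts and check_response, the use of 31536000 as the minimum max-age, and the sample headers are assumptions made for this illustration.

```python
import re

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 token chars

def parse_hsts(value):
    """Parse an HSTS value per RFC 6797 section 6.1; ValueError if invalid."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break inside header value")
    directives = {}
    for part in value.split(";"):      # simplification: no ';' inside quotes
        part = part.strip()
        if not part:                   # empty directives are permitted
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()    # directive names are case-insensitive
        if not TOKEN.fullmatch(name):
            raise ValueError("bad directive name: %r" % name)
        if name in directives:         # each directive may appear only once
            raise ValueError("duplicate directive: " + name)
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]            # quoted-string form is allowed
        directives[name] = val if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age missing or not a non-negative integer")
    directives["max-age"] = int(max_age)
    return directives

def check_response(headers, min_age=31536000):
    """Return (ok, reason) for a list of (name, value) response headers."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "header not sent"
    try:
        d = parse_hsts(values[0])      # only the first such field is processed
    except ValueError as exc:
        return False, str(exc)
    if d["max-age"] < min_age:
        return False, "max-age below %d" % min_age
    if "includesubdomains" not in d:
        return False, "includeSubDomains missing"
    return True, "ok"

# Constructed sample: the header line quoted in the message above.
SAMPLE = [("Content-Type", "text/html"),
          ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]

if __name__ == "__main__":
    print(check_response(SAMPLE))
```
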
On 22.04.14 16:23, Cesáreo García Rodicio wrote:
Gustaf,
Amazing Work! I built nsssl 0.6 and added extraheaders and it seems to
work fine.
But I still have some "chain issues" (I only get an A rating, not A+).
Do I have to add, I mean "echo whatever >> certificate.pem", to
certificate.pem?
On 12/April/14 14:54, Gustaf Neumann wrote:
One more update: There is now an additional feature in NaviServer to
allow a site admin to
add extra reply header fields with little effort. The nssock and nsssl
drivers accept a new parameter
extraheaders which contains an attribute/value list of extra reply
header fields. By using e.g.
    ns_section ns/server/${servername}/module/nsssl
    ...
    ns_param extraheaders { Strict-Transport-Security "max-age=31536000; includeSubDomains"}
    ...
one can activate HTTP Strict Transport Security (HSTS) for https
connections. With this activated,
one can obtain an "A+" rating with NaviServer + ssl from Qualys SSL Labs.
all the best
-gustaf neumann
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
http://dev.chromium.org/sts
https://tools.ietf.org/html/rfc6797
On 10.04.14 11:53, Gustaf Neumann wrote:
Dear Friends,
the bitbucket repository contains a new version of the nsssl module of
NaviServer that
makes it easier to obtain from Qualys SSL Labs an "A" rating with
actual versions
of openssl by supporting more ciphers.
All the best
-gustaf neumann
New in Version 0.5:
- Support for Elliptic Curve Cryptography
(such as Elliptic Curve Diffie-Hellman (ECDH))
- Provide compiled-in defaults for DH parameters
- Handling several SSL and TLS bugs.
- Deactivated SSLv2
_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel