On Tue, 02 May 2017 00:32:50 +0200 Christopher Pinon <cjpi...@secondfloor.xyz> wrote:
> Jeff, thanks for the reminder of that man page. I've just tried '-z
> ALL', which similarly makes Firefox happy, but unfortunately, the score
> that I then get at ssllabs.com drops to B. :-( In this respect, the
> explicit listing that Aaron referred me to is more successful, because
> the score in this case is A-.
>

That cipher list is the only one I've found that allows for HTTP/2, compatibility with older clients, and hitting an A+ on ssllabs.com all at once. Everything I've done tinkering on my own could only hit two of those three goals. Bozohttpd doesn't support HTTP/2, so that point isn't achievable. But that cipher list still works great and that's why I recommend it to everyone.

> I've now begun to suspect that httpd doesn't (yet?) support a cipher
> suite with Forward Secrecy (this is the obstacle to a score of A), but
> it would be great if someone could confirm this suspicion.
>

I've always assumed that having a good enough OpenSSL version and simply enabling the proper cipher would turn on Perfect Forward Secrecy; however I wouldn't be surprised to be proven wrong. Code may still need to be modified.

Forward Secrecy only guards against your private key being discovered. Your data will still be secure without it, assuming you follow safe practices with the key.

Getting PFS enabled is a worthwhile thing to do. However I believe if bozohttpd is good enough for what you are doing, you will be safe enough with a mere A-minus rating. If you really need an A or A-plus, there's always nginx.

-- 
Aaron B. <aa...@zadzmo.org>
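As an added example, not part of this thread or of bozohttpd: a short Python script that expands an OpenSSL cipher string (such as the value handed to bozohttpd's -z option, including the 'ALL' tried above) through the local OpenSSL build, the same expansion `openssl ciphers -v` performs, and reports which suites use ephemeral ECDHE/DHE key exchange and therefore provide forward secrecy. The function names and the sample cipher strings are my own; the kx-* key-exchange labels are what Python's ssl module reports from OpenSSL.

```python
import ssl

# Key-exchange labels OpenSSL reports for ephemeral (forward-secret) exchanges.
# TLS 1.3 suites report "kx-any" because every TLS 1.3 handshake is ephemeral.
EPHEMERAL_KX = ("kx-ecdhe", "kx-dhe")


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the suites this OpenSSL build
    would actually offer for it (raises ssl.SSLError if nothing matches)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def provides_forward_secrecy(cipher):
    """True when the suite's key exchange is ephemeral (ECDHE/DHE or TLS 1.3)."""
    if cipher.get("protocol") == "TLSv1.3":
        return True
    return (cipher.get("kea") or "").startswith(EPHEMERAL_KX)


def forward_secrecy_report(cipher_string):
    """Split the expanded cipher string into forward-secret and non-forward-secret
    suite names, preserving OpenSSL's preference order."""
    fs, no_fs = [], []
    for cipher in expand_cipher_string(cipher_string):
        (fs if provides_forward_secrecy(cipher) else no_fs).append(cipher["name"])
    return {"forward_secrecy": fs, "no_forward_secrecy": no_fs}


if __name__ == "__main__":
    # Constructed comparison: the broad 'ALL' string from the thread versus a
    # string that only admits ephemeral key exchange.
    for candidate in ("ALL", "ECDHE+AESGCM:DHE+AESGCM"):
        report = forward_secrecy_report(candidate)
        print(f"{candidate}: {len(report['forward_secrecy'])} with FS, "
              f"{len(report['no_forward_secrecy'])} without")
        for name in report["no_forward_secrecy"][:5]:
            print("  no forward secrecy:", name)
```

Run it against the exact string passed to -z before deploying: every entry under "no forward secrecy" is a suite a client may negotiate that ssllabs.com will not count as forward secret.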