Aaron B. <aa...@zadzmo.org> wrote:

> That cipher list is the only one I've found that allows for HTTP/2,
> compatibility with older clients, and hitting an A+ on ssllabs.com all
> at once. Everything I've done tinkering on my own could only hit two of
> those three goals.
>
> Bozohttpd doesn't support HTTP/2, so that point isn't achievable. But
> that cipher list still works great and that's why I recommend it to
> everyone.

Indeed, it's a good list.

> I've always assumed that having a good enough OpenSSL version and
> simply enabling the proper cipher would turn on Perfect Forward
> Secrecy; however I wouldn't be surprised to be proven wrong. Code may
> still need to be modified.

I had the same working assumption, but then the choice of that cipher list should enable PFS (because the higher ciphers listed support PFS), and yet this doesn't happen, which I can only assume is due to the web server software (= httpd). In fact, this is also what the warning message from ssllabs.com indicates, namely, that the server doesn't support PFS.

> Forward Secrecy only guards against your private key being discovered.
> Your data will still be secure without it, assuming you follow safe
> practices with the key.
>
> Getting PFS enabled is a worthwhile thing to do. However I believe
> if bozohttpd is good enough for what you are doing, you will be safe
> enough with a mere A-minus rating. If you really need an A or A-plus,
> there's always nginx.

Yes. :-)

At the beginning, Firefox was the real issue, not the A-, and now that the Firefox issue is resolved, the A- is fine for practical purposes.

By the way, another (easier) question about httpd: is there a way for httpd to listen to both plain http (port 80) requests and https (port 443) requests? (Like apache.) At the moment, as far as I can tell, it's either or, depending on whether or not '-Z ...' is set.

Thanks again.

C.
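The thread's puzzle is that a cipher list containing ECDHE/DHE suites does not by itself give forward secrecy: with OpenSSL releases before 1.1.0, the server code also has to enable ECDH (SSL_CTX_set_ecdh_auto or SSL_CTX_set_tmp_ecdh) and supply DH parameters (SSL_CTX_set_tmp_dh) before those suites can actually be negotiated, which is why ssllabs.com can report "no PFS" against a PFS-capable list. The script below is an added example for this thread, not code from the poster or from bozohttpd. It separates what is configured from what is negotiated: it sorts the suites in an OpenSSL-style cipher string by key exchange, optionally expands keywords such as HIGH through the local OpenSSL via Python's ssl module, and can connect to a server to see which suite it really picks. The cipher list used as input is constructed for illustration; the classification relies on OpenSSL's naming convention (ECDHE-/DHE-/EDH- prefixes for ephemeral key exchange, TLS_ for TLS 1.3 suites, which are always ephemeral).

```python
"""Tell "cipher list allows PFS" apart from "server negotiates PFS".

Added example for this thread (not the poster's or bozohttpd's code).
Assumes OpenSSL-style suite names: ECDHE-*, DHE-* (EDH-* in old OpenSSL)
and all TLS 1.3 suites (TLS_*) use an ephemeral key exchange and therefore
give forward secrecy; suites like AES256-SHA use static RSA key exchange,
so a later leak of the server key decrypts recorded sessions.
"""
import socket
import ssl

# TLS_ covers TLS 1.3 suites, whose key exchange is always (EC)DHE.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")


def has_forward_secrecy(name: str) -> bool:
    """True if the named suite uses an ephemeral (EC)DH key exchange."""
    return name.upper().startswith(PFS_PREFIXES)


def is_keyword(entry: str) -> bool:
    """Cipher-string entries that are not concrete suite names:
    modifiers (!aNULL, -MD5, +SHA), directives (@STRENGTH), groups (HIGH),
    and combinations (ECDH+AESGCM). Expanding them needs OpenSSL itself."""
    return (entry[0] in "!-+@" or "+" in entry
            or ("-" not in entry and not entry.startswith("TLS_")))


def classify_cipher_list(cipher_list: str) -> dict:
    """Split a colon-separated OpenSSL cipher string into
    pfs / no_pfs suites and unexpanded keywords, preserving order."""
    result = {"pfs": [], "no_pfs": [], "keywords": []}
    for entry in filter(None, cipher_list.split(":")):
        if is_keyword(entry):
            result["keywords"].append(entry)
        elif has_forward_secrecy(entry):
            result["pfs"].append(entry)
        else:
            result["no_pfs"].append(entry)
    return result


def expand_with_openssl(cipher_list: str) -> list:
    """Let the local OpenSSL expand the string (keywords included) and return
    (suite name, key-exchange) pairs as the library sees them. Output depends
    on the OpenSSL build, so it is shown rather than asserted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [(c["name"], c["kea"]) for c in ctx.get_ciphers()]


def negotiated_cipher(host: str, port: int = 443, timeout: float = 10.0) -> tuple:
    """Connect as a modern client and report (suite, protocol, pfs?) for the
    suite the server actually chose. This is the check ssllabs performs;
    a configured list is no proof the server can use its PFS suites."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            return name, proto, has_forward_secrecy(name)


if __name__ == "__main__":
    # Constructed sample list mixing PFS suites, static-RSA suites and keywords.
    sample = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
              "DHE-RSA-AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:"
              "HIGH:!aNULL:!MD5:@STRENGTH")
    for bucket, names in classify_cipher_list(sample).items():
        print(f"{bucket:9s} {names}")
    for name, kea in expand_with_openssl(sample):
        print(f"{kea:9s} {name}")
    # Against a real host: print(negotiated_cipher("example.invalid"))
```

Run it without arguments to see the configured list sorted by key exchange and expanded by the local OpenSSL; then call negotiated_cipher() against your own server. If the list contains ECDHE/DHE suites but the negotiated suite comes back as a plain RSA one (pfs False), the problem is in the server's TLS setup, not in the cipher string.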