On 2014-04-16 06:50, [email protected] wrote:

So I was wondering: is it possible to configure archiveopteryx in a way that enables forward secrecy?

The best answer I have is to terminate your SSL with Stunnel, not the built-in SSL. Stunnel will let you configure PFS.

This is also what Colin Percival noted he did for his Tarsnap website, and as a result any Heartbleed attack only gets the SSL key, not any in-memory sensitive data such as user accounts, passwords, etc., as the SSL termination is done in a different process / memory space altogether. Combined with PFS, the compromise of your SSL key is not such a big deal after all; just a nuisance.

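An added illustration of the setup the reply describes (not part of the original message, and not a configuration taken from Archiveopteryx or Tarsnap): a stunnel.conf that terminates TLS in a separate unprivileged process and offers only ephemeral ECDH key exchange. The file paths, the `stunnel` user, the service name, and the assumption that Archiveopteryx serves plaintext IMAP on 127.0.0.1:143 are placeholders.

```ini
; stunnel.conf -- added example; paths, user and ports are assumptions

; Run the TLS terminator as its own unprivileged, chrooted process so the
; private key lives in a different address space from the mail server.
setuid = stunnel
setgid = stunnel
chroot = /var/lib/stunnel
; pid path is relative to the chroot
pid = /stunnel.pid

; Certificate and key (placeholder paths), read before the chroot takes effect
cert = /etc/stunnel/mail.example.org.crt
key = /etc/stunnel/mail.example.org.key

; Disable the legacy protocol versions
options = NO_SSLv2
options = NO_SSLv3

; Use the server's cipher order rather than the client's
options = CIPHER_SERVER_PREFERENCE

; Forward secrecy: allow only suites with ephemeral ECDH key exchange.
; Static-RSA key exchange is not listed, so a key that leaks later cannot
; be used to decrypt previously recorded sessions.
ciphers = EECDH+AESGCM:EECDH+AES:!aNULL:!eNULL

[imaps]
; Public TLS listener
accept = 993
; Plaintext backend, reachable on loopback only (assumed Archiveopteryx IMAP)
connect = 127.0.0.1:143
```

Clients that support no ECDHE suite will fail the handshake under this cipher list, and the backend should listen on loopback only so the plaintext port is not reachable from the network.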