NetBSD-Users archive


Re: Problem with httpd and openssl on NetBSD-7.1



On Tue, 02 May 2017 00:32:50 +0200
Christopher Pinon <cjpinon%secondfloor.xyz@localhost> wrote:

> Jeff, thanks for the reminder of that man page. I've just tried '-z
> ALL', which similarly makes Firefox happy, but unfortunately, the score
> that I then get at ssllabs.com drops to B. :-( In this respect, the
> explicit listing that Aaron referred me to is more successful, because
> the score in this case is A-.
> 

That cipher list is the only one I've found that allows for HTTP/2,
compatibility with older clients, and hitting an A+ on ssllabs.com all
at once. Everything I've done tinkering on my own could only hit two of
those three goals. 

Bozohttpd doesn't support HTTP/2, so that point isn't achievable. But
that cipher list still works great, and that's why I recommend it to
everyone.


> I've now begun to suspect that httpd doesn't (yet?) support a cipher
> suite with Forward Secrecy (this is the obstacle to a score of A), but
> it would be great if someone could confirm this suspicion.
>

I've always assumed that having a good enough OpenSSL version and
simply enabling the proper cipher would turn on Perfect Forward
Secrecy; however I wouldn't be surprised to be proven wrong. Code may
still need to be modified.

Forward Secrecy only guards against your private key being discovered.
Your data will still be secure without it, assuming you follow safe
practices with the key.

Getting PFS enabled is a worthwhile thing to do. However I believe
if bozohttpd is good enough for what you are doing, you will be safe
enough with a mere A-minus rating. If you really need an A or A-plus,
there's always nginx.

-- 
Aaron B. <aaron%zadzmo.org@localhost>
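The thread turns on whether the cipher list handed to bozohttpd's -z option actually contains forward-secret suites (ECDHE/DHE key exchange) rather than plain RSA key exchange. The following is an added example, not code from Aaron, Christopher, or the bozohttpd project: it parses the output of `openssl ciphers -v '<list>'` (a real OpenSSL subcommand) and separates suites whose key exchange is ephemeral from those whose key exchange is static. The `SAMPLE_CIPHERS_V` text is a constructed sample in that output format, not captured from any host; the function names are my own. It also treats static ECDH suites (printed as `Kx=ECDH/RSA`) as non-forward-secret, a distinction that is easy to miss when eyeballing the list.

```python
"""Classify OpenSSL cipher suites by whether their key exchange offers forward secrecy.

Input format is that of `openssl ciphers -v '<cipher-list>'`, one suite per line:
    NAME  PROTOCOL  Kx=<key exchange>  Au=<auth>  Enc=<cipher>  Mac=<mac>
"""
import re
import shutil
import subprocess

# Constructed sample of `openssl ciphers -v` output (assumption: not from any real server).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# OpenSSL prints Kx=ECDH for ECDHE suites and Kx=DH for DHE suites: a fresh
# (EC)DH secret per handshake, so a later key compromise does not decrypt old
# sessions. Static suites print Kx=ECDH/RSA, Kx=DH/RSA, Kx=RSA, ... and do not qualify.
FORWARD_SECRET_KX = {"ECDH", "DH"}

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text):
    """Return one dict per suite line; blank or unparseable lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def has_forward_secrecy(suite):
    """TLS 1.3 suites (printed Kx=any) are always (EC)DHE; otherwise check Kx."""
    if suite["proto"] == "TLSv1.3":
        return True
    return suite["kx"] in FORWARD_SECRET_KX


def audit(text):
    """Split suite names into (forward-secret, not-forward-secret), keeping OpenSSL's order."""
    suites = parse_ciphers_v(text)
    pfs = [s["name"] for s in suites if has_forward_secrecy(s)]
    no_pfs = [s["name"] for s in suites if not has_forward_secrecy(s)]
    return pfs, no_pfs


def forward_secret_cipher_string(text):
    """Build a colon-separated cipher string containing only the forward-secret suites."""
    pfs, _ = audit(text)
    return ":".join(pfs)


def openssl_ciphers_v(cipher_list):
    """Expand a cipher-list string with the local openssl; None if openssl is missing or rejects it."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_list],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    # Try the real toolchain first; fall back to the constructed sample offline.
    text = openssl_ciphers_v("ALL") or SAMPLE_CIPHERS_V
    pfs, no_pfs = audit(text)
    print("forward-secret suites:     ", len(pfs))
    print("NOT forward-secret suites: ", len(no_pfs))
    for name in no_pfs:
        print("  drop:", name)
    print("suggested cipher string:", forward_secret_cipher_string(text))
```

Run it on the same cipher string you pass to bozohttpd's -z (for example `python3 audit.py` after changing "ALL" to that string) and compare the two counts: if any suite lands in the "drop" list, a client that prefers it will negotiate a session without forward secrecy, which is exactly what the ssllabs.com grader penalises.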

