NetBSD-Users archive


Re: Problem with httpd and openssl on NetBSD-7.1



Aaron B. <aaron%zadzmo.org@localhost> wrote:

> That cipher list is the only one I've found that allows for HTTP/2,
> compatibility with older clients, and hitting an A+ on ssllabs.com all
> at once. Everything I've done tinkering on my own could only hit two of
> those three goals. 
> 
> Bozohttpd doesn't support HTTP/2, so that point isn't achievable. But
> that cipher list still works great and that's why I recommend it to
> everyone.

Indeed, it's a good list.

> I've always assumed that having a good enough OpenSSL version and
> simply enabling the proper cipher would turn on Perfect Forward
> Secrecy; however I wouldn't be surprised to be proven wrong. Code may
> still need to be modified.

I had the same working assumption, but then the choice of that cipher
list should enable PFS (because the higher ciphers listed support PFS),
and yet this doesn't happen, which I can only assume is due to the web
server software (= httpd). In fact, this is also what the warning
message from ssllabs.com indicates, namely, that the server doesn't
support PFS.

> Forward Secrecy only guards against your private key being discovered.
> Your data will still be secure without it, assuming you follow safe
> practices with the key.
> 
> Getting PFS enabled is a worthwhile thing to do. However I believe
> if bozohttpd is good enough for what you are doing, you will be safe
> enough with a mere A-minus rating. If you really need an A or A-plus,
> there's always nginx.

Yes. :-) At the beginning, Firefox was the real issue, not the A-, and
now that the Firefox issue is resolved, the A- is fine for practical
purposes.

By the way, another (easier) question about httpd: is there a way for
httpd to listen to both plain http (port 80) requests and https (port
443) requests? (Like apache.) At the moment, as far as I can tell, it's
either or, depending on whether or not '-Z ...' is set.

Thanks again.

C.
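An added check, not part of this thread, for the point about the cipher list enabling PFS: it asks the OpenSSL linked into Python to expand a cipher-list string and reports which of the matched suites use an ephemeral key exchange (the Kx= field of OpenSSL's suite description), so a list containing ECDHE/DHE suites can be confirmed to offer forward secrecy before suspecting the server side. The cipher list in the script is constructed for illustration and is not the one recommended in the thread.

```python
import re
import ssl

# Constructed cipher list for illustration only; the list recommended
# in the thread is not reproduced on the page.
SAMPLE_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-SHA"
)

# Kx= values in OpenSSL's cipher description that mean an ephemeral
# (forward-secret) key exchange. TLS 1.3 suites report "any" because
# every TLS 1.3 key exchange is ephemeral; "RSA" means static RSA key
# transport, which is exactly what forward secrecy rules out.
EPHEMERAL_KX = {"ECDH", "DH", "any"}
_KX_RE = re.compile(r"\bKx=([A-Za-z]+)")


def expand_cipher_list(cipher_list):
    """Expand a cipher-list string into the concrete suites OpenSSL
    matches for it, in preference order (list of dicts from get_ciphers())."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)  # ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def forward_secret(cipher):
    """True if a get_ciphers() entry uses an ephemeral key exchange."""
    m = _KX_RE.search(cipher["description"])
    return bool(m) and m.group(1) in EPHEMERAL_KX


def audit_cipher_list(cipher_list):
    """Split the expanded list into (pfs_names, non_pfs_names)."""
    pfs, non_pfs = [], []
    for c in expand_cipher_list(cipher_list):
        (pfs if forward_secret(c) else non_pfs).append(c["name"])
    return pfs, non_pfs


if __name__ == "__main__":
    pfs, non_pfs = audit_cipher_list(SAMPLE_CIPHER_LIST)
    print("forward-secret suites:   ", ", ".join(pfs))
    print("no forward secrecy:      ", ", ".join(non_pfs))
    if not pfs:
        print("list offers no PFS suites at all")
    elif non_pfs:
        print("list offers PFS; if a scanner still reports no PFS, the "
              "server is not negotiating the ephemeral suites")
```

If every suite in the list is forward-secret and a scanner still reports no PFS, the cipher string is not the problem; the server's key-exchange setup is.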
