[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Problem with httpd and openssl on NetBSD-7.1
Aaron B. <aaron%zadzmo.org@localhost> wrote:
> That cipher list is the only one I've found that allows for HTTP/2,
> compatibility with older clients, and hitting an A+ on ssllabs.com all
> at once. Everything I've done tinkering on my own could only hit two of
> those three goals.
> Bozohttpd doesn't support HTTP/2, so that point isn't achievable. But
> that cipher list is still works great and that's why I recommend it to
Indeed, it's a good list.
> I've always assumed that having a good enough OpenSSL version and
> simply enabling the proper cipher would turn on Perfect Forward
> Secrecy; however I wouldn't be surprised to be proven wrong. Code may
> still need to be modified.
I had the same working assumption, but then the choice of that cipher
list should enable PFS (because the higher ciphers listed support PFS),
and yet this doesn't happen, which I can only assume is due to the web
server software (= httpd). In fact, this is also what the warning
message from ssllabs.com indicates, namely, that the server doesn't
> Forward Secrecy only guards against your private key being discovered.
> Your data will still be secure without it, assuming you follow safe
> practices with the key.
> Getting PFS enabled is a worthwhile thing to do. However I believe
> if bozohttpd is good enough for what you are doing, you will be safe
> enough with a mere A-minus rating. If you really need an A or A-plus,
> there's always nginx.
Yes. :-) At the beginning, Firefox was the real issue, not the A-, and
now that the Firefox issue is resolved, the A- is fine for practical
By the way, another (easier) question about httpd: is there a way for
httpd to listen to both plain http (port 80) requests and https (port
443) requests? (Like apache.) At the moment, as far as I can tell, it's
either or, depending on whether or not '-Z ...' is set.
Main Index |
Thread Index |