Rutger ter Borg
2016-06-01 07:34:54 UTC
Dear all,
I'm using a wthttpd instance to serve a Wt app. I used
https://www.ssllabs.com/ to test the quality of its security settings.
So far, the highest achievable of wthttpd is an A-, because wthttpd is
not forcing forward secrecy upon clients that do support them, but do
not prefer them. The DH param option already helps, but is not sufficient.
My guess is that wthttpd will get proper support for forward secrecy if
server-side ciphers are preferred (and use the ones that use Ephemeral
Diffie-Hellman, DHE). The following would fix this:
Modify http/Configuration:
* add a sslPreferServerCiphers() (a boolean) option
Modify http/Server, around // HTTPS and int sslOptions:
if ( config.sslPreferServerCiphers() ) {
  // OpenSSL's API is SSL_CTX_set_options (plural); the flag makes the server
  // pick from its own cipher order instead of the client's.
  SSL_CTX_set_options( native_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE );
}
Thanks,
Rutger
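The negotiation behaviour the post describes, as an added example that is not code from the original post or from Wt/wthttpd: a model of TLS 1.2 cipher-suite selection. The suite names and the two client lists are constructed for illustration. Without server preference the server walks the client's order, so a client that supports ECDHE but lists a static-RSA suite first ends up without forward secrecy; with server preference the server's own order wins.

```cpp
// Added example, not code from the original post or from Wt/wthttpd.
// Models TLS 1.2 cipher-suite selection to show why a server that walks the
// client's preference order can lose forward secrecy against a client that
// supports ECDHE/DHE but lists a plain-RSA suite first, and what changes when
// the server prefers its own order (OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE).
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>

using SuiteList = std::vector<std::string>;

// Constructed server list: ephemeral key exchange first, static-RSA fallback last.
const SuiteList kServerSuites = {
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
};

// Constructed client: supports ECDHE but happens to advertise AES128-SHA first.
const SuiteList kLegacyFirstClient = {
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
};

// Constructed client with nothing in common with the server.
const SuiteList kNoOverlapClient = {"RC4-SHA"};

// Forward secrecy comes from an ephemeral key exchange: ECDHE or DHE.
bool hasForwardSecrecy(const std::string& suite) {
    return suite.rfind("ECDHE-", 0) == 0 || suite.rfind("DHE-", 0) == 0;
}

// Return the first suite in `preferred` that `other` also offers, or "" when
// there is no overlap (a real server would send a handshake_failure alert).
// Without server preference OpenSSL walks the client's order; with
// SSL_OP_CIPHER_SERVER_PREFERENCE it walks the server's.
std::string negotiate(const SuiteList& server, const SuiteList& client,
                      bool serverPreference) {
    const SuiteList& preferred = serverPreference ? server : client;
    const SuiteList& other     = serverPreference ? client : server;
    for (const std::string& s : preferred) {
        if (std::find(other.begin(), other.end(), s) != other.end()) {
            return s;
        }
    }
    return "";
}

int main() {
    for (bool pref : {false, true}) {
        std::string chosen = negotiate(kServerSuites, kLegacyFirstClient, pref);
        std::printf("server preference %s -> %s (forward secrecy: %s)\n",
                    pref ? "on " : "off", chosen.c_str(),
                    hasForwardSecrecy(chosen) ? "yes" : "no");
    }
    return 0;
}
```

On a real OpenSSL server the two knobs are SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) and a cipher string passed to SSL_CTX_set_cipher_list that orders ECDHE and DHE suites ahead of static-RSA ones; DHE suites additionally need DH parameters loaded, which is why the DH param option helps but is not enough on its own.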