
Re: [Sks-devel] HKPS SSL Ciphers


From: Benny Baumann
Subject: Re: [Sks-devel] HKPS SSL Ciphers
Date: Tue, 11 Feb 2014 19:05:36 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

Hi guys,

On 11.02.2014 14:16, Stephan Seitz wrote:
> Hi guys,
>
> since I've recently checked (and understood :) ) the difference of SSL
> ciphers, I've built up a cipher list which is currently used on
> keyserver.secretresearchfacility.com (part of hkps pool)
>
> The following syntax is for Apache, but can easily be changed for
> lighttpd or nginx.
>
> SSLEngine on
> SSLProtocol All -SSLv2 -SSLv3
> SSLHonorCipherOrder On
> SSLCompression off
> SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256:SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

I'm using mod_gnutls on my server with special regard to strong
protection with PFS where available and enforced 256 bit cipher strength.

Configuration goes something along the lines of:
    GnuTLSEnable on
    GnuTLSCertificateFile domain.crt.chain
    GnuTLSKeyFile key.key
    GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:!MD5:!ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:!CAMELLIA-128-CBC:-AES-256-CBC:!AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+AEAD:+SHA512:+SHA384:+SHA256:+AES-256-GCM:+SHA1:+VERS-TLS1.0:-DHE-RSA:-RSA:+DHE-RSA:+DHE-DSS:+RSA:+SRP:+CAMELLIA-256-CBC:+AES-256-CBC:-VERS-SSL3.0:%SERVER_PRECEDENCE
    GnuTLSDHFile dhparam.dh.pem
    Header add Strict-Transport-Security "max-age=15768000"

Please note that this enforces at least TLS 1.0 with 256-bit ciphers
(AES or Camellia) and kicks out everything below 256 bit, especially
RC4, DES, 3DES. The DHE KEX uses a 13kBit prime, but due to the small
certificate it will be reduced to about 8192 bit.

Unfortunately I'm still fighting with a bug with mod_gnutls and
mod_proxy not quite liking each other.
But I hope to resolve that one soon.
>
>
>
> Apache 2.2 shipped with Centos6, Debian7 and Ubuntu 12.04 LTS are too
> old.
> If you want to take the most out of EC, use a very recent Apache 2.2 or
> move over to 2.4.
> Nginx and lighttpd don't have that limitation of EC cipher usage.
Running Apache 2.4.7 with mod_gnutls (trunk 0.5.10+) and GnuTLS 3.2.10
on Debian (Stable+Testing+Unstable+Experimental+OwnBuilds).
>
>
>
> Cheers,
>
> Stephan
>



Attachment: signature.asc
Description: OpenPGP digital signature
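
An added example, not part of either message and not code from the SKS project: a Python audit that expands the Apache `SSLCipherSuite` string quoted above and flags suites that miss the goals stated in the reply (forward secrecy, 256-bit strength, no RC4/DES/3DES). The names `expand`, `audit` and `SAMPLE` are hypothetical; the expansion reflects the local OpenSSL build rather than the server's mod_ssl, and the GnuTLS priority string is not covered because OpenSSL cannot parse it.

```python
import ssl

# Cipher string from the quoted Apache config, with the e-mail line wraps removed.
THREAD_CIPHERS = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:"
    "CAMELLIA256:SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)

# Key exchanges that give forward secrecy; TLS 1.3 suites report "kx-any".
PFS_KEX = {"kx-dhe", "kx-ecdhe", "kx-any"}
# Ciphers the reply names as unwanted (3DES is reported as "des-ede3-...").
UNWANTED = ("rc4", "des")

# Constructed sample shaped like ssl.SSLContext.get_ciphers() entries.
SAMPLE = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "kea": "kx-ecdhe",
     "strength_bits": 256, "symmetric": "aes-256-gcm"},
    {"name": "DHE-RSA-CAMELLIA256-SHA", "kea": "kx-dhe",
     "strength_bits": 256, "symmetric": "camellia-256-cbc"},
    {"name": "AES128-SHA", "kea": "kx-rsa",
     "strength_bits": 128, "symmetric": "aes-128-cbc"},
    {"name": "DES-CBC3-SHA", "kea": "kx-rsa",
     "strength_bits": 112, "symmetric": "des-ede3-cbc"},
]

def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()

def audit(suites, min_bits=256):
    """Map suite name -> findings for suites missing PFS or the strength floor."""
    report = {}
    for s in suites:
        findings = []
        if s["kea"] not in PFS_KEX:
            findings.append("no forward secrecy")
        if s["strength_bits"] < min_bits:
            findings.append("%d-bit cipher" % s["strength_bits"])
        if (s["symmetric"] or "").startswith(UNWANTED):
            findings.append("unwanted cipher " + s["symmetric"])
        if findings:
            report[s["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(expand(THREAD_CIPHERS)).items():
        print(name, "->", ", ".join(findings))
```

Running it on the host that terminates TLS shows which suites that OpenSSL version actually enables for the string, which can differ from what the string's author saw in 2014.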

