Project

General

Profile

Actions

kanban #5530

closed

SSL with Perfect Forward Encryption

Added by Valio about 11 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
15 July 2013
Due date:
% Done:

0%

Estimated time:

Description

Has the use of Perfect Forward Encryption [1] for the SSL connections been considered?
If yes, what argument stood in opposition to it?
If no, I would like to put forward the motion to consider this mechanism and - if adopted - consider options to promote it.

[1] http://blogs.computerworld.com/encryption/22366/can-nsa-see-through-encrypted-web-pages-maybe-so


Related issues 3 (0 open3 closed)

Blocked by Digitale Infrastruktur - kanban #5935: Schlüssel serverseitig Bevorzugenk_done26 October 2013

Actions
Blocked by Digitale Infrastruktur - kanban #5936: Support TLS 1.2k_done26 October 2013

Actions
Blocks Digitale Infrastruktur - kanban #5934: [meta] Verschlüsselung verbessernk_backlog26 October 2013

Actions
Actions #1

Updated by tengu about 11 years ago

Hello,

good point indeed. I spent some times on my own server regarding the Forward SSL stuff on Nginx. Here's what I have working now:

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 10m;

ssl_certificate     PATH/TO/CERT;
ssl_certificate_key PATH/TO/KEY;

ssl_protocols SSLv3 TLSv1.2 TLSv1.1 TLSv1;

ssl_prefer_server_ciphers on;
# enable forward-secrecy, mitigate BEAST
ssl_ciphers ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:AES256-SHA256:AES128-SHA256:AES128-SHA:HIGH:!MD5:!aNULL:!EDH;

With this "simple" setup, I have some good grade on SSL configuration: https://www.ssllabs.com/ssltest/analyze.html?d=www.swisstengu.ch

Hope this helps the AG-DI to implement this (alongside with HSTS1 if not already done ;) )

Cheers,

C.

[1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security - in nginx:

server {
  listen 443 ssl;
  …
  add_header Strict-Transport-Security "max-age=31536000";
}

Actions #2

Updated by oschad about 11 years ago

  • Tracker changed from Motion to kanban
  • Status changed from New to k_backlog
Actions #4

Updated by jowi almost 11 years ago

ECDHE Protokoll sollte unterstützt werden

Actions #5

Updated by jowi over 9 years ago

  • Assignee set to janfader
Actions #6

Updated by jowi over 9 years ago

dhparam muss gesetzt werden (Logjam). Evt ist dazu ein Update von nginx nötig. Bei dieser Gelegenheit könnte auch gleich SPDY aktiviert werden.
Ciphers ohne FS sollten deaktiviert werden (deprectaed in TLS 1.3 draft)

Actions #7

Updated by jowi almost 9 years ago

  • Status changed from k_backlog to Closed
Actions

Also available in: Atom PDF