Hello HN, author of Server Side TLS [1] and co-maintainer of the conf generator here. Thanks for pushing this tool to the front page :) We've been improving our guidelines and this generator for the past year and a half, and while it in a pretty good shape, we always welcome comments and pull requests.
One comment that we get very often regards the ordering of the recommended ciphersuite. We've made some choices that are documented in [2] such as, for example, preferring AES 128 to 256 or maintaining compatibility with CAMELLIA and DES-CBC3-SHA in the intermediate configuration. The best place to discuss these choices is probably the `talk` section of the wiki page [3].
Feature request: can openssl version and nginx version be dropdowns? For example, I know I'm on latest stable nginx, but I don't know what exact version number it is, and it's not obvious that the configuration will change if you update these values.
@IgorPartola, sure thing (author of the conf generator here)! Go and and request it here ( https://github.com/mozilla/server-side-tls/issues ) and if you've got a lead on a canonical list of versions to work from that would help.
You can find a list of nginx's versions simply from the download directory: http://nginx.org/download/ - I know that much.
By the way... DSS? Is anyone anywhere using DSS certificates on the internet anymore? (And would they still be 1024-bit?) Let alone anyone who might actually read configuration advice? I didn't see any hosts presenting one last time I ran a survey, but I wouldn't swear to that being complete (maybe they only present it to certain clients?).
It's a tricky thing to do because of all the possible versions of all the possible web servers. The dropdown would end up being rather long, and require maintaining a list in the code. And then there's distribution specific backports, etc...
So we tabled this problem for now and went with a free field, but please do open a github issue and we'll add look for ways to do it.
I'd suggest the dropdown re-populate based on the server selected and be based on the cutoffs you use for the different configurations it generates. So, if you select Apache, it'd give you something like 1.x, 2.1.0 - 2.2.x, 2.3.x, etc based on which versions share configurations.
Well, for the GP the 'feature' might be to allow a 'latest' version string already?
Keeping track of each released version is probably a huge pain in the .. back. But 'latest' (which isn't selected for openssl for me, for example: It shows 0.9.8.h atm) might already help to get the most fitting configuration for the current set of software?
I assume you don't care about individual releases _unless_ they change the configuration syntax/offer different cipher options?
FYI the Moz ciphers are slightly better than the iojs ciphers (which are in turn a lot better than node 0.12), by prioritising GCM (which doesn't have any known attacks).
Random other fact: since GCM is only available with 128 bit AES in most current browsers, Moz prefer 128 bit AES GCM over 256 bit AES with CBC.
SSL Labs don't make the same distinction and require 256 bit crypto to get a perfect 'Cipher strength' score. Moz is right (and you should use their config), but the difference in opinion is interesting.
We've had a long and detailed discussion on the dev-tech-crypto mailing list about the preferred ordering for Firefox and, subsequently, for the server side guidelines. It's worth a read if you're into these sort of things http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.or...
EDIT: Taken care of, thanks jvehent! Original: Interestingly, it looks like someone made three edits to the on March 16th (to make the same change to three different sections) and one of them was reverted but not the others. Can someone with a Mozilla Wiki account contact the maintainer for that page and ask them to verify that was intentional? I'd do it myself but I don't want to request an account (effectively) just to send a PM.
Is it safe to reuse the same Diffie-Hellman parameter across multiple domains with different certificates/keys?
Not that this generator does it but if you host more than one site, it's more convenient to specify ssl_dhparam (also stapling, ssl_ciphers, etc.) in http{}, and only add certificate/key in server{}.
Diffie-Hellman requires the group order to have at least one large prime factor: if it has only small prime factors, Silver–Pohlig–Hellman could recover keys, and that'll make you a sad panda. The easiest way to ensure this is to select a Sophie Germain prime q with 2q+1 also being prime (a "safe prime"), of about the right size. Any base g can then be used - almost always 2 - which then generates a subgroup of large prime order q, problem solved.
The problem is that testing for safe primality is way too slow (as you may have noticed while running openssl dhparam!) for TLS clients to test DHE parameters presented to them. So… they don't. The risk is (I'm not totally clear if the Finished master-secret might prevent this, but there certainly isn't as much transcript hashing as I'd like!) an attacker could perhaps trick TLS parties into accepting bad parameters: too small; small factors; hell, maybe even composite.
The solution is currently in draft, and is to have carefully-selected, standard Diffie-Hellman parameters that are known safe primes, starting from 2048-bit and going up (don't use <2048-bit, just… don't - please don't use 1024-bit!), using essentially the same negotiation as that used with the supported-curves extension. https://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-f... It's the same approach used by many other protocols, including SSH and IKE.
I gather TLS 1.3 will remove the ability for server-defined Diffie-Hellman parameters completely for this reason.
However, ECDHE is strongly technically superior to DHE: ECDHE using secp256r1 is at around ≈128-bit workfactor, equivalent to broadly ≈3072-bit DHE, but is much faster and smaller and doesn't have these problems (it can have different problems, but not these problems!).
And coming up soon (via the CFRG sausage-machine) hopefully TLS will soon have djb's Curve25519 (the curve, and the key agreement function now known as X25519), which is roughly the same ≈128-bit strength but really fast - and much simpler to safely implement, even in constant-time. You probably want to use that or ECDHE, not DHE, which is a little hairier than it sounds. Indeed, quite a few people are using it already (notably OpenSSH).
This is a fantastic comment! Thank you for posting it.
I'd note that many of us don't have a choice and must still use 1024 bits DHE parameters because of java 6 clients. It's unfortunate, and we hope they go away very very soon so we can upgrade to 2048 bits.
From what I read, yes. Your libssl already comes with a built-in one that's reused almost everywhere. If you want to generate your own, you can make it public, but realistically, if you don't trust your libssl to provide a good dhparam, why trust it to do anything else?
AFAIK it's also impossible to get an A+ if you want to support older browsers and OSs (the intermediate and old settings from this site) due to BEAST. Seems like XP, Vista, and IE <= 9 were all affected by using the modern cypher suite from Mozilla (they all got a F).
I wasn't able to find a way to do server-side BEAST mitigation that didn't involve re-enabling RC4 ciphers (which is a far worse option). SSLLabs automatically downgrades any site that doesn't do BEAST mitigation to an A-.
I also was unable to get forward-secrecy working with all reference browsers using the intermediate setting.
Turns out I was remembering wrong. The A- downgrade was from not supporting forward-secrecy in all reference browsers which is an issue with openssl than the recommended cipher suites.
I think it is impossible to max out the various bars in the bar graph with these configurations (at least up to intermediate), but you can easily get A+ with latest stable nginx and intermediate config.
It should, or 'TLS/SSL'. But so many people - even in tech - still use 'SSL' as a synonym for 'PKI on the web' that it's better to be understood than correct (and yes it's a bit sad).
Each of the tools involved refer to their the overall https configuration as SSL.
Even if it's not the protocol which is being used, it's a reasonable choice for the tool name.
haproxy 1.5 supports SSL, and some people do use it as a frontend now.
A single core process won't be able to keep up with SSL handshakes though, since one core can only do around 500 RSA 2048-bit sign/s. Session resumption will help a lot, but I would still want to distribute RSA operations over multiple cores.
One comment that we get very often regards the ordering of the recommended ciphersuite. We've made some choices that are documented in [2] such as, for example, preferring AES 128 to 256 or maintaining compatibility with CAMELLIA and DES-CBC3-SHA in the intermediate configuration. The best place to discuss these choices is probably the `talk` section of the wiki page [3].
[1] https://wiki.mozilla.org/Security/Server_Side_TLS [2] https://wiki.mozilla.org/Security/Server_Side_TLS#Prioritiza... [3] https://wiki.mozilla.org/Talk:Security/Server_Side_TLS