
Hello HN, author of Server Side TLS [1] and co-maintainer of the conf generator here. Thanks for pushing this tool to the front page :) We've been improving our guidelines and this generator for the past year and a half, and while it is in pretty good shape, we always welcome comments and pull requests.

One comment that we get very often regards the ordering of the recommended ciphersuites. We've made some choices that are documented in [2] such as, for example, preferring AES 128 to 256 or maintaining compatibility with CAMELLIA and DES-CBC3-SHA in the intermediate configuration. The best place to discuss these choices is probably the `talk` section of the wiki page [3].

[1] https://wiki.mozilla.org/Security/Server_Side_TLS
[2] https://wiki.mozilla.org/Security/Server_Side_TLS#Prioritiza...
[3] https://wiki.mozilla.org/Talk:Security/Server_Side_TLS
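The post above mentions three properties of the recommended list that operators tend to ask about: AES-128 ordered ahead of AES-256, and CAMELLIA and DES-CBC3-SHA retained in the intermediate profile for compatibility (with DSS suites slated for removal, as noted further down the thread). The following lint is an added example, not code from the Mozilla generator or wiki: it takes an explicit OpenSSL-style cipher string, reports any DSS, 3DES and CAMELLIA suites it contains, and says whether the first AES-128 suite precedes the first AES-256 suite. The sample list is constructed to exercise those cases and is not the wiki's actual recommendation.

```python
"""Lint an explicit OpenSSL-style cipher list for the properties discussed
in the thread: DSS suites, DES-CBC3 (3DES) and CAMELLIA suites, and the
relative order of AES-128 and AES-256 suites.

Added example; not the Mozilla server-side-tls generator's code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample list (shape only; not copied from the Mozilla wiki).
SAMPLE_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:DES-CBC3-SHA"
)


@dataclass
class CipherReport:
    suites: List[str]        # explicit suite names, in configured order
    keywords: List[str]      # OpenSSL keywords/operators that were not expanded
    dss: List[str]           # suites authenticated with DSS
    triple_des: List[str]    # DES-CBC3 (3DES) suites
    camellia: List[str]      # CAMELLIA suites
    aes128_before_aes256: Optional[bool]  # None when either family is absent


def parse_cipher_list(spec: str) -> Tuple[List[str], List[str]]:
    """Split an OpenSSL cipher string into explicit suite names and keywords.

    OpenSSL accepts ':', ',' and whitespace as separators. Tokens with an
    operator prefix ('!', '-', '+'), the '@' sort directive, or no '-' at all
    (ALL, HIGH, aNULL, ...) are keywords whose expansion depends on the
    OpenSSL build, so they are reported rather than interpreted here.
    """
    tokens = [t for t in re.split(r"[:,\s]+", spec) if t]
    suites: List[str] = []
    keywords: List[str] = []
    for tok in tokens:
        if tok[0] in "!-+@" or "-" not in tok:
            keywords.append(tok)
        else:
            suites.append(tok)
    return suites, keywords


def lint_ciphers(spec: str) -> CipherReport:
    """Classify the explicit suites in `spec` and check AES-128/256 ordering."""
    suites, keywords = parse_cipher_list(spec)
    dss: List[str] = []
    triple_des: List[str] = []
    camellia: List[str] = []
    for suite in suites:
        parts = suite.split("-")
        if "DSS" in parts:
            dss.append(suite)
        if "CBC3" in parts or "3DES" in parts:
            triple_des.append(suite)
        if any(p.startswith("CAMELLIA") for p in parts):
            camellia.append(suite)

    first_128 = next((i for i, s in enumerate(suites) if "AES128" in s), None)
    first_256 = next((i for i, s in enumerate(suites) if "AES256" in s), None)
    if first_128 is None or first_256 is None:
        ordered = None
    else:
        ordered = first_128 < first_256
    return CipherReport(suites, keywords, dss, triple_des, camellia, ordered)


if __name__ == "__main__":
    report = lint_ciphers(SAMPLE_CIPHERS)
    print(f"{len(report.suites)} explicit suites, {len(report.keywords)} keywords")
    print("DSS suites:              ", report.dss)
    print("3DES suites:             ", report.triple_des)
    print("CAMELLIA suites:         ", report.camellia)
    print("AES-128 ahead of AES-256:", report.aes128_before_aes256)
```

The lint only reads the string; it does not know which suites a particular OpenSSL build actually implements. For a list built from keywords such as HIGH or !aNULL, expand it first with `openssl ciphers -v '<spec>'` on the target host and feed the resulting suite names to `lint_ciphers`.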




Feature request: can openssl version and nginx version be dropdowns? For example, I know I'm on latest stable nginx, but I don't know what exact version number it is, and it's not obvious that the configuration will change if you update these values.


@IgorPartola, sure thing (author of the conf generator here)! Go ahead and request it here ( https://github.com/mozilla/server-side-tls/issues ) and if you've got a lead on a canonical list of versions to work from that would help.


You can find a list of nginx's versions simply from the download directory: http://nginx.org/download/ - I know that much.

By the way... DSS? Is anyone anywhere using DSS certificates on the internet anymore? (And would they still be 1024-bit?) Let alone anyone who might actually read configuration advice? I didn't see any hosts presenting one last time I ran a survey, but I wouldn't swear to that being complete (maybe they only present it to certain clients?).


DSS will be removed in a future version of the ciphersuites. I believe support is being removed from Firefox too.


It's a tricky thing to do because of all the possible versions of all the possible web servers. The dropdown would end up being rather long, and require maintaining a list in the code. And then there's distribution specific backports, etc...

So we tabled this problem for now and went with a free field, but please do open a github issue and we'll look for ways to do it.


I'd suggest the dropdown re-populate based on the server selected and be based on the cutoffs you use for the different configurations it generates. So, if you select Apache, it'd give you something like 1.x, 2.1.0 - 2.2.x, 2.3.x, etc based on which versions share configurations.


Well, for the GP the 'feature' might be to allow a 'latest' version string already?

Keeping track of each released version is probably a huge pain in the .. back. But 'latest' (which isn't selected for openssl for me, for example: It shows 0.9.8.h atm) might already help to get the most fitting configuration for the current set of software?

I assume you don't care about individual releases _unless_ they change the configuration syntax/offer different cipher options?


That's a valid point. I'd suggest capturing it in the issue https://github.com/mozilla/server-side-tls/issues/39

There's a number of edge cases but we can probably find a middle ground that works well enough for the general case.


Where can one submit bug reports for the generator? Is the code open sourced?

Edit: I submitted issue #38 for a UI improvement. https://github.com/mozilla/server-side-tls/issues/38



