Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Feature request: can openssl version and nginx version be dropdowns? For example, I know I'm on latest stable nginx, but I don't know what exact version number it is, and it's not obvious that the configuration will change if you update these values.



@IgorPartola, sure thing (author of the conf generator here)! Go and and request it here ( https://github.com/mozilla/server-side-tls/issues ) and if you've got a lead on a canonical list of versions to work from that would help.


You can find a list of nginx's versions simply from the download directory: http://nginx.org/download/ - I know that much.

By the way... DSS? Is anyone anywhere using DSS certificates on the internet anymore? (And would they still be 1024-bit?) Let alone anyone who might actually read configuration advice? I didn't see any hosts presenting one last time I ran a survey, but I wouldn't swear to that being complete (maybe they only present it to certain clients?).


DSS will be removed in a future version of the ciphersuites. I believe support is being removed from Firefox too.


It's a tricky thing to do because of all the possible versions of all the possible web servers. The dropdown would end up being rather long, and require maintaining a list in the code. And then there's distribution specific backports, etc...

So we tabled this problem for now and went with a free field, but please do open a github issue and we'll add look for ways to do it.


I'd suggest the dropdown re-populate based on the server selected and be based on the cutoffs you use for the different configurations it generates. So, if you select Apache, it'd give you something like 1.x, 2.1.0 - 2.2.x, 2.3.x, etc based on which versions share configurations.


Well, for the GP the 'feature' might be to allow a 'latest' version string already?

Keeping track of each released version is probably a huge pain in the .. back. But 'latest' (which isn't selected for openssl for me, for example: It shows 0.9.8.h atm) might already help to get the most fitting configuration for the current set of software?

I assume you don't care about individual releases _unless_ they change the configuration syntax/offer different cipher options?


That's a valid point. I'd suggest capturing it in the issue https://github.com/mozilla/server-side-tls/issues/39

There's a number of edge cases but we can probably find a middle ground that works well enough for the general case.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: