Dear Gustaf!

It is working now (an A+) with my nsssl setup[1]. I had to:
  - Include the StartSSL certificates in certificado.pem, in this order:
     Server Certificate
     Subclass Certificate
     Root Certificate
     Private Key
     DH parameters
  - HEAD installation (I use hg pull / hg update in the nsssl module)


Thanks!
Cesáreo



[1] #---------------------------------------------------------------------
# SSL module configuration
#  https://bitbucket.org/naviserver/nsssl
#---------------------------------------------------------------------

ns_section    "ns/server/${server}/module/nsssl"
        ns_param                certificate     $serverroot/etc/certificado.pem

        # As in https://wiki.mozilla.org/Security/Server_Side_TLS
        ns_param                ciphers         "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"

        # SSLv3 was still accepted by SSL Labs at the time of this thread;
        # it has since been deprecated (RFC 7568).
        ns_param                protocols       "SSLv3, TLSv1"
        ns_param                verify          0

        # Sends the HSTS header on every https reply (attribute/value list).
        ns_param                extraheaders    { Strict-Transport-Security
                                                  "max-age=31536000; includeSubDomains" }



On 24/April/14 04:28, Gustaf Neumann wrote:
> Dear Cesáreo,
>
> Concerning the chain issue: the .pem file can/should contain multiple
> certificates (the chain). Instructions on how to obtain the chain are
> usually available from your certificate provider:
>
> http://superuser.com/questions/644343/how-do-you-fix-an-incomplete-ssl-chain
> http://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor
>
> From the Qualys report for your site, it seems as if you have not yet
> configured HTTP Strict Transport Security correctly (see
> next-scripting.org for an example). Note that you have to update and
> install NaviServer to the tip version for this feature. When you connect
> to your site via https, check via e.g. Firebug whether it sends the line
> "Strict-Transport-Security: max-age=31536000; includeSubDomains" in the
> response.
>
> all the best
> -gustaf neumann
>
> On 22.04.14 16:23, Cesáreo García Rodicio wrote:
>> Gustaf,
>>
>> Amazing work! I built nsssl 0.6 and added extraheaders, and it seems to
>> work fine.
>>
>> But I still have some "chain issues" (I only get an A rating, not A+).
>>
>> Do I have to add, I mean "echo whatever >> certificate.pem", to
>> certificate.pem?
>>
>> On 12/April/14 14:54, Gustaf Neumann wrote:
>>> One more update: There is now an additional feature in NaviServer that
>>> allows a site admin to add extra reply header fields with little effort.
>>> The nssock and nsssl drivers accept a new parameter, extraheaders, which
>>> contains an attribute/value list of extra reply header fields. By using e.g.
>>>
>>>        ns_section    ns/server/${servername}/module/nsssl
>>>        ...
>>>        ns_param      extraheaders { Strict-Transport-Security
>>>                                     "max-age=31536000; includeSubDomains" }
>>>        ...
>>>
>>> one can activate HTTP Strict Transport Security (HSTS) for https
>>> connections. With this activated, one can obtain an "A+" rating with
>>> NaviServer + ssl from Qualys SSL Labs.
>>>
>>> all the best
>>> -gustaf neumann
>>>
>>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>>> http://dev.chromium.org/sts
>>> https://tools.ietf.org/html/rfc6797
>>>
>>> On 10.04.14 11:53, Gustaf Neumann wrote:
>>>> Dear Friends,
>>>>
>>>> the bitbucket repository contains a new version of the nsssl module of
>>>> NaviServer that makes it easier to obtain an "A" rating from Qualys SSL
>>>> Labs with current versions of openssl by supporting more ciphers.
>>>>
>>>> All the best
>>>> -gustaf neumann
>>>>
>>>> New in Version 0.5:
>>>> - Support for Elliptic Curve Cryptography
>>>>     (such as Elliptic Curve Diffie-Hellman (ECDH))
>>>> - Provide compiled-in defaults for DH parameters
>>>> - Handling several SSL and TLS bugs.
>>>> - Deactivated SSLv2
>>>>
>
>
>
> _______________________________________________
> naviserver-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
>
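
Two checks for the points this thread turns on: the layout of the concatenated certificado.pem (server certificate, intermediate, root, private key, DH parameters, in that order) and the Strict-Transport-Security line Gustaf asks to look for in the response. This is an added Python example, not code from the thread or from nsssl; it only inspects PEM BEGIN/END labels and a raw response head, and the sample bundle and response are constructed with placeholder bodies.

```python
import re
# Added example, not code from the thread or from nsssl. Sample data is constructed.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_labels(bundle: str) -> list[str]:
    """BEGIN labels in file order; the block contents are not inspected."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle)]

def check_bundle(bundle: str, chain_len: int = 3) -> list[str]:
    """Compare the bundle with the thread's order: server cert, intermediate,
    root, private key, DH parameters. An empty result means the layout matches."""
    labels = pem_labels(bundle)
    certs = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    keys = [i for i, l in enumerate(labels) if l in KEY_LABELS]
    dh = [i for i, l in enumerate(labels) if l == "DH PARAMETERS"]
    problems = []
    if len(certs) < chain_len:   # what SSL Labs reports as a "chain issue"
        problems.append(f"{len(certs)} certificate(s), expected {chain_len}: chain issue")
    if certs != list(range(len(certs))):
        problems.append("certificates must come first, in one contiguous run")
    if len(keys) != 1:
        problems.append(f"expected one private key block, found {len(keys)}")
    elif certs and keys[0] < certs[-1]:
        problems.append("the private key must follow the certificate chain")
    if dh and keys and dh[0] < keys[0]:   # DH block is optional, but goes last
        problems.append("DH parameters belong after the private key")
    return problems

def hsts_ok(response_head: str, min_age: int = 31536000) -> bool:
    """True if the raw response head has Strict-Transport-Security with
    max-age >= min_age and includeSubDomains, the values used in the thread."""
    for line in response_head.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "strict-transport-security":
            continue
        directives = [d.strip().lower() for d in value.split(";")]
        ages = [d[8:] for d in directives if d.startswith("max-age=")]
        return (bool(ages) and ages[0].isdigit() and int(ages[0]) >= min_age
                and "includesubdomains" in directives)
    return False

# Constructed sample data: the base64 bodies are placeholders, not real material.
def pem_block(label: str) -> str:
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

GOOD_BUNDLE = pem_block("CERTIFICATE") * 3 + pem_block("RSA PRIVATE KEY") + pem_block("DH PARAMETERS")
INCOMPLETE_BUNDLE = pem_block("CERTIFICATE") + pem_block("RSA PRIVATE KEY")  # server cert only
RESPONSE_HEAD = ("HTTP/1.1 200 OK\r\nServer: NaviServer\r\n"
                 "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
```

Run check_bundle on the real certificado.pem (read as text) before restarting the server; a non-empty list corresponds to the "chain issues" the thread describes.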
