Dear all,

I'm using a wthttpd instance to serve a Wt app. I used https://www.ssllabs.com/ to test the quality of its security settings. So far, the highest achievable for wthttpd is an A-, because wthttpd is not forcing forward secrecy upon clients that do support it, but do not prefer it. The DH param option already helps, but is not sufficient.

My guess is that wthttpd will get proper support for forward secrecy if server-side ciphers are preferred (and use the ones that use Ephemeral Diffie-Hellman, DHE). The following would fix this:

Modify http/Configuration:
  * add a sslPreferServerCiphers() (a boolean) option

Modify http/Server, around "// HTTPS" and "int sslOptions":

    // Impose the server's cipher order so that (EC)DHE suites win over
    // a client's preferred static-RSA suites.
    if ( config.sslPreferServerCiphers() ) {
      SSL_CTX_set_options( native_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE );
    }

Thanks,
Rutger

_______________________________________________
witty-interest mailing list
witty-interest@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/witty-interest
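Added example, not from Rutger's post or from the Wt project: the same OpenSSL flag (SSL_OP_CIPHER_SERVER_PREFERENCE) driven by a boolean like the proposed sslPreferServerCiphers() option, here through Python's ssl module, plus a check that every enabled TLS 1.2 suite uses ephemeral (EC)DHE key exchange. The cipher strings are constructed for the example; Python already sets server cipher preference by default, so the False branch clears it explicitly.

```python
import ssl

# Constructed cipher string: only ephemeral (EC)DHE key exchange, so every
# TLS 1.2 suite the server can negotiate provides forward secrecy.
FS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"

# Key-exchange names reported by SSLContext.get_ciphers() for ephemeral suites.
EPHEMERAL_KX = ("kx-ecdhe", "kx-dhe")


def build_context(cipher_string, prefer_server_ciphers=True):
    """Server context with the given cipher list. The boolean mirrors the
    proposed sslPreferServerCiphers() switch and maps onto the same OpenSSL
    flag, SSL_OP_CIPHER_SERVER_PREFERENCE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    if prefer_server_ciphers:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        # Python enables the flag by default; clear it to model the "off" case.
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def prefers_server_ciphers(ctx):
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def non_forward_secret_ciphers(ctx):
    """Names of enabled TLS 1.2 suites whose key exchange is not ephemeral.
    TLS 1.3 suites are skipped: that protocol only has ephemeral key exchange."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and c["kea"] not in EPHEMERAL_KX]


def enforces_forward_secrecy(ctx):
    """Both conditions from the post: the server imposes its own order, and
    that order cannot fall back to a static-RSA suite a client might prefer."""
    return prefers_server_ciphers(ctx) and not non_forward_secret_ciphers(ctx)


if __name__ == "__main__":
    good = build_context(FS_CIPHERS)
    # kRSA selects static RSA key exchange: no forward secrecy.
    weak = build_context("kRSA+AESGCM", prefer_server_ciphers=False)
    print("hardened:", enforces_forward_secrecy(good), non_forward_secret_ciphers(good))
    print("static RSA:", enforces_forward_secrecy(weak), non_forward_secret_ciphers(weak))
```

To actually negotiate the DHE suites the server still needs DH parameters loaded (the "DH param option" from the post); ECDHE needs no such setup.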