Changeset facbb08 in mod_gnutls


Timestamp:
Aug 12, 2020, 5:20:36 PM (16 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
asyncio, master
Children:
e080eef
Parents:
a66b5be
Message:

Update default priorities

This removes insecure and outdated things still included in the GnuTLS
priority set "NORMAL":

  • Plain RSA key exchange, which does not provide forward secrecy

Co-authored-by: Krista Karppinen <krista.celestia@…>

Files:
2 edited

  • doc/mod_gnutls_manual.md

    ra66b5be rfacbb08  
    206206MACs and compression methods
    207207
    208     GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
    209 
    210 Default: `NORMAL`\
     208    GnuTLSPriorities NORMAL:+CIPHER_0:-CIPHER_1:...:+CIPHER_N
     209
     210Default: `NORMAL:-RSA:-VERS-TLS1.0:-VERS-TLS1.1`\
    211211Context: server config, virtual host
    212212
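
Review bot: The syntax line at new line 208 still builds on bare `NORMAL`, while the default at new line 210 is now `NORMAL:-RSA:-VERS-TLS1.0:-VERS-TLS1.1`. An administrator who sets `GnuTLSPriorities` by following the syntax line supplies a complete priority string, so the three removals in the default no longer apply and plain RSA, TLS 1.0 and TLS 1.1 come back. Suggest stating this next to the default, or writing the syntax line on top of the default string.
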
     
    216216[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
    217217
    218 For example, to disable TLS 1.0 use `NORMAL:-VERS-TLS1.0`.
     218Plain RSA, without (EC-)DH, is disabled by default because it doesn't
     219provide forward secrecy, TLS 1.0 and 1.1 have been deprecated as
     220insecure for a long time and are now disabled in most modern web
     221browsers.
    219222
    220223### GnuTLSP11Module
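
Review bot: The added sentence at new lines 218 to 221 is a comma splice: "...forward secrecy, TLS 1.0 and 1.1 have been deprecated..." joins two independent reasons. Split it after "forward secrecy" so the RSA rationale and the protocol version rationale read as separate statements. The hunk also drops the only concrete priority string example visible in this part of the section (`NORMAL:-VERS-TLS1.0`); consider keeping one example, written on top of the new default.
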
     
    515518methods for proxy connections
    516519
    517     GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
    518 
    519 Default: `NORMAL`\
     520    GnuTLSProxyPriorities NORMAL:+CIPHER_0:-CIPHER_1:...:+CIPHER_N
     521
     522Default: `NORMAL:-RSA:-VERS-TLS1.0:-VERS-TLS1.1`\
    520523Context: server config, virtual host
    521524
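
Review bot: New line 522 documents `NORMAL:-RSA:-VERS-TLS1.0:-VERS-TLS1.1` as the default for `GnuTLSProxyPriorities` as well, but the only code change in this changeset is the `MGS_DEFAULT_PRIORITY` define in `src/gnutls_util.h`. Please confirm the proxy code path takes its default from that macro; if it has its own default, this line is wrong. The default string is now also written out twice in the manual and once in the header, so a later change has three places to keep in sync.
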
     
    796799```
    797800
    798 This gives you an HTTPS site using the GnuTLS `NORMAL` set of
    799 ciphersuites. OCSP stapling will be enabled if the server certificate
    800 contains an OCSP URI, `conf/tls/site1_cert_chain.pem` contains the
    801 issuer certificate in addition to the server's, and
     801This gives you an HTTPS site using the default set of cipher suites
     802(see [`GnuTLSPriorities`](#gnutlspriorities)). OCSP stapling will be
     803enabled if the server certificate contains an OCSP URI,
     804`conf/tls/site1_cert_chain.pem` contains the issuer certificate in
     805addition to the server's, and
    802806[mod\_socache\_shmcb](http://httpd.apache.org/docs/current/en/mod/mod_socache_shmcb.html)
    803807is loaded.
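
Review bot: The link target `#gnutlspriorities` at new line 802 relies on the Markdown converter generating a lowercase id for the `GnuTLSPriorities` heading. Please check that the link resolves in the rendered manual.
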
  • src/gnutls_util.h

    ra66b5be rfacbb08  
    11/*
    2  *  Copyright 2016-2019 Fiona Klute
     2 *  Copyright 2016-2020 Fiona Klute
    33 *
    44 *  Licensed under the Apache License, Version 2.0 (the "License");
     
    2727
    2828/** Default GnuTLS priority string for mod_gnutls */
    29 #define MGS_DEFAULT_PRIORITY "NORMAL"
     29#define MGS_DEFAULT_PRIORITY "NORMAL:-RSA:-VERS-TLS1.0:-VERS-TLS1.1"
    3030
    3131/** maximum allowed length of one header line */
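
Review bot: The changeset edits only the manual and this header ("Files: 2 edited"), so nothing here checks the new default at line 29. A test that a handshake limited to TLS 1.0, TLS 1.1 or plain RSA key exchange is refused under the default configuration would catch a regression in the macro. The doc comment at line 28 could also say why the three items are removed from `NORMAL`, or point to the manual section.
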