Re: SSL Server setup DH/ECDH

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Yes , since in my case mostly browser will be used to access webserver running on embedded platform.
Another question, since my webserver is running on embedded platform and it has limited memory , I have disabled
ARIA/CAMELLIA  and few others, is that OK ? because I don't see any ciphers suites which is used in practice.



On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:


On 06/08/2019 11:07, Chitrang Srivastava wrote:
> Thanks Matt,
>
> So now I have, which i believe is enough ?
>
> SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION |
> SSL_OP_CIPHER_SERVER_PREFERENCE);
> SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION);

This is fine although it obviously prevents connections from very old clients
that don't support TLSv1.2. This might not be a problem for you depending on
your situation.

Matt

>
> On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <matt@xxxxxxxxxxx
> <mailto:matt@xxxxxxxxxxx>> wrote:
>
>
>
>     On 06/08/2019 09:42, Chitrang Srivastava wrote:
>     > Hi,
>     >
>     > I am implementing HTTPs server using openssl 1.1.1b.
>     > Is it mandatory to setup these API's while creating ssl context ?
>     >
>     > SSL_CTX_set_tmp_ecdh
>     >
>     > SSL_CTX_set_tmp_dh
>
>     By default OpenSSL will automatically use ECDH if appropriate and choose a
>     suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() unless you
>     want more control over which specific group is used.
>
>     OpenSSL will not use DH unless you specifically configure it. If you want to
>     make use of DH based ciphersuites then you must either call SSL_CTX_set_tmp_dh()
>     or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the former enables
>     you to configure any arbitrary DH group that you choose. Calling the latter will
>     enable the built-in DH groups.
>
>     It is not mandatory to call any of the above.
>
>     >
>     > Also any suggestion what all options one should set while setting up
>     server like
>     > SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3
>
>     Don't use the protocol version specific options at all. Use
>     SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol
>     version. SSLv2 is no longer supported at all. SSLv3 is compiled out by default.
>
>     Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and
>     (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need the others
>     unless there is a specific problem you are trying to solve.
>
>     Matt
>
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux