On 06/08/2019 11:21, Chitrang Srivastava wrote: > Yes , since in my case mostly browser will be used to access webserver running > on embedded platform. > Another question, since my webserver is running on embedded platform and it has > limited memory , I have disabled > ARIA/CAMELLIA and few others, is that OK ? because I don't see any ciphers > suites which is used in practice. Yes, that should be fine. Matt > > > > On Tue, Aug 6, 2019 at 3:42 PM Matt Caswell <matt@xxxxxxxxxxx > <mailto:matt@xxxxxxxxxxx>> wrote: > > > > On 06/08/2019 11:07, Chitrang Srivastava wrote: > > Thanks Matt, > > > > So now I have, which i believe is enough ? > > > > SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION | > > SSL_OP_CIPHER_SERVER_PREFERENCE); > > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION); > > This is fine although it obviously prevents connections from very old clients > that don't support TLSv1.2. This might not be a problem for you depending on > your situation. > > Matt > > > > > On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell <matt@xxxxxxxxxxx > <mailto:matt@xxxxxxxxxxx> > > <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>> wrote: > > > > > > > > On 06/08/2019 09:42, Chitrang Srivastava wrote: > > > Hi, > > > > > > I am implementing HTTPs server using openssl 1.1.1b. > > > Is it mandatory to setup these API's while creating ssl context ? > > > > > > SSL_CTX_set_tmp_ecdh > > > > > > SSL_CTX_set_tmp_dh > > > > By default OpenSSL will automatically use ECDH if appropriate and choose a > > suitable group so there is no need to call SSL_CTX_set_tmp_ecdh() > unless you > > want more control over which specific group is used. > > > > OpenSSL will not use DH unless you specifically configure it. If you > want to > > make use of DH based ciphersuites then you must either call > SSL_CTX_set_tmp_dh() > > or SSL_CTX_set_dh_auto() (or the SSL_* equivalents). Calling the > former enables > > you to configure any arbitrary DH group that you choose. Calling the > latter will > > enable the built-in DH groups. > > > > It is not mandatory to call any of the above. > > > > > > > > Also any suggestion what all options one should set while setting up > > server like > > > SSL_CTX_set_options like SSL_OP_NO_SSLv2 |SSL_OP_NO_SSLv3 > > > > Don't use the protocol version specific options at all. Use > > SSL_CTX_set_min_proto_version() if you want to specify a minimum protocol > > version. SSLv2 is no longer supported at all. SSLv3 is compiled out by > default. > > > > Other options that are worth considering are SSL_OP_NO_RENEGOTIATION and > > (possibly) SSL_OP_CIPHER_SERVER_PREFERENCE. Generally you don't need > the others > > unless there is a specific problem you are trying to solve. > > > > Matt > > >
