[arch-devops] HTTP/2 on Luna
Hi all,

I'd like to enable h2 on luna. Are there any objections? I have done this on my server already and it's pretty straightforward. We might need to adjust the ssl_ciphers configuration. ATM I use:

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com
On 08.05.2016 18:31, Pierre Schmitz wrote:
> I'd like to enable h2 on luna. Are there any objections?

If it doesn't cause any problems, no objection.

> ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

I hope those are already set.

> ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

This enables different ciphers than those published by bettercrypto.org which I believe we use. Especially it enables some DHE-DSS ciphers which I don't know anything about. I'm assuming it's a different name for DSA, but I wonder why those are not included in the bettercrypto suite. Additionally your suite would enable ECDHE-ECDSA ciphers which are also excluded by bettercrypto. Could you check why they specifically exclude them and if their reasoning matters for us?

The bettercrypto.org list is

    openssl ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA' | tr ":" "\n"

while yours is

    openssl ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | tr ":" "\n"

I also just eyeballed the lists. You may want to diff them just in case I missed something.

Florian
Regarding the cipher_list: As long as you don't intend to switch to something else and keep using RSA certs, you can exclude everything with *-DSS-* and *-ECDSA-* anyway; it's just useless bloat in the initial handshake.

FWIW, I copied (and trimmed, see above) the list from <https://weakdh.org/sysadmin.html>.

--byte
On 08.05.2016 18:31, Pierre Schmitz wrote:
> Hi all,
>
> I'd like to enable h2 on luna. Are there any objections? I have done this on my server already and it's pretty straightforward. We might need to adjust the ssl_ciphers configuration.

I just configured h2 on luna (bbs, wiki, aur). The cipher configuration is complicated. The HTTP/2 spec blacklists a bunch of ciphers. In the end I relied on what Mozilla recommends. It's a good balance if we don't want to exclude too many clients. See:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10&openssl=1.0.2&hsts=yes&profile=intermediate
http://http2.github.io/http2-spec/#rfc.section.9.2.2
https://www.ssllabs.com/ssltest/analyze.html?d=bbs.archlinux.org&hideResults=on

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com
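Added example, not code from the thread or from any of its participants: it expands the two cipher strings quoted above with the local OpenSSL through Python's ssl module (the same expansion the `openssl ciphers ... | tr` commands do), diffs the two lists, and flags the suites that HTTP/2 (RFC 7540 section 9.2.2) blacklists. The h2 check applies the construction rule the RFC states for its Appendix A list (no ephemeral key exchange, or no AEAD cipher) rather than the literal list, so the result depends on the OpenSSL build it runs against.

```python
"""Expand nginx ssl_ciphers strings with the local OpenSSL (what
`openssl ciphers '<string>'` prints) and check every suite against the
HTTP/2 TLS requirement of RFC 7540 section 9.2.2."""
import re
import ssl

# The two cipher strings quoted in the thread.
PIERRE = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
BETTERCRYPTO = ("EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:"
                "+CAMELLIA128:+AES128:+SSLv3:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:"
                "!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA")

def expand(cipher_string):
    """Suites OpenSSL selects for the string, in server preference order.
    TLS 1.3 suites are configured separately and always reported by
    get_ciphers(), so they are dropped to match the 2016-era lists."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def h2_allowed(cipher):
    """RFC 7540 9.2.2: HTTP/2 over TLS 1.2 must not use suites from the
    Appendix A blacklist, which (per the RFC's own note) is every suite
    without ephemeral key exchange or without an AEAD cipher. Parsed from
    OpenSSL's description, e.g. '... TLSv1.2 Kx=ECDH Au=RSA ... Mac=AEAD'."""
    desc = cipher["description"]
    kx = re.search(r"Kx=(\S+)", desc).group(1)   # ECDH / DH are the ephemeral forms
    mac = re.search(r"Mac=(\S+)", desc).group(1)  # AEAD for GCM and ChaCha20-Poly1305
    return kx in ("ECDH", "DH") and mac == "AEAD"

def compare(first, second):
    """Diff two cipher strings and list the h2-blacklisted suites of each."""
    a, b = expand(first), expand(second)
    names_a = [c["name"] for c in a]
    names_b = [c["name"] for c in b]
    return {
        "only_in_first": [n for n in names_a if n not in names_b],
        "only_in_second": [n for n in names_b if n not in names_a],
        "h2_blacklisted_first": [c["name"] for c in a if not h2_allowed(c)],
        "h2_blacklisted_second": [c["name"] for c in b if not h2_allowed(c)],
    }

if __name__ == "__main__":
    for key, names in compare(PIERRE, BETTERCRYPTO).items():
        print(key)
        for name in names:
            print("  " + name)
```

A CBC suite such as ECDHE-RSA-AES256-SHA384 shows up as blacklisted in both lists even though it has forward secrecy, which is the part of the h2 requirement that makes the cipher choice "complicated": the Mozilla intermediate profile keeps such suites for older clients and leaves it to the TLS negotiation to avoid them on h2 connections.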
participants (3): Florian Pritz, Jens Adam, Pierre Schmitz