[enh] ECDH Curves #454
@@ -19,6 +19,7 @@ server { | |||
ssl_certificate_key /etc/yunohost/certs/yunohost.org/key.pem; | |||
ssl_session_timeout 5m; | |||
ssl_session_cache shared:SSL:50m; | |||
ssl_ecdh_curve secp521r1:secp384r1:prime256v1; |
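Review bot: the `ssl_ecdh_curve secp521r1:secp384r1:prime256v1;` line is added without a comment naming the reference the curve list was taken from; put a one-line comment with the source above it so the choice can be re-checked later. The list also puts the largest curve first, so say whether that order is the intended preference, and check with `nginx -t` on each supported release that the packaged nginx and OpenSSL accept a colon-separated list of curves before merging.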
Uh could you elaborate on where those come from? For instance for the ciphers we cite the Mozilla source which is kinda trustable, since all those things are touchy security stuff...
Also how do you know this is related to the DH params? Does that mean we don't need the ssl_dhparam thingy at all? Or are those DH params but only for elliptic curve ciphers?
Just read this : https://wiki.mozilla.org/Security/Server_Side_TLS ;-)
It was just to change the description from just "security problem"...
It's not cyphers btw....
Alrighty, I just moved the instructions right next to the other cipher-related things, since that's the same reference ;)
Euh... but these are the same ECDH curves for the two... modern or intermediate... so I thought/think it's better to set it at the top. Like this the final user will be completely lost and perhaps not enable this.
I need a test on a Jessie server for the X25519 curve.
I don't think the X25519 works on Jessie. Can someone just add this line on his/her server just to check? It won't break the installation, for information.
OK, it's OK now.
LGTM
The problem
Solution
PR Status
How to test
Validation