Update ECDH curves recommended by Mozilla, now that we are on stretch #579

Merged
merged 2 commits into from Nov 27, 2018

liberodark commented Nov 22, 2018

Better security is option is not recommended.

The problem

...

Solution

...

PR Status

...

How to test

...

Validation

  • Principle agreement 0/2 :
  • Quick review 0/1 :
  • Simple test 0/1 :
  • Deep review 0/1 :
Update server.tpl.conf
For low CPU usage and better security

frju365 commented Nov 22, 2018

Can you add a description of the source and perhaps an example of an online conf which has removed it?

For the conf, I based my conf on this conf, but it doesn't remove this part.

@frju365 frju365 added this to In progress in Yunohost Security Nov 22, 2018

@@ -37,7 +37,7 @@ server {
# ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
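Review bot: the context at line 37 shows `# ssl_ecdh_curve secp521r1:secp384r1:prime256v1;` as a commented-out directive with no rationale next to it. If this is the list being enabled, record where it comes from (the discussion points to the Mozilla Server Side TLS page) in a comment beside the directive, and remove any leftover note about waiting for Stretch so the template does not carry stale guidance.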

alexAubin Nov 22, 2018


Note the comment here, which apparently was meant to be used once on Stretch...

@zamentur zamentur changed the title Update server.tpl.conf Remove ECDH curve or change it ? Nov 22, 2018

alexAubin commented Nov 23, 2018

Note that this was introduced in #454 initially, according to https://wiki.mozilla.org/Security/Server_Side_TLS, which is also the source for the cipher list currently used.

So I don't know who these probetech guys are, but again, naively I'd rather trust Mozilla on this...

frju365 commented Nov 23, 2018

But, we can perhaps enable stretch compatibility (the curves which were in comment)

alexAubin commented Nov 23, 2018

> But, we can perhaps enable stretch compatibility (the curves which were in comment)

Yes 👍

alexAubin commented Nov 27, 2018

So as discussed, we shall instead use the curves recommended by Mozilla, now that they are available on Stretch.

I'm yolomerging this as it was already agreed in previous PR (we just fell back to curves available on jessie while we were waiting for stretch)
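
An added example, not part of the original thread or of YunoHost's code: a small audit that finds every `ssl_ecdh_curve` line in an nginx template, separates commented-out lists from active ones, and checks each active curve name against the local TLS library, which is the availability question that kept the list commented out on jessie. The sample config is constructed, `secp999r1` is a deliberately invalid name, and the check reflects the OpenSSL linked into Python, which is assumed to match the one nginx uses.

```python
import re
import ssl

# Constructed sample: the commented-out line from the hunk context, plus a
# hypothetical active directive containing one invalid curve name.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    # ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    ssl_ecdh_curve secp384r1:prime256v1:secp999r1;
}
"""

# Group 1 is "#" when the directive is commented out, group 2 is the curve list.
DIRECTIVE = re.compile(r"^[ \t]*(#?)[ \t]*ssl_ecdh_curve[ \t]+([^;#]+);", re.MULTILINE)


def find_curve_directives(conf_text):
    """Return (active, curves) for every ssl_ecdh_curve line, commented or not."""
    found = []
    for match in DIRECTIVE.finditer(conf_text):
        active = match.group(1) == ""
        curves = [c for c in match.group(2).strip().split(":") if c]
        found.append((active, curves))
    return found


def curve_supported(name):
    """True if the TLS library linked into this Python can load the named curve."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ecdh_curve(name)
    except (ValueError, ssl.SSLError):
        return False
    return True


def audit(conf_text):
    """Summarise which curve lists are live and which names cannot be loaded."""
    report = {"active": [], "commented": [], "unsupported": []}
    for active, curves in find_curve_directives(conf_text):
        report["active" if active else "commented"].append(curves)
        if active:
            report["unsupported"] += [c for c in curves if not curve_supported(c)]
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An empty `active` list means nginx falls back to its default curve selection, and a non-empty `unsupported` list flags a template that should not be deployed on that host.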

@alexAubin alexAubin changed the title Remove ECDH curve or change it ? Update ECDH curves recommended by Mozilla, now that we are on stretch Nov 27, 2018

@alexAubin alexAubin added this to the 3.4.x milestone Nov 27, 2018

@alexAubin alexAubin merged commit 1906692 into YunoHost:stretch-unstable Nov 27, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

Yunohost Security automation moved this from In progress to Done Nov 27, 2018
