@voltone voltone commented Aug 5, 2018

See discussion in #700

lib/plug/ssl.ex Outdated
openssl dhparam -out dhparam.pem 4096
On a slow machine (e.g. a cheap VPS) this may take several hours. You may want
to run the command on a stong machine and copy the file over: the file does
Contributor

Typo: s/stong/strong/

Contributor Author

Oops, thanks!

@fertapric
Contributor

Is there any link we can provide to developers to get further information?

@voltone
Contributor Author

voltone commented Aug 5, 2018

OWASP, which we cited for the cipher suite selection, doesn't have all that much on the topic:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Prefer_Ephemeral_Key_Exchanges

There are various answers on https://crypto.stackexchange.com/ but they tend to be too academic/mathematical, or outdated. Similarly, the classical paper on the subject (https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf) makes interesting reading, but is probably not much practical help for most users.

I feel like the docs for Plug.SSL are getting a bit unwieldy, so perhaps we should consider moving some of the background and links to a guide on Hexdocs.

@josevalim
Member

@voltone this looks great! I think a Plug page on SSL best practices could also be very very welcome. Starting with the basics, mentioning the HTTP 2 requirement, and then talking about Plug.SSL as a plug and finally how to configure adapters (effectively Plug.SSL.configure/1) and common gotchas associated with it. If we have such a page, then I agree we could move this there. What do you think?

@josevalim
Member

I will merge this for now and we can open up a new issue to create the page. Thanks @voltone! ❤️ 💚 💙 💛 💜

@josevalim josevalim merged commit f5c26b3 into elixir-plug:master Aug 7, 2018