
[mod_openssl] Allow to selectively disable TLS 1.0, 1.1 and 1.2 versions #84

Closed. Wants to merge 1 commit into base: master.

lima-j commented Aug 16, 2017

Up until now, lighttpd allowed disabling SSLv2 and SSLv3 through the ssl.use-sslv2 and ssl.use-sslv3 lighttpd.conf options; however, the same was not offered to selectively disable TLS versions.

On the lighttpd forum, only enabling the TLS 1.2 ciphers is suggested as a mitigation to disable TLS 1.0 (https://redmine.lighttpd.net/boards/2/topics/5797); however, that disables TLS 1.1 as well.

This patch adds the option to selectively disable the TLS versions (using OpenSSL's SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2 parameters), without having to change the cipher suite configuration, by adding the ssl.use-tlsv10, ssl.use-tlsv11 and ssl.use-tlsv12 lighttpd.conf options.

Member

gstrauss commented Aug 20, 2017

Thanks for the patch. However, I'm looking to combine these directives into a single directive rather than having an ever-increasing number of directives to manage "allowed SSL/TLS versions". I might have some time to prototype something in Sept, but you're more than welcome to have a go at it.

lima-j commented Aug 21, 2017

Hi Glenn,

Thanks for your response. I assume that you won't accept this patch then, is that correct?

Could you elaborate a bit on what you envision for that single directive thingy? I can try to give it a look in the meantime, if it is of any help to you.

lima-j commented Oct 3, 2017

Hi Glenn,

I haven't got a response from you to my previous message.

I may have some time to contribute a definitive fix for this issue, if you're not going to accept the one I'm pulling here, but would like to hear more from you on what you expect it to be.

Member

stbuehler commented Oct 3, 2017

Not sure what @gstrauss has in mind, but maybe something based on SSL_CONF_* (see https://wiki.openssl.org/index.php/Manual:SSL_CONF_cmd(3)).

Member

gstrauss commented Oct 4, 2017

@lima-j sorry I have not had a chance to get to this yet. Yes, @stbuehler is on the mark. Rather than a growing list of directives to address the multitude of options, I'd like to provide some interface to something like https://wiki.openssl.org/index.php/Manual:SSL_CONF_cmd(3)

Member

gstrauss commented Nov 5, 2017

@lima-j please have a look at gstrauss@c09acbe for new, experimental ssl.openssl.ssl-conf-cmd directive
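The two designs discussed in this thread, side by side: the per-version ssl.use-tlsv10/11/12 directives from the PR description, and a single SSL_CONF_cmd "Protocol"-style value as suggested by stbuehler and gstrauss, both reduced to the same OpenSSL SSL_OP_NO_* option bits. This is an added example using Python's stdlib ssl module (which wraps OpenSSL), not lighttpd code and not the commit linked above; the directive parser and the Protocol-string handling are this example's own assumptions about the syntax.

```python
import ssl
import warnings

# OpenSSL SSL_OP_NO_* flags as exposed by Python's ssl module, keyed by the
# per-version lighttpd.conf directives proposed in the PR (this mapping is assumed here).
DIRECTIVE_FLAGS = {
    "ssl.use-tlsv10": ("TLSv1", ssl.OP_NO_TLSv1),
    "ssl.use-tlsv11": ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    "ssl.use-tlsv12": ("TLSv1.2", ssl.OP_NO_TLSv1_2),
}
# Version names as used by the SSL_CONF_cmd "Protocol" command, mapped to the same flags.
PROTOCOL_FLAGS = {name: flag for name, flag in DIRECTIVE_FLAGS.values()}


def disabled_from_directives(conf_text):
    """Parse `ssl.use-tlsvXX = "enable"|"disable"` lines; return the set of disabled versions."""
    disabled = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in DIRECTIVE_FLAGS:
            value = value.strip('"')
            if value not in ("enable", "disable"):
                raise ValueError(f'{key}: expected "enable" or "disable", got {value!r}')
            if value == "disable":
                disabled.add(DIRECTIVE_FLAGS[key][0])
    return disabled


def disabled_from_protocol_cmd(value):
    """Interpret a Protocol value such as "-TLSv1,-TLSv1.1,+TLSv1.2" ('-' disables, '+' enables)."""
    disabled = set()
    for token in value.split(","):
        sign, name = token.strip()[:1], token.strip()[1:]
        if sign not in ("+", "-") or name not in PROTOCOL_FLAGS:
            raise ValueError(f"unsupported Protocol token {token!r}")
        if sign == "-":
            disabled.add(name)
        else:
            disabled.discard(name)
    return disabled


def build_context(disabled):
    """Set the SSL_OP_NO_* bit for every disabled version on a fresh server context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        # Python >= 3.10 deprecates OP_NO_TLSv1* in favour of minimum_version; the bits still apply.
        warnings.simplefilter("ignore", DeprecationWarning)
        for name in disabled:
            ctx.options |= PROTOCOL_FLAGS[name]
    return ctx


def disabled_versions(ctx):
    """Read the option bits back from the context, i.e. what OpenSSL will actually enforce."""
    return sorted(name for name, flag in PROTOCOL_FLAGS.items() if ctx.options & flag)
```

Reading the bits back with disabled_versions() is the check worth keeping in a deployment: it confirms the configured directives reached the SSL_CTX rather than trusting the config file alone.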

lima-j commented Dec 5, 2017

@gstrauss it looks good, thanks for letting me know!!
