Server Side TLS 5.0 #255

Merged
merged 8 commits into from Jun 28, 2019

@april
Contributor

commented Jun 25, 2019

Fixes #217, #211, #191, and #178.

april added some commits Jun 25, 2019

@april april referenced this pull request Jun 26, 2019

Closed

Server Side TLS v5.0 #178

@april april referenced this pull request Jun 26, 2019

Closed

Server Side TLS v5.0 #183

The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. Each level shows the list of algorithms returned by its ciphersuite. If you have to pick ciphers manually for your application, make sure you keep the ordering.

The ciphersuite numbers listed come from the IANA [https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 TLS Cipher Suite Registry]. Previous versions of these recommendations included draft numbers for ECDHE-ECDSA-CHACHA20-POLY1305 (0xCC,0x14) and ECDHE-RSA-CHACHA20-POLY1305 (0xCC,0x13).
<p style="max-width: 60em;">OpenSSL will ignore cipher suites it doesn't understand, so always use the full set of cipher suites below, in their recommended order. The use of the <span style="color: gray; font-weight: bold;">Old</span> configuration with modern versions of OpenSSL may require custom builds with support for SSLv3 and deprecated ciphers.</p>
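Review bot: The sentence about draft ciphersuite numbers gives only the retired values, (0xCC,0x14) and (0xCC,0x13), and does not say that the numbers now listed are the registered ones, so a reader comparing against an older configuration cannot tell which set is current. Suggest ending that sentence with a clause stating that the numbers listed are the final IANA assignments. In the `<p>` line, "custom builds with support for SSLv3 and deprecated ciphers" does not say which ciphers depend on the SSLv3 build option; naming them would keep the sentence from reading as advice to enable the SSLv3 protocol itself.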

@nmxcgeo

nmxcgeo Jun 28, 2019

Why do you mention enabling SSLv3 via custom builds, when SSLv2 and SSLv3 will be abandoned by this guide after this PR is merged? However, a custom OpenSSL build for TLSv1.0 and TLSv1.1 might be necessary (e.g. for upcoming Debian 10).

@april

april Jun 28, 2019

Author Contributor

Because you have to enable SSLv3 in the build to get access to 3DES. :)

@april

april Jun 28, 2019

Author Contributor

That said, I can see how that would be confusing, so I'll trim it up a little bit.

april added some commits Jun 28, 2019

@april april merged commit 12fda41 into mozilla:gh-pages Jun 28, 2019

@april

Contributor Author

commented Jun 28, 2019

Thanks for everyone's hard work on this. It's been a long journey, but we finally got there. :)

april added a commit to april/server-side-tls that referenced this pull request Jul 1, 2019
