apache2 tls config with recent attacks in mind
wasuptls

The goal of wasuptls is to provide an Apache2 configuration for websites that handle sensitive data. It must work today and must not exclude any users; instead, users with unsafe browsers should be warned. wasuptls should be easy to embed in existing websites.

The project consists of three parts, which are meant to be used together:

  • Apache2 config file
  • Server-side script that exports the negotiated TLS information
  • Client-side script that warns users with unsafe browsers

The logic lies in the combination of the Apache configuration and the JS; the server-side script is just glue.

Decisions

  • Based on stable software (Debian wheezy, OpenSSL 1.0.1e and Apache 2.4)
  • TLS information is exported via SSI, but this is easy to do in any language
  • BEAST is considered to be mitigated client-side; the priority is forward secrecy, so no RC4
  • Prefer ECDHE over DHE
  • HTTP Strict Transport Security
  • No key pinning, as it isn't stable at the moment
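As an added example (not code from the wasuptls repository), the following client-side check applies the decisions above to the values Apache's mod_ssl exposes as SSL_PROTOCOL and SSL_CIPHER (OpenSSL cipher names), which the project exports via SSI. The function names, the exact warning conditions and the sample values are assumptions; how the project itself passes the values into the page is not shown here.

```javascript
// Added example, not code from the wasuptls repository. Decides whether the
// client-side warning should be shown, given the protocol and OpenSSL cipher
// name Apache exposes as SSL_PROTOCOL / SSL_CIPHER. Names are assumptions.

// OpenSSL cipher-name prefixes whose key exchange provides forward secrecy.
// ECDHE is listed first because the server config prefers it over DHE.
const FORWARD_SECRET_PREFIXES = ["ECDHE-", "DHE-"];

function hasForwardSecrecy(cipher) {
  return FORWARD_SECRET_PREFIXES.some((prefix) => cipher.startsWith(prefix));
}

// Returns an array of reasons to warn; an empty array means the connection
// matches the project's goals (no obsolete protocol, forward secrecy, no RC4).
function assessConnection(protocol, cipher) {
  const reasons = [];
  if (protocol === "SSLv2" || protocol === "SSLv3") {
    reasons.push("obsolete protocol " + protocol);
  }
  if (/RC4/.test(cipher)) {
    reasons.push("RC4 negotiated");
  }
  if (!hasForwardSecrecy(cipher)) {
    reasons.push("no forward secrecy: " + cipher);
  }
  // BEAST (CBC ciphers on TLS 1.0) is treated as mitigated client-side,
  // so it deliberately produces no warning here.
  return reasons;
}

// Text a page would display in its warning banner; empty string = no banner.
function warningText(protocol, cipher) {
  const reasons = assessConnection(protocol, cipher);
  if (reasons.length === 0) return "";
  return "Your browser negotiated a weak TLS connection (" +
    reasons.join("; ") + "). Please update your browser.";
}

// Constructed sample values in the format mod_ssl exports.
const SAMPLES = [
  ["TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"],  // fine
  ["TLSv1",   "DHE-RSA-AES256-SHA"],           // fine (BEAST ignored)
  ["TLSv1",   "AES128-SHA"],                   // warn: plain RSA key exchange
  ["SSLv3",   "RC4-SHA"],                      // warn: three reasons
];
for (const [proto, cipher] of SAMPLES) {
  console.log(proto, cipher, "->", warningText(proto, cipher) || "ok");
}
```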

Benchmarks

Sources