
New default TLS options

Open · bigben93 opened this issue 2 years ago · 1 comment

I tested the default settings of the lua-http server with the testssl command. The worst problems:

Testing protocols via sockets except NPN+ALPN

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      offered (deprecated)
TLS 1.1    offered (deprecated)
TLS 1.2    offered (OK)
TLS 1.3    offered (OK): final
NPN/SPDY   not offered
ALPN/HTTP2 h2, http/1.1 (offered)

and

Testing vulnerabilities
[...]
Secure Client-Initiated Renegotiation   VULNERABLE (NOT ok), DoS threat
[...]

To fix these problems, the HTTPS server must be run with additional TLS flags: OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_RENEGOTIATION.

I think it would be a good idea to provide better security "out of the box".

bigben93 avatar Aug 23 '23 13:08 bigben93
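The configuration the report above calls for, as an added example that is neither code from the lua-http project nor from the issue: a lua-http HTTPS server whose luaossl context explicitly sets the three options named (OP_NO_TLSv1, OP_NO_TLSv1_1 and, where the OpenSSL build provides it, OP_NO_RENEGOTIATION) on top of lua-http's own `http.tls.new_server_context()` defaults. The certificate and key paths, the listening port 8443 and the `reply` handler are assumptions made for the example.

```lua
-- Added example (not lua-http project code): start a lua-http HTTPS server
-- with the deprecated protocol versions and client-initiated renegotiation
-- disabled on its TLS context. Assumes lua-http and luaossl are installed and
-- that a PEM certificate and key exist at the placeholder paths below.
local http_server  = require "http.server"
local http_headers = require "http.headers"
local http_tls     = require "http.tls"
local openssl_ssl  = require "openssl.ssl"
local openssl_pkey = require "openssl.pkey"
local openssl_x509 = require "openssl.x509"

local CERT_PATH = "/path/to/server-cert.pem" -- placeholder, not a real path
local KEY_PATH  = "/path/to/server-key.pem"  -- placeholder, not a real path

local function read_file(path)
  local f = assert(io.open(path, "rb"))
  local data = f:read("a")
  f:close()
  return data
end

-- Build the server context: start from lua-http's defaults, then add the
-- options the testssl report asks for. The OP_* values are distinct bits, so
-- adding them equals a bitwise OR and also works on Lua 5.1/LuaJIT, which
-- lack the `|` operator.
local function hardened_server_context()
  local ctx = http_tls.new_server_context()
  local opts = openssl_ssl.OP_NO_TLSv1 + openssl_ssl.OP_NO_TLSv1_1
  -- OP_NO_RENEGOTIATION is only exposed when luaossl was built against an
  -- OpenSSL that defines SSL_OP_NO_RENEGOTIATION (1.1.1 and newer); on older
  -- builds the constant is nil and renegotiation cannot be disabled this way.
  if openssl_ssl.OP_NO_RENEGOTIATION then
    opts = opts + openssl_ssl.OP_NO_RENEGOTIATION
  end
  ctx:setOptions(opts)
  ctx:setCertificate(openssl_x509.new(read_file(CERT_PATH)))
  ctx:setPrivateKey(openssl_pkey.new(read_file(KEY_PATH)))
  return ctx
end

-- Minimal request handler so the server has something to serve.
local function reply(server, stream)
  local res_headers = http_headers.new()
  res_headers:append(":status", "200")
  res_headers:append("content-type", "text/plain")
  assert(stream:write_headers(res_headers, false))
  assert(stream:write_chunk("ok\n", true))
end

local server = assert(http_server.listen {
  host = "127.0.0.1",
  port = 8443,           -- assumed port for the example
  tls = true,
  ctx = hardened_server_context(),
  onstream = reply,
})

assert(server:loop())
```

After starting the server, re-running testssl against it is the check that matters: TLS 1 and TLS 1.1 should now report "not offered", and the client-initiated renegotiation test should no longer be flagged, provided the OpenSSL build exposed OP_NO_RENEGOTIATION. If that constant is nil on your build, the renegotiation finding remains and the fix has to come from a newer OpenSSL rather than from the context options.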

See https://github.com/daurnimator/lua-http/pull/217

daurnimator avatar Aug 28 '23 11:08 daurnimator