duraconf - A collection of hardened configuration files for SSL/TLS services

Results 37 duraconf issues

This patch enables support for TLSv1.1 and TLSv1.2 on nginx.

This is based upon recommendation from Qualys...which seems pretty reasonable.

The NameVirtualHost directive no longer has any effect, other than to emit a warning. Any address/port combination appearing in multiple virtual hosts is implicitly treated as a name-based virtual host....

I'm wondering if someone has researched node's TLS module yet. From my limited testing, it looks a bit dire as PFS doesn't seem achievable without the support of ECDHE ciphers...

When I used the ciphers listed in the nginx example, and ran the [Qualys SSL server test](https://www.ssllabs.com/ssltest/index.html), I was informed that it was vulnerable to BEAST. I've used `ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH` instead.

In particular, this comment on HSTS could be misinterpreted: "This configuration does not include the HSTS header to ensure that users do not accidentally connect to an insecure HTTP service...

I discovered that this line in the nginx file prevents Internet Explorer 9 and earlier from connecting to the server: `ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;` It seems to actually work in IE 10....