Simple-Web-Server: Difference between revisions
(Created page with "The best C++ https code I found during my 2016/08 search. I'm contributing to keep its ciphers etc. up-to-date so it can maintain an A on [https://www...") |
No edit summary |
||
| Line 1: | Line 1: | ||
The best C++ https code I found during my [[C++ https libraries|2016/08 search]]. | The best C++ https code I found during my [[C++ https libraries|2016/08 search]]. [https://github.com/eidheim Ole Christian Eidheim], the author, is great, he answered my emails and accepted my pull requests. | ||
Ole | == Security Concerns == | ||
* I'm contributing to keep SWS ciphers etc. up-to-date so it can maintain an A on [https://www.ssllabs.com/ssltest/index.html its ssl tests]. | |||
* [https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ This blog entry] has been kept up to date with recommendations and solutions. | |||
* Use nothing older than tlsv12. Pull request applied, fixed. | |||
* Use AES not RC4. This requires setting OpenSSL options. Ole advised on how to update the ciphers. I'm investigating. | |||
* Need HSTS headers to allow perfect forward secrecy. | |||
== AES discussion == | |||
eidheim commented 3 hours ago | |||
I found only this: https://github.com/zaphoyd/websocketpp/blob/master/examples/echo_server_tls/echo_server_tls.cpp#L124. Here OpenSSL is used directly to disable RC4 I think (...:!RC4:...). See here for documentation of the command: https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_cipher_list.html. The SSL_CTX* is reached by doing context.native_handle() in https_server.hpp if I'm not mistaken. Although which ciphers should be included otherwise I'm not sure of, however, it should be possible to receive the cipher list from SSL_CTX_get_ciphers (https://www.openssl.org/docs/manmaster/ssl/SSL_get_ciphers.html), that is instead of hardcoding them like in https://github.com/zaphoyd/websocketpp/blob/master/examples/echo_server_tls/echo_server_tls.cpp#L124. | |||
@moodboom | |||
moodboom commented 3 hours ago | |||
Cool. Here's the analysis that led me to think AES was the correct choice: | |||
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | |||
I'll try hardcoding a recommended cipher from there as the default and see what I get. If that works, maybe we can provide a cipher option to the user? | |||
Including support for HSTS seems to be the other important concern. | |||
Revision as of 16:45, 21 August 2016
The best C++ https code I found during my 2016/08 search. Ole Christian Eidheim, the author, is great, he answered my emails and accepted my pull requests.
Security Concerns
- I'm contributing to keep SWS ciphers etc. up-to-date so it can maintain an A on its ssl tests.
- This blog entry has been kept up to date with recommendations and solutions.
- Use nothing older than tlsv12. Pull request applied, fixed.
- Use AES not RC4. This requires setting OpenSSL options. Ole advised on how to update the ciphers. I'm investigating.
- Need HSTS headers to allow perfect forward secrecy.
AES discussion
eidheim commented 3 hours ago I found only this: https://github.com/zaphoyd/websocketpp/blob/master/examples/echo_server_tls/echo_server_tls.cpp#L124. Here OpenSSL is used directly to disable RC4 I think (...:!RC4:...). See here for documentation of the command: https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_cipher_list.html. The SSL_CTX* is reached by doing context.native_handle() in https_server.hpp if I'm not mistaken. Although which ciphers should be included otherwise I'm not sure of, however, it should be possible to receive the cipher list from SSL_CTX_get_ciphers (https://www.openssl.org/docs/manmaster/ssl/SSL_get_ciphers.html), that is instead of hardcoding them like in https://github.com/zaphoyd/websocketpp/blob/master/examples/echo_server_tls/echo_server_tls.cpp#L124. @moodboom
moodboom commented 3 hours ago Cool. Here's the analysis that led me to think AES was the correct choice:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
I'll try hardcoding a recommended cipher from there as the default and see what I get. If that works, maybe we can provide a cipher option to the user?
Including support for HSTS seems to be the other important concern.