OLS 1.4.6 dhparam file not working ?
53 views
Skip to first unread message
George Liu
Mar 28, 2015, 3:19:56 AM3/28/15
to openlitespee...@googlegroups.com
Test OLS 1.4.6 site at https://h2ohttp2.centminmod.com:8099/flags.html
cipherscan https://github.com/jvehent/cipherscan reports DH,1024bits and not DH, 4096bits I have set when I created my dhparam file which is using same dhparam file i use for Nginx SPDY/3.1 ssl and h2o HTTP/2 server as both Nginx, h2o and OLS are on same server
OLS settings at custom SSL listener level mapped to site at https://h2ohttp2.centminmod.com:8099/flags.html
Enable DH Key Exchange Yes
DH Parameter /usr/local/nginx/conf/ssl/centminmod.com/dhparam4096.pem
also tried DH Paramter = /usr/local/lsws/admin/conf/dhparam4096.pem and still reports as 1024bits while Nginx and h2o report 4096 bits
cipherscan h2ohttp2.centminmod.com:8099
....................
Target: h2ohttp2.centminmod.com:8099
prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint ocsp_staple pfs_keysize
1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
3 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,1024bits
5 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,1024bits
6 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
7 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
8 ECDHE-RSA-AES256-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True None True ECDH,P-256,256bits
9 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
10 DHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,1024bits
11 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,1024bits
12 DHE-RSA-AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,1024bits
13 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,1024bits
14 AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True
15 AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 300 True
16 AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True
17 AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True
18 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True
19 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True
OCSP stapling: supported
Server side cipher ordering
here's Nginx SPDY/3.1 with
ssl_dhparam /usr/local/nginx/conf/ssl/centminmod.com/dhparam4096.pem;
cipherscan h2ohttp2.centminmod.com:443
....................
Target: h2ohttp2.centminmod.com:443
prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint ocsp_staple pfs_keysize
1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True ECDH,P-256,256bits
2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True ECDH,P-256,256bits
3 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True ECDH,P-256,256bits
4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True DH,4096bits
5 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True DH,4096bits
6 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True ECDH,P-256,256bits
7 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 43200 True ECDH,P-256,256bits
8 ECDHE-RSA-AES256-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True None True ECDH,P-256,256bits
9 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 43200 True ECDH,P-256,256bits
10 DHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True DH,4096bits
11 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 43200 True DH,4096bits
12 DHE-RSA-AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True DH,4096bits
13 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 43200 True DH,4096bits
14 AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True
15 AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True
16 AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True
17 AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 43200 True
18 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 43200 True
19 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 43200 True
OCSP stapling: supported
Server side cipher ordering
George Liu
Mar 31, 2015, 6:31:22 PM3/31/15
to openlitespee...@googlegroups.com
maybe related i have set
DH Parameter /usr/local/lsws/admin/conf/dhparam4096.pem
in my lsws logs i see
2015-03-31 22:28:34.488 ERROR [config:server:listener:SSL HOSTS:ssl] Path for DH Parameter file is not accessible: /usr/local/lsws/admin/conf/dhparam4096.pem/
2015-03-31 22:28:34.488 WARN [config:server:listener:SSL HOSTS:ssl] invalid path for DH paramter: /usr/local/lsws/admin/conf/dhparam4096.pem, ignore and use built-in DH parameter!
George Wang
Mar 31, 2015, 7:03:12 PM3/31/15
to openlitespee...@googlegroups.com
must be treating it as directory path. should be easy to fix.
On 3/31/2015 6:31 PM, George Liu wrote:
> maybe related i have set
>
> DH Parameter/usr/local/lsws/admin/conf/dhparam4096.pem
>
> in my lsws logs i see
>
> 2015-03-31 22:28:34.488ERROR[config:server:listener:SSL HOSTS:ssl] Path
> ....................
> Target: h2ohttp2.centminmod.com:8099
> <http://h2ohttp2.centminmod.com:8099>
> <http://centminmod.com/dhparam4096.pem>;
>
> cipherscan h2ohttp2.centminmod.com:443
> <http://h2ohttp2.centminmod.com:443>
> ....................
> Target: h2ohttp2.centminmod.com:443 <http://h2ohttp2.centminmod.com:443>
> --
> You received this message because you are subscribed to the Google
> Groups "OpenLiteSpeed Development" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to openlitespeed-deve...@googlegroups.com
> <mailto:openlitespeed-deve...@googlegroups.com>.
> To post to this group, send email to
> openlitespee...@googlegroups.com
> <mailto:openlitespee...@googlegroups.com>.
> Visit this group at
> http://groups.google.com/group/openlitespeed-development.
> For more options, visit https://groups.google.com/d/optout.
On 3/31/2015 6:31 PM, George Liu wrote:
> maybe related i have set
>
> DH Parameter/usr/local/lsws/admin/conf/dhparam4096.pem
>
> in my lsws logs i see
>
> for DH Parameter file is not accessible:
> /usr/local/lsws/admin/conf/dhparam4096.pem/
> 2015-03-31 22:28:34.488WARN[config:server:listener:SSL HOSTS:ssl]
> /usr/local/lsws/admin/conf/dhparam4096.pem/
> invalid path for DH paramter:
> /usr/local/lsws/admin/conf/dhparam4096.pem, ignore and use built-in DH
> parameter!
>
>
> On Saturday, March 28, 2015 at 5:19:56 PM UTC+10, George Liu wrote:
>
> Test OLS 1.4.6 site
> at https://h2ohttp2.centminmod.com:8099/flags.html
> <https://h2ohttp2.centminmod.com:8099/flags.html>
>
> cipherscan https://github.com/jvehent/cipherscan
> <https://github.com/jvehent/cipherscan> reports DH,1024bits and not
> DH, 4096bits I have set when I created my dhparam file which is
> using same dhparam file i use for Nginx SPDY/3.1 ssl and h2o HTTP/2
> server as both Nginx, h2o and OLS are on same server
>
> OLS settings at custom SSL listener level mapped to site at
> https://h2ohttp2.centminmod.com:8099/flags.html
> <https://h2ohttp2.centminmod.com:8099/flags.html>
>
> Enable DH Key ExchangeYes
> DH Parameter/usr/local/nginx/conf/ssl/centminmod.com/dhparam4096.pem
> <http://centminmod.com/dhparam4096.pem>
> /usr/local/lsws/admin/conf/dhparam4096.pem, ignore and use built-in DH
> parameter!
>
>
> On Saturday, March 28, 2015 at 5:19:56 PM UTC+10, George Liu wrote:
>
> Test OLS 1.4.6 site
> at https://h2ohttp2.centminmod.com:8099/flags.html
> <https://h2ohttp2.centminmod.com:8099/flags.html>
>
> cipherscan https://github.com/jvehent/cipherscan
> <https://github.com/jvehent/cipherscan> reports DH,1024bits and not
> DH, 4096bits I have set when I created my dhparam file which is
> using same dhparam file i use for Nginx SPDY/3.1 ssl and h2o HTTP/2
> server as both Nginx, h2o and OLS are on same server
>
> OLS settings at custom SSL listener level mapped to site at
> https://h2ohttp2.centminmod.com:8099/flags.html
> <https://h2ohttp2.centminmod.com:8099/flags.html>
>
> Enable DH Key ExchangeYes
> DH Parameter/usr/local/nginx/conf/ssl/centminmod.com/dhparam4096.pem
>
> also tried DH Paramter = /usr/local/lsws/admin/conf/dhparam4096.pem
> and still reports as 1024bits while Nginx and h2o report 4096 bits
>
> cipherscan h2ohttp2.centminmod.com:8099
> <http://h2ohttp2.centminmod.com:8099>
> also tried DH Paramter = /usr/local/lsws/admin/conf/dhparam4096.pem
> and still reports as 1024bits while Nginx and h2o report 4096 bits
>
> cipherscan h2ohttp2.centminmod.com:8099
> ....................
> Target: h2ohttp2.centminmod.com:8099
> <http://h2ohttp2.centminmod.com:8099>
>
> cipherscan h2ohttp2.centminmod.com:443
> <http://h2ohttp2.centminmod.com:443>
> ....................
> Target: h2ohttp2.centminmod.com:443 <http://h2ohttp2.centminmod.com:443>
> You received this message because you are subscribed to the Google
> Groups "OpenLiteSpeed Development" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to openlitespeed-deve...@googlegroups.com
> <mailto:openlitespeed-deve...@googlegroups.com>.
> To post to this group, send email to
> openlitespee...@googlegroups.com
> <mailto:openlitespee...@googlegroups.com>.
> Visit this group at
> http://groups.google.com/group/openlitespeed-development.
> For more options, visit https://groups.google.com/d/optout.
George Wang
Apr 1, 2015, 9:40:12 AM4/1/15
to openlitespee...@googlegroups.com
Following patch will fix this
diff --git src/sslpp/sslcontext.cpp src/sslpp/sslcontext.cpp
index 00ea34d..b56b71f 100644
--- src/sslpp/sslcontext.cpp
+++ src/sslpp/sslcontext.cpp
@@ -1180,7 +1180,7 @@ SSLContext *SSLContext::config(const XmlNode *pNode)
const char *pDHParam = pNode->getChildValue("DHParam");
if (pDHParam)
{
- if (ConfigCtx::getCurConfigCtx()->getValidPath(achCAPath,
pDHParam,
+ if (ConfigCtx::getCurConfigCtx()->getValidFile(achCAPath,
pDHParam,
"DH Parameter file") != 0)
{
ConfigCtx::getCurConfigCtx()->logWarn("invalid path for
DH paramter: %s, ignore and use built-in DH parameter!",
Thanks,
George Wang
On 3/31/2015 6:31 PM, George Liu wrote:
> ....................
> Target: h2ohttp2.centminmod.com:8099
> <http://h2ohttp2.centminmod.com:8099>
> <http://h2ohttp2.centminmod.com:443>
> ....................
> Target: h2ohttp2.centminmod.com:443 <http://h2ohttp2.centminmod.com:443>
diff --git src/sslpp/sslcontext.cpp src/sslpp/sslcontext.cpp
index 00ea34d..b56b71f 100644
--- src/sslpp/sslcontext.cpp
+++ src/sslpp/sslcontext.cpp
@@ -1180,7 +1180,7 @@ SSLContext *SSLContext::config(const XmlNode *pNode)
const char *pDHParam = pNode->getChildValue("DHParam");
if (pDHParam)
{
- if (ConfigCtx::getCurConfigCtx()->getValidPath(achCAPath,
pDHParam,
+ if (ConfigCtx::getCurConfigCtx()->getValidFile(achCAPath,
pDHParam,
"DH Parameter file") != 0)
{
ConfigCtx::getCurConfigCtx()->logWarn("invalid path for
DH paramter: %s, ignore and use built-in DH parameter!",
Thanks,
George Wang
On 3/31/2015 6:31 PM, George Liu wrote:
> maybe related i have set
>
> DH Parameter/usr/local/lsws/admin/conf/dhparam4096.pem
>
> in my lsws logs i see
>
> 2015-03-31 22:28:34.488ERROR[config:server:listener:SSL HOSTS:ssl] Path
>
> DH Parameter/usr/local/lsws/admin/conf/dhparam4096.pem
>
> in my lsws logs i see
>
> for DH Parameter file is not accessible:
> /usr/local/lsws/admin/conf/dhparam4096.pem/
> 2015-03-31 22:28:34.488WARN[config:server:listener:SSL HOSTS:ssl]
> /usr/local/lsws/admin/conf/dhparam4096.pem/
> invalid path for DH paramter:
> /usr/local/lsws/admin/conf/dhparam4096.pem, ignore and use built-in DH
> parameter!
>
>
> On Saturday, March 28, 2015 at 5:19:56 PM UTC+10, George Liu wrote:
>
> Test OLS 1.4.6 site
> at https://h2ohttp2.centminmod.com:8099/flags.html
> <https://h2ohttp2.centminmod.com:8099/flags.html>
>
> cipherscan https://github.com/jvehent/cipherscan
> <https://github.com/jvehent/cipherscan> reports DH,1024bits and not
> DH, 4096bits I have set when I created my dhparam file which is
> using same dhparam file i use for Nginx SPDY/3.1 ssl and h2o HTTP/2
> server as both Nginx, h2o and OLS are on same server
>
> OLS settings at custom SSL listener level mapped to site at
> https://h2ohttp2.centminmod.com:8099/flags.html
> <https://h2ohttp2.centminmod.com:8099/flags.html>
>
> /usr/local/lsws/admin/conf/dhparam4096.pem, ignore and use built-in DH
> parameter!
>
>
> On Saturday, March 28, 2015 at 5:19:56 PM UTC+10, George Liu wrote:
>
> Test OLS 1.4.6 site
> at https://h2ohttp2.centminmod.com:8099/flags.html
> <https://h2ohttp2.centminmod.com:8099/flags.html>
>
> cipherscan https://github.com/jvehent/cipherscan
> <https://github.com/jvehent/cipherscan> reports DH,1024bits and not
> DH, 4096bits I have set when I created my dhparam file which is
> using same dhparam file i use for Nginx SPDY/3.1 ssl and h2o HTTP/2
> server as both Nginx, h2o and OLS are on same server
>
> OLS settings at custom SSL listener level mapped to site at
> https://h2ohttp2.centminmod.com:8099/flags.html
> <https://h2ohttp2.centminmod.com:8099/flags.html>
>
> Enable DH Key ExchangeYes
> DH Parameter/usr/local/nginx/conf/ssl/centminmod.com/dhparam4096.pem
> <http://centminmod.com/dhparam4096.pem>
>
> DH Parameter/usr/local/nginx/conf/ssl/centminmod.com/dhparam4096.pem
> <http://centminmod.com/dhparam4096.pem>
>
> also tried DH Paramter = /usr/local/lsws/admin/conf/dhparam4096.pem
> and still reports as 1024bits while Nginx and h2o report 4096 bits
>
> cipherscan h2ohttp2.centminmod.com:8099
> <http://h2ohttp2.centminmod.com:8099>
> and still reports as 1024bits while Nginx and h2o report 4096 bits
>
> cipherscan h2ohttp2.centminmod.com:8099
> ....................
> Target: h2ohttp2.centminmod.com:8099
> <http://h2ohttp2.centminmod.com:8099>
> ....................
> Target: h2ohttp2.centminmod.com:443 <http://h2ohttp2.centminmod.com:443>
George Liu
Apr 2, 2015, 1:26:29 AM4/2/15
to openlitespee...@googlegroups.com
not sure if the formatting on google groups messed with your patch, but is this correct https://bitbucket.org/snippets/eva2000/kraK ?
thanks
George
George Liu
Apr 3, 2015, 4:40:24 PM4/3/15
to openlitespee...@googlegroups.com
I updated to Openlitespeed 1.4.7 and that fixed it dhparam 4096 bit file detected properly now in testssl scan
prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint ocsp_staple pfs_keysize
1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
3 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,4096bits
5 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,4096bits
6 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
7 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
8 ECDHE-RSA-AES256-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True None True ECDH,P-256,256bits
9 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True ECDH,P-256,256bits
10 DHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,4096bits
11 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,4096bits
12 DHE-RSA-AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,4096bits
13 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True DH,4096bits
14 AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True
15 AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 300 True
16 AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True
17 AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 300 True
18 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True
19 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 300 True
OCSP stapling: supported
Server side cipher ordering
cheers
George
On Wednesday, April 1, 2015 at 11:40:12 PM UTC+10, George Wang wrote:
Reply all
Reply to author
Forward
0 new messages