[AOLSERVER] Updating Aolserver to use TLSv1.2
52 views
Skip to first unread message
Paula Giangeruso
Jun 23, 2015, 10:58:39 AM6/23/15
to aolserv...@lists.sourceforge.net
Does anyone have TLS v1.2 working on AOLserver? If so how did you go about doing this?
Thank You,
Paula
--
Paula Giangeruso - Vice President/Engineering
wineaccess ®
direct from the source
direct from the source
Scott Goodwin
Jun 23, 2015, 12:16:46 PM6/23/15
to Paula Giangeruso, aolserv...@lists.sourceforge.net
An AOLserver configuration file from an old server I used to run has this section defined:
ns_param Protocol "SSLv2, SSLv3, TLSv1" ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
From the OpenSSL documentation:
Only enable TLSv1.2:
SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
So I’d assume the following would restrict AOLserver to ONLY use TLS 1.2:
ns_param Protocol “-ALL,TLSv1.2" ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
/s.
------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o_______________________________________________
aolserver-talk mailing list
aolserv...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/aolserver-talk
Scott Goodwin
Jun 23, 2015, 12:21:42 PM6/23/15
to Paula Giangeruso, aolserv...@lists.sourceforge.net
By the way, ignore my CipherSuite line in there — you obviously don’t want SSLv2, +LOW, +MEDIUM and other components - you’ll likely just want the TLS v1.2 ciphers, which are listed here:
Not sure what the CipherSuite string should look like to support that, but if I have time this week I’ll see if I can figure it out. Be aware that restricting to just TLS 1.2 may cause some older browsers to not work with your site, but I haven’t done hands-on work in this area in years, so I’m not up-to-date on proper configurations.
/s.
Gustaf Neumann
Jun 23, 2015, 12:56:39 PM6/23/15
to aolserv...@lists.sourceforge.net
> I’m not up-to-date on proper configurations.
Just as a reference: with the ciphers and Protocol from
NaviServer's nsssl [1]
one can get an A+ rating from SSL Labs [2]. One should also get decent
ratings with these configuration values from AOLserver.
-g
[1] https://bitbucket.org/naviserver/nsssl/
[2] https://www.ssllabs.com/ssltest/analyze.html?d=next-scripting.org
Am 23.06.15 um 18:11 schrieb Scott Goodwin:
one can get an A+ rating from SSL Labs [2]. One should also get decent
ratings with these configuration values from AOLserver.
-g
[1] https://bitbucket.org/naviserver/nsssl/
[2] https://www.ssllabs.com/ssltest/analyze.html?d=next-scripting.org
Am 23.06.15 um 18:11 schrieb Scott Goodwin:
By the way, ignore my CipherSuite line in there — you obviously don’t want SSLv2, +LOW, +MEDIUM and other components - you’ll likely just want the TLS v1.2 ciphers, which are listed here:
Not sure what the CipherSuite string should look like to support that, but if I have time this week I’ll see if I can figure it out. Be aware that restricting to just TLS 1.2 may cause some older browsers to not work with your site, but I haven’t done hands-on work in this area in years, so
Reply all
Reply to author
Forward
0 new messages