Go and the Qualsys SSL Labs test


Nick Craig-Wood

Feb 17, 2014, 10:08:13 AM
to golang-nuts
I've been trying to configure a go ssl server and I was wondering how
secure it was so I ran a default Go (1.2) configured SSL server through

https://www.ssllabs.com/ssltest/

I was very pleased with the result of "A-" :-)

The two points of interest were

* There is no support for secure renegotiation. Grade reduced to A-

* The server does not support Forward Secrecy with the reference
browsers. Grade reduced to A-

I think the forward secrecy issue can be fixed with cipher choice, but I
don't know about the secure renegotiation.

Does anyone have any ideas? (Other than use apache/nginx/etc as a proxy)

Thanks

Nick
--
Nick Craig-Wood <ni...@craig-wood.com> -- http://www.craig-wood.com/nick
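The "cipher choice" fix for the forward-secrecy finding, as an added example that is not Nick's code and not from the 2014 thread: it uses the current crypto/tls API (tls.CipherSuites, tls.CipherSuiteName and the SupportedVersions field, all added well after Go 1.2) to classify suites by key exchange, audit a tls.Config for suites that encrypt the premaster secret to the server's long-term RSA key, and build a server config that offers only ECDHE suites for TLS 1.2. The classification by suite name and the use of tls.CipherSuites() as a stand-in for the library's internal default list are assumptions of this example. crypto/tls offers ECDHE but not finite-field DHE (what agl calls "multiplicative DH" further down), so clients that lack ECDHE support still get no forward secrecy from a Go server.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// providesForwardSecrecy reports whether a crypto/tls cipher suite ID uses an
// ephemeral key exchange, so that a later compromise of the server's private
// key cannot decrypt recorded sessions. TLS 1.2 suites are classified by the
// name crypto/tls gives them (assumption of this example): ECDHE_ suites run
// ephemeral ECDH, while TLS_RSA_ suites encrypt the premaster secret to the
// server's long-term key. TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always
// use an ephemeral exchange.
func providesForwardSecrecy(id uint16) bool {
	name := tls.CipherSuiteName(id) // unknown IDs come back as "0x...."
	if strings.HasPrefix(name, "TLS_AES_") || strings.HasPrefix(name, "TLS_CHACHA20_") {
		return true
	}
	return strings.Contains(name, "_ECDHE_")
}

// auditConfig returns the names of the TLS 1.0-1.2 suites a config would offer
// that lack forward secrecy. A nil CipherSuites list means crypto/tls picks from
// its own defaults, approximated here by tls.CipherSuites() (assumption).
func auditConfig(cfg *tls.Config) []string {
	ids := cfg.CipherSuites
	if ids == nil {
		for _, s := range tls.CipherSuites() {
			ids = append(ids, s.ID)
		}
	}
	var weak []string
	for _, id := range ids {
		if !providesForwardSecrecy(id) {
			weak = append(weak, tls.CipherSuiteName(id))
		}
	}
	return weak
}

// forwardSecrecyConfig builds a server config restricted to ECDHE suites for
// TLS 1.2. TLS 1.3 suites are not configurable through CipherSuites and are
// forward secret anyway, so they are left out of the list. Certificates and
// other fields are for the caller to fill in.
func forwardSecrecyConfig() *tls.Config {
	var suites []uint16
	for _, s := range tls.CipherSuites() {
		supportsTLS12 := false
		for _, v := range s.SupportedVersions {
			if v == tls.VersionTLS12 {
				supportsTLS12 = true
			}
		}
		if supportsTLS12 && providesForwardSecrecy(s.ID) {
			suites = append(suites, s.ID)
		}
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: suites,
	}
}

func main() {
	// Constructed comparison: a config that still allows RSA key exchange
	// next to the restricted one.
	legacy := &tls.Config{CipherSuites: []uint16{
		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	}}
	fmt.Println("legacy config, suites without forward secrecy:", auditConfig(legacy))
	restricted := forwardSecrecyConfig()
	fmt.Println("restricted config, suites without forward secrecy:", auditConfig(restricted))
	for _, id := range restricted.CipherSuites {
		fmt.Println("  offering", tls.CipherSuiteName(id))
	}
}
```

Running the audit against a config before deploying it is the cheap local counterpart of the SSL Labs check: the scanner's "no Forward Secrecy with the reference browsers" finding corresponds to the server still picking a TLS_RSA_ suite for at least one of those clients, which auditConfig flags without a network round trip.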

mkob...@gmail.com

Feb 17, 2014, 1:16:29 PM
to Nick Craig-Wood, golang-nuts
"Nick Craig-Wood" <ni...@craig-wood.com> wrote:
> I think the forward secrecy issue can be fixed with cipher choice, but I
> don't know about the secure renegotiation.
>
> Does anyone have any ideas? (Other than use apache/nginx/etc as a proxy)

It most likely looks for support for the renegotiation_info extension, http://tools.ietf.org/search/rfc5746. If the TLS package doesn't support it, the next best thing is to disable renegotiation (which it most likely would be by default in that case).

HTH,

Martin


agl

Feb 18, 2014, 1:01:05 PM
to golan...@googlegroups.com
On Monday, February 17, 2014 10:08:13 AM UTC-5, Nick Craig-Wood wrote:
> * There is no support for secure renegotiation. Grade reduced to A-

Fixed in trunk so will be in 1.3.

> I think the forward secrecy issue can be fixed with cipher choice, but I
> don't know about the secure renegotiation.

I think one needs multiplicative DH support in order to make SSL Labs happy about the old browsers, and crypto/tls doesn't implement that. It wouldn't be too hard to do if someone is keen.


Cheers

AGL

Nick Craig-Wood

Feb 20, 2014, 6:58:16 PM
to agl, golan...@googlegroups.com
On 18/02/14 18:01, agl wrote:
> On Monday, February 17, 2014 10:08:13 AM UTC-5, Nick Craig-Wood wrote:
>
> * There is no support for secure renegotiation. Grade reduced to A-
>
>
> Fixed in trunk so will be in 1.3.

Excellent - thank you :-)

> I think the forward secrecy issue can be fixed with cipher choice, but I
> don't know about the secure renegotiation.
>
> I think one needs multiplicative DH support in order to make SSL Labs
> happy about the old browsers and crypto/tls doesn't implement that. It
> wouldn't be too hard to do if someone is keen.

Luckily it is an issue which will go away in time along with the older
browsers!