From: | Evgeny Grin |
Subject: | Re: [libmicrohttpd] Configuring ciphers |
Date: | Sat, 19 Jun 2021 20:42:29 +0300 |
User-agent: | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 |
Hello Erik,

MHD generally relies on GnuTLS for handling everything related to TLS (and SSL). All recent versions of GnuTLS have SSL3.0 disabled by default, so you don't need to do anything to disable SSL3.0 (as it is already disabled).

However, you can provide your own cipher preferences with MHD_OPTION_HTTPS_PRIORITIES. The provided value will be used with gnutls_priority_init().

See https://gnutls.org/manual/html_node/Priority-Strings.html for details.

--
Wishes,
Evgeny

On 19.06.2021 17:46, Erik Smith wrote:
> The security folks flagged our server for accepting SSL 3.0 ciphers that it shouldn't. I'm not sure about the proper way to configure this for MHD. I thought I saw a function at one point that passes config info to GnuTLS but I can't find it. This is how operations configures NGINX to solve the problem:
>
> ssl_protocols TLSv1.2;
> ssl_prefer_server_ciphers on;
> ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256+AESGCM:!MD5";
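
Added example, not part of the original thread and not code from libmicrohttpd or GnuTLS: a pre-flight policy check for a priority string before it is passed as MHD_OPTION_HTTPS_PRIORITIES, accepting it only when the protocol list is rebuilt from empty and no SSL3.0/TLS1.0/TLS1.1 entry is added back. The function names and the policy are assumptions for illustration, tokens are assumed to be written in upper case, and syntax validation is still left to gnutls_priority_init().

```c
#include <stdbool.h>
#include <string.h>

/* Bit flags for the TLS versions a GnuTLS priority string can name. */
enum { V_SSL3 = 1, V_TLS10 = 2, V_TLS11 = 4, V_TLS12 = 8, V_TLS13 = 16 };
#define V_LEGACY (V_SSL3 | V_TLS10 | V_TLS11)

struct prio_audit {
    bool pinned;      /* version list rebuilt from empty by -VERS-ALL / -VERS-TLS-ALL */
    unsigned enabled; /* versions explicitly added with +VERS-... after that */
};

static bool tok_is(const char *tok, size_t len, const char *name) {
    return strlen(name) == len && memcmp(tok, name, len) == 0;
}

static unsigned vers_bit(const char *tok, size_t len) {
    static const char *names[] = { "VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1",
                                   "VERS-TLS1.2", "VERS-TLS1.3" };
    for (unsigned i = 0; i < 5; i++)
        if (tok_is(tok, len, names[i])) return 1u << i;
    return 0;
}

/* Walk the ':'-separated tokens left to right, tracking only VERS-* entries. */
struct prio_audit audit_priorities(const char *prio) {
    struct prio_audit a = { false, 0 };
    while (*prio) {
        size_t len = strcspn(prio, ":");
        char op = prio[0];
        if (len > 1 && (op == '+' || op == '-' || op == '!')) {
            const char *tok = prio + 1;
            if (tok_is(tok, len - 1, "VERS-ALL") || tok_is(tok, len - 1, "VERS-TLS-ALL")) {
                a.pinned = (op != '+'); /* +VERS-ALL brings the defaults back */
                a.enabled = 0;
            } else if (op == '+') a.enabled |= vers_bit(tok, len - 1);
            else a.enabled &= ~vers_bit(tok, len - 1);
        }
        prio += len;
        if (*prio == ':') prio++;
    }
    return a;
}

/* Policy: versions pinned, at least one enabled, no SSL3.0/TLS1.0/TLS1.1.
 * An accepted string is then given to MHD_start_daemon() as
 * MHD_OPTION_HTTPS_PRIORITIES, prio. */
bool priorities_acceptable(const char *prio) {
    struct prio_audit a = audit_priorities(prio);
    return a.pinned && a.enabled != 0 && (a.enabled & V_LEGACY) == 0;
}
```

A string such as "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE" passes this check; a bare "NORMAL" does not, because the enabled versions then depend on the installed GnuTLS defaults.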