libmicrohttpd

Re: [libmicrohttpd] Configuring ciphers


From: Erik Smith
Subject: Re: [libmicrohttpd] Configuring ciphers
Date: Mon, 21 Jun 2021 13:24:59 -0700

Thanks!  I went with the string "NORMAL:-VERS-SSL3.0".  I'm not yet building GnuTLS and we're instead relying on the GnuTLS version (3.3.29) in RHEL 7.8, which apparently is not recent enough to have it disabled.

On Sat, Jun 19, 2021 at 10:42 AM Evgeny Grin <k2k@yandex.ru> wrote:
Hello Erik,

MHD generally relies on GnuTLS for handling everything related to TLS
(and SSL). All recent versions of GnuTLS have SSL3.0 disabled by
default, so you don't need to do anything to disable SSL3.0 (as it is
already disabled).

However, you can provide your own cipher preferences via
MHD_OPTION_HTTPS_PRIORITIES. The provided value will be used with
gnutls_priority_init().
See https://gnutls.org/manual/html_node/Priority-Strings.html for details.

--
Wishes,
Evgeny

On 19.06.2021 17:46, Erik Smith wrote:
> The security folks flagged our server for accepting SSL 3.0 ciphers that
> it shouldn't.  I'm not sure about the proper way to configure this for
> MHD.   I thought I saw a function at one point that passes config info to
> GnuTLS but I can't find it.   This is how operations configures
> NGINX to solve the problem:
>
> ssl_protocols TLSv1.2;
> ssl_prefer_server_ciphers on;
> ssl_ciphers
> "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256+AESGCM:!MD5";
>
>
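
Added example, not part of the thread and not libmicrohttpd or GnuTLS code: a simplified model of how the protocol-version tokens in the priority strings discussed above combine, usable as a start-up sanity check before a string is passed to MHD_OPTION_HTTPS_PRIORITIES. The function prio_versions(), the V_* flags and the baseline mask are hypothetical names and assumptions; the real parsing is done by gnutls_priority_init().

```c
#include <stdio.h>
#include <string.h>

/* Bit flags for the TLS version tokens used in GnuTLS priority strings. */
enum { V_SSL30 = 1, V_TLS10 = 2, V_TLS11 = 4, V_TLS12 = 8, V_TLS13 = 16 };

static const struct { const char *tok; unsigned bit; } VERS[] = {
  { "VERS-SSL3.0", V_SSL30 }, { "VERS-TLS1.0", V_TLS10 },
  { "VERS-TLS1.1", V_TLS11 }, { "VERS-TLS1.2", V_TLS12 },
  { "VERS-TLS1.3", V_TLS13 },
};

/* Constructed sample baseline (assumption): what "NORMAL" enables on an older
 * build that still accepts SSL 3.0, as reported in the thread. */
#define OLD_BASELINE (V_SSL30 | V_TLS10 | V_TLS11 | V_TLS12)

/* Simplified model, not GnuTLS's parser: start from `baseline` (the versions
 * the leading keyword enables on the installed build) and apply the
 * +VERS-x / -VERS-x / !VERS-x tokens left to right. Other tokens are ignored. */
unsigned prio_versions(const char *prio, unsigned baseline)
{
  unsigned set = baseline;
  for (const char *p = prio; *p; ) {
    size_t len = strcspn(p, ":");
    int add = (p[0] == '+');
    if (len > 1 && (add || p[0] == '-' || p[0] == '!')) {
      const char *name = p + 1;
      size_t nlen = len - 1;
      if ((nlen == 8 && !strncmp(name, "VERS-ALL", 8)) ||
          (nlen == 12 && !strncmp(name, "VERS-TLS-ALL", 12)))
        set = add ? (set | baseline) : 0;
      for (size_t i = 0; i < sizeof VERS / sizeof VERS[0]; i++)
        if (nlen == strlen(VERS[i].tok) && !strncmp(name, VERS[i].tok, nlen))
          set = add ? (set | VERS[i].bit) : (set & ~VERS[i].bit);
    }
    p += len;
    if (*p == ':') p++;
  }
  return set;
}

int main(void)
{
  const char *cands[] = { "NORMAL", "NORMAL:-VERS-SSL3.0",
                          "NORMAL:-VERS-ALL:+VERS-TLS1.2" };
  for (size_t i = 0; i < 3; i++)
    printf("%-32s -> mask 0x%02x\n", cands[i],
           prio_versions(cands[i], OLD_BASELINE));
  return 0;
}
```

Under this assumed baseline, "NORMAL:-VERS-SSL3.0" removes SSL 3.0 but leaves TLS 1.0 and 1.1 enabled, while the third candidate mirrors the quoted NGINX setting `ssl_protocols TLSv1.2`. On the target host, `gnutls-cli --list --priority "<string>"` lists what the installed GnuTLS enables for a given string.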

