New default TLS options · Issue #216 · daurnimator/lua-http

Open
Description

@bigben93

I tested the default settings of the lua-http server with the testssl command.
The worst problems:

Testing protocols via sockets except NPN+ALPN

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 h2, http/1.1 (offered)

and

Testing vulnerabilities
[...]
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
[...]

To fix these problems, the HTTPS server must be run with additional TLS flags: OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_RENEGOTIATION.

I think it would be a good idea to provide better security "out of the box".
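The configuration the issue asks for, as an added example that is not part of the issue or of lua-http itself: a lua-http server whose luaossl context has the three options set, plus a check that they are really present. It assumes `cert.pem` and `key.pem` exist in the working directory and that the luaossl build exposes `OP_NO_RENEGOTIATION` (OpenSSL 1.1.1 or later).

```lua
-- Added example (not from the issue or from lua-http): a TLS server with
-- TLS 1.0/1.1 and client-initiated renegotiation disabled.
local http_server  = require "http.server"
local http_headers = require "http.headers"
local http_tls     = require "http.tls"
local sslctx       = require "openssl.ssl.context"
local pkey         = require "openssl.pkey"
local x509         = require "openssl.x509"

local function read_file(path)
	local f = assert(io.open(path, "rb"))
	local data = f:read("*a")
	f:close()
	return data
end

-- Start from lua-http's own server defaults (no SSLv2/3, no compression, ...)
-- and add the options requested in the issue. The constants are distinct
-- bits, so '+' is a safe OR and stays Lua 5.1 compatible.
local ctx = http_tls.new_server_context()
ctx:setCertificate(x509.new(read_file("cert.pem")))   -- assumption: file exists
ctx:setPrivateKey(pkey.new(read_file("key.pem")))     -- assumption: file exists
local extra = sslctx.OP_NO_TLSv1 + sslctx.OP_NO_TLSv1_1
-- Assumption: only present when luaossl was built against OpenSSL >= 1.1.1.
if sslctx.OP_NO_RENEGOTIATION then
	extra = extra + sslctx.OP_NO_RENEGOTIATION
end
ctx:setOptions(extra)

-- Check that a power-of-two option bit is set, without bit operators.
local function has_option(c, flag)
	return math.floor(c:getOptions() / flag) % 2 == 1
end
assert(has_option(ctx, sslctx.OP_NO_TLSv1),   "TLS 1.0 still enabled")
assert(has_option(ctx, sslctx.OP_NO_TLSv1_1), "TLS 1.1 still enabled")

local server = assert(http_server.listen {
	host = "127.0.0.1", port = 8443,
	tls = true, ctx = ctx,
	onstream = function(_, stream)
		local res = http_headers.new()
		res:append(":status", "200")
		res:append("content-type", "text/plain")
		assert(stream:write_headers(res, false))
		assert(stream:write_chunk("hello over TLS 1.2+\n", true))
	end,
})
assert(server:loop())
```

Re-running testssl against port 8443 should then report TLS 1 and TLS 1.1 as "not offered" and renegotiation as not vulnerable.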

Activity

daurnimator (Owner) commented on Aug 28, 2023

See #217
