Forum

Configuring a cipher preference list

Voight Kampff
10 November 2013, 13:55
First of all thank you for developing Hiawatha. I'm relatively new to webservers, but it's nice finding out one which has set out security as a priority.

I know this has been asked before
http://www.hiawatha-webserver.org/forum/topic/1220
http://www.hiawatha-webserver.org/forum/topic/1436

But so far there is no configuration possibility yet.
Both Apache and nginx allow the webserver admin to configure the cipher suite order.
Is there any reason for not allowing that in Hiawatha?

I have forced TLS 1.2 but this is the agreed cipher between Hiawatha and Firefox: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

Now I'm new to this, but from what I read on some sites:
hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
blog.cloudflare.com/staying-on-top-of-tls-attacks

Among other things one should:
1) stop using RC4
2) disable CBC-based ciphers
3) prefer GCM

Furthermore, even if I misunderstood something and the above is not always entirely true, is there any reason for not using the best possible cipher?
ECDH+AESGCM
But it would be even better if I could configure a preference list:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS


Thank you.

PS:
Is there any website or mail subscription where I can keep track of the latest security problems and fixes on these cogs of the web (Hiawatha, OpenSSL, CGI, PHP, CMSs)?
Reading about a security problem one week or even one day later may be too late already.

PS2:
"message seen as spam"
Maybe add a captcha?
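As an added example (not part of the post, and not Hiawatha or OpenSSL code), the following Python script applies the three rules listed above and the poster's preference string to a constructed set of cipher suites, including the Camellia/CBC suite Firefox actually negotiated. It assumes IANA-style suite names (`TLS_<kx>_WITH_<cipher>_<mac>`), treats `ECDH`/`ECDHE` as one key-exchange class and `DH`/`DHE` as another, and excludes anything the preference string does not name at all (as OpenSSL would), so Camellia suites drop out entirely. The class matching is a simplified re-implementation of the OpenSSL aliases, not a call into OpenSSL itself.

```python
import re

# Constructed sample of suites a client might offer (IANA names), including the
# TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA suite from the post. Illustrative only.
SAMPLE_OFFERED = [
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# The poster's preference string, reduced to (key-exchange class, bulk-cipher token)
# pairs in the same order. The "!" exclusions are handled in preference_rank().
PREFERENCE = [
    ("ECDH", "AESGCM"), ("DH", "AESGCM"), ("ECDH", "AES256"), ("DH", "AES256"),
    ("ECDH", "AES128"), ("DH", "AES"), ("ECDH", "3DES"), ("DH", "3DES"),
    ("RSA", "AES"), ("RSA", "3DES"),
]


def parse_suite(name):
    """Split an IANA suite name into (key_exchange, bulk_cipher, mac)."""
    m = re.fullmatch(r"TLS_(?P<kx>.+?)_WITH_(?P<rest>.+)", name)
    if not m:
        raise ValueError(f"not an IANA cipher suite name: {name}")
    bulk, mac = m.group("rest").rsplit("_", 1)
    return m.group("kx"), bulk, mac


def audit_suite(name):
    """Return the problems a suite has under the rules quoted in the post."""
    kx, bulk, mac = parse_suite(name)
    issues = []
    if "RC4" in bulk:
        issues.append("RC4")            # rule 1: stop using RC4
    if "CBC" in bulk:
        issues.append("CBC")            # rule 2: disable CBC-based ciphers
    if "GCM" not in bulk:
        issues.append("not GCM")        # rule 3: prefer GCM
    if "anon" in kx:
        issues.append("anonymous")      # !ADH / !AECDH: unauthenticated exchange
    if mac == "MD5":
        issues.append("MD5")            # !MD5
    if "DSS" in kx:
        issues.append("DSS")            # !DSS
    return issues


def kx_class(kx):
    """Map the key-exchange part onto the classes used in the preference string.
    Assumption: ECDH and ECDHE share a class, as do DH and DHE."""
    if "anon" in kx or "DSS" in kx:
        return None
    if kx.startswith("ECDH"):
        return "ECDH"
    if kx.startswith("DH"):
        return "DH"
    if kx == "RSA":
        return "RSA"
    return None  # PSK, SRP and friends are not named in the list


def bulk_matches(bulk, token):
    """Does the bulk-cipher part satisfy a token from the preference string?"""
    return {
        "AESGCM": bulk.startswith("AES_") and bulk.endswith("_GCM"),
        "AES256": bulk.startswith("AES_256"),
        "AES128": bulk.startswith("AES_128"),
        "AES": bulk.startswith("AES_"),
        "3DES": bulk.startswith("3DES"),
    }.get(token, False)


def preference_rank(name):
    """Position of a suite in the preference list, or None if it is excluded."""
    kx, bulk, mac = parse_suite(name)
    if mac == "MD5":
        return None
    cls = kx_class(kx)
    if cls is None:
        return None
    for rank, (want_kx, want_bulk) in enumerate(PREFERENCE):
        if cls == want_kx and bulk_matches(bulk, want_bulk):
            return rank
    return None  # e.g. Camellia: not named, so never selected


def order_by_preference(offered):
    """Server-side ordering: best rank first, excluded suites dropped."""
    ranked = [(preference_rank(s), s) for s in offered]
    kept = [(r, s) for r, s in ranked if r is not None]
    return [s for _, s in sorted(kept, key=lambda t: t[0])]


if __name__ == "__main__":
    for suite in SAMPLE_OFFERED:
        print(f"{suite:45} rank={preference_rank(suite)} issues={audit_suite(suite)}")
    print("server would choose:", order_by_preference(SAMPLE_OFFERED)[0])
```

Run against the sample, the negotiated Camellia suite is flagged for CBC and the absence of GCM and gets no rank at all, while the ECDHE AES-GCM suite is chosen first, which is the behaviour the poster is asking to be able to configure.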


Hugo Leisink
16 November 2013, 22:43
The reason for not offering such configuration is because I believe the current cipher order in Hiawatha is just fine and not many people know what it all means. There is no need to adjust it. ECDH+AES,GCM is preferred, but the client needs of course to support it as well.

But if you really want to change it, edit src/ssl.c.
This topic has been closed.