How to configure your HTTPS server

Saturday, January 19. 2013, 11:45
Yesterday, we had a meeting at CAcert Berlin where I had a little talk about how to almost-perfectly configure your HTTPS server. Motivation for that was the very nice Qualys SSL Server test, which can remote-check your SSL configuration and tell you a bunch of things about it.

While playing with that, I created a test setup which passes with 100 points in the Qualys test. However, you will hardly be able to access that page, which is mainly due to its exclusive support for TLS 1.2. All major browsers fail. Someone from the audience told me that the iPhone browser was successfully able to access the page. To save the reputation of free software, someone else found out that the Midori browser is also capable of accessing it. I've described what I did there on the page itself, and you may also read it here via http.
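The post does not reproduce the test setup's configuration, so here is an added illustration of the one setting that produces the behaviour described above: an nginx server block that accepts TLS 1.2 and nothing else. This is example configuration written for this page, not the author's own; the hostname, certificate paths and cipher list are placeholders and assumptions.

```nginx
# Added example, not the configuration of the test page described in the post.
# Hostname, certificate paths and cipher list are assumptions for illustration.
server {
    listen 443 ssl;
    server_name tls12only.example.org;                 # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;  # placeholder path

    # This is the setting responsible for the compatibility problems the post
    # describes: a client that cannot negotiate TLS 1.2 gets a handshake
    # failure instead of a page. Requires nginx built against OpenSSL 1.0.1.
    ssl_protocols TLSv1.2;

    # Let the server pick the suite and restrict the offer to forward-secret
    # AEAD suites (assumed list, chosen to match a strict TLS 1.2-only policy).
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';

    # Session cache and HSTS; the Qualys test also looks for HSTS.
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000";
}
```

To confirm that the restriction is in effect from the command line, `openssl s_client -connect tls12only.example.org:443 -tls1_2` should complete the handshake and print the negotiated protocol, while `openssl s_client -connect tls12only.example.org:443 -tls1` should fail with a handshake failure alert. The second command is the quickest way to tell whether a browser that cannot reach the page is being refused by the protocol setting rather than by a certificate problem.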

Here are my slides "SSL, X.509, HTTPS - How to configure your HTTPS server" as ODP, as PDF and on Slideshare.

And some links mentioned in the slides:
Check SSL and SSH weak keys due to broken random numbers
EFF SSL Observatory
Sovereign Keys project

Some great talks on the mentioned topics by others:
Facthacks Talk 29c3
MD5 considered harmful today - Creating a rogue CA Certificate
Is the SSLiverse a safe place?

Update: As people seem to find this browser issue interesting: It's been pointed out that the iPad browser also works. Opera with TLS 1.2 enabled seems to work for some people, but not for me (maybe Windows-only). luakit and epiphany also work, but they don't check certificates at all, so that kind of doesn't count.

Comments

luakit manages it as well. Probably every mini-browser based on webkit-gtk does.
#1 krigstask on 2013-01-19 12:43
It's basically not the webkit part, but openssl. If a browser uses "plain" openssl without doing anything further and if openssl is on version 1.0.1, it should "just work". Simple textmode browsers like w3m and lynx also do it.
#1.1 Hanno on 2013-01-19 13:11
I can read the fancyssl page with Opera 12.12 after manually enabling TLS 1.2.
#2 Albert on 2013-01-21 17:06
Safari on iPad can display your testing page.
#3 Oliver on 2013-01-27 00:14
Works in Konqueror (KDE 4.9 version). The SSL info window shows TLS 1.2 being used, but the Encryption field is blank.
#4 anon on 2013-02-10 23:00
