Midas DAQ System
Thread:
- 22 May 2015, Konstantin Olchanski, Info, mhttpd HTTPS/SSL server updated
- 07 Jul 2015, Konstantin Olchanski, Info, mhttpd HTTPS/SSL server updated
- 15 Jul 2015, Konstantin Olchanski, Info, mhttpd HTTPS/SSL server updated
- 12 Aug 2015, Konstantin Olchanski, Info, mhttpd HTTPS/SSL server updated
- 27 Aug 2015, Konstantin Olchanski, Info, mhttpd HTTPS/SSL server updated
- 31 Aug 2015, Konstantin Olchanski, Info, mhttpd HTTPS/SSL server updated
- 21 Aug 2015, Thomas Lindner, Info, mhttpd HTTPS/SSL server updated
- 27 Aug 2015, Konstantin Olchanski, Info, mhttpd HTTPS/SSL server updated
- 09 Sep 2015, Thomas Lindner, Info, mhttpd HTTPS/SSL server updated
- 11 Sep 2015, Konstantin Olchanski, Info, mhttpd HTTPS/SSL server updated
Message ID: 1062
Entry time: 22 May 2015
Reply to this: 1066, 1100
Author: Konstantin Olchanski
Topic: Info
Subject: mhttpd HTTPS/SSL server updated
|
I updated the mhttpd HTTPS/SSL server (mongoose) and https://www.ssllabs.com/ssltest/index.html is now more or less happy with it. Google Chrome connects using "modern cryptography".

The HTTPS/SSL server is activated using "mhttpd --mg" (instead of -p) and it listens on port 8443.

The example SSL certificate provided in midas git is self-signed; for instructions on generating your own signed certificate, remove it and run "mhttpd --mg" - it will print the correct instructions.

List of corrected problems:

a) SSL certificate was generated with key length 1024 and SHA1 signature - should be 2048 and SHA256.
b) SSLv2, SSLv3 were not disabled per latest recommendations.
c) RC4 and other weak ciphers were not disabled per latest recommendations.
d) "modern cryptography" and "forward secrecy" were not available because they require special fondling of openssl.
e) On MacOS 10.9 *again* a whole bunch of openssl functions are listed as deprecated with no suggested replacement, there is a mismatch between system openssl and macports openssl, and "modern cryptography" ECDH ciphers are not available.

Also to remember, mhttpd uses the latest release of mongoose 4.2, which is no longer supported by the author. The latest version of mongoose is 5.x, which has a severely improved API but removed automatic multithreading.

I recommend that you use "mhttpd --mg" as an alternative to running "mhttpd -p" behind an apache proxy. Using "mhttpd -p" (no HTTPS/SSL) on an internet-connected machine is insecure and should not be done. (A private network such as 192.168.x.y addresses is okay for now, I guess.)

https://bitbucket.org/tmidas/midas/commits/d85ba733573f1fca9946804eeb71d6fdc23bea22

K.O.
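The post lists the certificate parameters that were wrong (1024-bit key, SHA-1 signature) and the protocol/cipher settings that had to change (SSLv2/SSLv3 off, RC4 off, ECDHE for forward secrecy). The script below is an added example, not code from the MIDAS repository or from the post's author: it generates a self-signed 2048-bit RSA / SHA-256 certificate with the openssl command line, checks those two parameters on any PEM file, and probes a running HTTPS server for the protocol and cipher it actually negotiates. The output file name, the subject CN and the single-file key+cert layout are assumptions; the mhttpd port 8443 is the one named in the post.

```shell
#!/bin/sh
# Added example (not MIDAS code). Requires the openssl CLI.
# Assumptions: key and certificate are written to one PEM file (certificate
# first), and the subject CN is a placeholder to be replaced with the real host.

# Generate a self-signed certificate: 2048-bit RSA key, SHA-256 signature,
# unencrypted key (-nodes) so the server can start unattended.
gen_cert() {
  out="$1"
  days="${2:-365}"
  tmpdir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
    -subj "/CN=mhttpd.example.org" \
    -keyout "$tmpdir/key.pem" -out "$tmpdir/cert.pem" >/dev/null 2>&1
  cat "$tmpdir/cert.pem" "$tmpdir/key.pem" > "$out"
  chmod 600 "$out"          # the file holds the private key
  rm -rf "$tmpdir"
}

# Print the RSA modulus length of the certificate's public key, e.g. 2048.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# Exit 0 only if the certificate meets the post's requirements:
# key length at least 2048 bits and a SHA-256 RSA signature (problem "a").
check_cert() {
  bits=$(cert_key_bits "$1")
  alg=$(cert_sig_alg "$1")
  [ "${bits:-0}" -ge 2048 ] && [ "$alg" = "sha256WithRSAEncryption" ]
}

# Probe a live server (default port 8443, as used by "mhttpd --mg") and
# report the negotiated protocol and cipher; a forward-secrecy ciphersuite
# shows up as ECDHE-... (TLS 1.2) or TLS_... (TLS 1.3, always ephemeral).
# Assumes openssl s_client's "Protocol :" / "Cipher :" session summary lines.
probe_server() {
  host="$1"
  port="${2:-8443}"
  echo | openssl s_client -connect "$host:$port" 2>/dev/null \
    | sed -n 's/^ *\(Protocol\|Cipher\) *: *\(.*\)$/\1=\2/p'
}

# Try to force a weak configuration; a hardened server refuses both.
# Note: a modern openssl build may itself lack SSLv3/RC4 support, in which
# case the command fails locally and the server is never tested by it.
probe_weak() {
  host="$1"
  port="${2:-8443}"
  if echo | openssl s_client -connect "$host:$port" -ssl3 >/dev/null 2>&1; then
    echo "FAIL: SSLv3 accepted"
  else
    echo "ok: SSLv3 not negotiated"
  fi
  if echo | openssl s_client -connect "$host:$port" -cipher RC4 >/dev/null 2>&1; then
    echo "FAIL: RC4 accepted"
  else
    echo "ok: RC4 not negotiated"
  fi
}

# Usage when run directly:
#   ./tlscheck.sh ssl_cert.pem          -> generates and validates the file
#   probe_server localhost 8443         -> after starting "mhttpd --mg"
if [ -n "$1" ]; then
  gen_cert "$1"
  if check_cert "$1"; then
    echo "$1: $(cert_key_bits "$1")-bit key, $(cert_sig_alg "$1")"
  else
    echo "$1: does not meet 2048-bit / SHA-256 requirement" >&2
    exit 1
  fi
fi
```

check_cert is also useful on an existing certificate: run it against the PEM that ships with an older checkout to see the 1024-bit / sha1WithRSAEncryption values the post describes as the defect. The probe functions only tell you what your local openssl can negotiate, so pair them with the SSL Labs scan the post mentions for an external view.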