Estou tentando configurar minha máquina Debian com mod_gnutls
implementation (para SNI), para obter os melhores resultados possíveis em TLSv1.0/1.1/1.2
(desconsiderando SSL2 e SSL3)
No entanto, parece-me que não é possível usar ECDHE-ECDSA
/ ECDHE-RSA
em mod_gnutls
, quando é possível com gnutls-cli
+ECDHE-RSA:+ECDHE-ECDSA
in GnuTLSPriorities
aciona o erro Syntax error parsing priorities string at ...
Minha linha de configuração atual:
GnuTLSPriorities NONE:+SHA512:+SHA384:+SHA256:+DHE-RSA:+DHE-PSK:
+DHE-DSS:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:
+VERS-TLS1.1:+VERS-TLS1.0:+COMP-NULL:+SHA1:+SIGN-ALL
Onde saída de nmap
> nmap --script ssl-enum-ciphers -p 443 www.mydomain.tld
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-27 00:55 CET
Nmap scan report for www.mydomain.tld (46.249.37.143)
Host is up (0.046s latency).
rDNS record for 46.249.37.143: lampicka.cz
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| compressors:
| NULL
E saída de gnutls-cli
, quando for dada configuração adicional +ECDHE-RSA:+ECDHE-ECDSA
> gnutls-cli -l --priority "NONE:+SHA512:+SHA384:+SHA256:+DHE-RSA:+DHE-PSK:+DHE-DSS:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+COMP-NULL:+SHA1:+SIGN-ALL:+ECDHE-RSA:+ECDHE-ECDSA"
Cipher suites for NONE:+SHA512:+SHA384:+SHA256:+DHE-RSA:+DHE-PSK:+DHE-DSS:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+COMP-NULL:+SHA1:+SIGN-ALL:+ECDHE-RSA:+ECDHE-ECDSA
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.0
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67 TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0
TLS_DHE_PSK_AES_256_CBC_SHA384 0x00, 0xb3 TLS1.0
TLS_DHE_PSK_AES_256_CBC_SHA1 0x00, 0x91 SSL3.0
TLS_DHE_PSK_AES_128_CBC_SHA256 0x00, 0xb2 TLS1.0
TLS_DHE_PSK_AES_128_CBC_SHA1 0x00, 0x90 SSL3.0
TLS_DHE_PSK_3DES_EDE_CBC_SHA1 0x00, 0x8f SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.0
TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA256 0x00, 0x40 TLS1.0
TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0
TLS_ECDHE_RSA_AES_256_CBC_SHA384 0xc0, 0x28 TLS1.0
TLS_ECDHE_RSA_AES_256_CBC_SHA1 0xc0, 0x14 SSL3.0
TLS_ECDHE_RSA_AES_128_CBC_SHA256 0xc0, 0x27 TLS1.0
TLS_ECDHE_RSA_AES_128_CBC_SHA1 0xc0, 0x13 SSL3.0
TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x12 SSL3.0
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.0
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a SSL3.0
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 0xc0, 0x23 TLS1.0
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09 SSL3.0
TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 0xc0, 0x08 SSL3.0
Certificate types: none
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Compression: COMP-NULL
Elliptic curves: none
PK-signatures: SIGN-RSA-SHA256, SIGN-DSA-SHA256, SIGN-ECDSA-SHA256, SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512, SIGN-RSA-SHA224, SIGN-DSA-SHA224, SIGN-ECDSA-SHA224, SIGN-RSA-SHA1, SIGN-DSA-SHA1, SIGN-ECDSA-SHA1
Minhas versões de software são:
- libapache2-mod-gnutls
- apache2
- gnutls-bin