How to use TLS with PFS for a node's web server

Jakob jei at mailbox.org
Wed Feb 11 22:09:21 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

a few days ago I set up my first Tahoe-LAFS node. One thing I wanted was to
run the web server over TLS, which is explained a bit here:
https://tahoe-lafs.org/trac/tahoe-lafs/browser/docs/configuration.rst#overall-node-configuration

It requires the user to supply a "strports string", and it also has an
example of how to provide a private key and a certificate to get TLS
working. This works well, but the cipher suite offered by the web server
will use plain RSA, and as such will not provide perfect forward
secrecy. It will also only offer TLS version 1.0.

I was able to solve the cipher suite problem after looking more into
an error traceback I got when trying out an invalid input for the
strports string. While the page currently linked by the Tahoe wiki only
tells you about the options privateKey and certKey for the Twisted ssl
endpoint, there are several others, as you can see here:
https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.html#_parseSSL

After generating Diffie-Hellman parameters with OpenSSL, I used the
dhParameters option to tell Twisted to use them, and now the web server
also works with DHE cipher suites that support PFS. The line in my
tahoe.cfg file now looks similar to this:
web.port = ssl:443:privateKey=key.pem:certKey=cert.pem:dhParameters=params.pem

Kind regards,
Jakob

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJU29MQAAoJEDbyEt0Eh6dJDlIP/2nvBRisE07VrIRkCCUOhbC5
bvIQK1FCE3QG3hnMQzmnVyqwlbxXqCJiMsSAC84dutifXvQY2P0xWBEip22ubmsV
x/5roOkRCikFuuftcKVogHuv6YZBel2LV8LQCdn9rf/BjXA5yfzMKHmrR/SAUt+V
uS3hOBfT/L96kqXatgCABDsOjDbwMSSyPO7I9w1mfN0tjEWJB9kuPwmPZ4gLmFOr
7uKfc22BXjTsEEbozVbdm2RMgc/+3wQTzLFWCaA9TLk/+0Dzo6Y3tP1evXYjudk9
wTIHaVyLOzhgW1L4onbhDwMLvNwsawWVDSXtfPfpm0j2FIo2icDBGT5V55RwG3DA
sTBC70PaIc5CXKLNF/vK97VZE86GAVQGHVsdkxBhD+Ji0T3NQf3riog6uPO75+Px
7HiL1ZtY+QWHEIF95Jw2se+LfhB48bF4tZtGoW/zcfd+h2g/Yq+QgBNzyFyxmpHU
NuBGaemRAV4JGopj0jI+zMb+FW/3jMGinosk//an01PZiJywcXXZAFcHOtT7OChj
p9wOlgQPpkm9dfyPlE/efbYbe7i9XxBLb6Z0TC0rLKSzTUQNuworTf6K8vqL/g+1
mohFYqlbkIDfraot9v7Pe/5WM0GHm6slpn9RzGM8pWlBjChrkzvSRa0WtUPIapsO
G9rc1YH1F+U8JIq9Gdp+
=v4oi
-----END PGP SIGNATURE-----
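The procedure above (generate DH parameters with OpenSSL, reference them in the strports string, confirm the server now negotiates a DHE suite), as an added example that is not part of Jakob's post or of Tahoe-LAFS itself. The file names key.pem, cert.pem and params.pem and the ssl:443 strports string come from the post; the helper names, the 2048-bit sizes, the self-signed certificate and the host name are assumptions. The check functions need openssl on the path and, for check_pfs, a running node to connect to.

```shell
#!/bin/sh
# Added example, not code from the original post or from Tahoe-LAFS.
# Helper names, key sizes and host names below are assumptions.

# Assemble the web.port value for tahoe.cfg from a port and three PEM files.
tahoe_web_port() {
  printf 'ssl:%s:privateKey=%s:certKey=%s:dhParameters=%s\n' "$1" "$2" "$3" "$4"
}

# Return 0 if a strports string is an ssl: endpoint carrying all three PEM
# options, 1 (with a message on stderr) otherwise. Without dhParameters the
# Twisted ssl endpoint has no DH group to offer, so the server falls back to
# plain-RSA key exchange and gives no forward secrecy.
strports_has_pfs() {
  s="$1"
  case "$s" in
    ssl:*) ;;
    *) echo "not an ssl: endpoint: $s" >&2; return 1 ;;
  esac
  for opt in privateKey certKey dhParameters; do
    case ":$s:" in
      *:"$opt"=*) ;;
      *) echo "missing $opt= in strports string" >&2; return 1 ;;
    esac
  done
  return 0
}

# Generate key.pem, cert.pem (self-signed, assumed acceptable for a private
# node) and params.pem in directory $1 for host name $2.
# 1024-bit DH groups are considered weak; 2048 bits takes a while to generate
# but is the size to use. The -check pass verifies the generated group.
gen_tls_material() {
  dir="$1"; host="${2:-localhost}"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/key.pem" -out "$dir/cert.pem" \
    -days 365 -subj "/CN=$host" 2>/dev/null
  openssl dhparam -out "$dir/params.pem" 2048 2>/dev/null
  openssl dhparam -in "$dir/params.pem" -check -noout
}

# Connect to a running node restricted to DHE suites over TLS 1.2 and print the
# negotiated protocol and cipher; the handshake fails if the server still
# offers only plain-RSA key exchange.
check_pfs() {
  host="$1"; port="${2:-443}"
  printf '' | openssl s_client -connect "$host:$port" -tls1_2 -cipher 'DHE' 2>/dev/null \
    | grep 'Cipher is'
}

# Usage: sh this.sh gen <dir> <host>     -> writes the three PEM files
#        sh this.sh check <host> <port>  -> probes a running node for a DHE suite
case "${1:-}" in
  gen)   gen_tls_material "${2:-.}" "${3:-localhost}" ;;
  check) check_pfs "${2:-localhost}" "${3:-443}" ;;
esac
```

After running `gen`, the tahoe.cfg line is exactly what `tahoe_web_port 443 key.pem cert.pem params.pem` prints (paths are relative to the node directory, an assumption to verify against your Tahoe version); `check` against the restarted node should report a DHE-RSA cipher rather than a handshake failure.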


More information about the tahoe-dev mailing list