How to use TLS with PFS for a node's web server
Jakob
jei at mailbox.org
Wed Feb 11 23:43:36 UTC 2015
I think it is to be expected that the user has to provide
Diffie-Hellman parameters (she also has to provide a TLS certificate,
after all). However, I think the documentation should mention that it
is needed and how it should be provided. And by documentation I mean:
https://tahoe-lafs.org/trac/tahoe-lafs/browser/docs/configuration.rst
Because it is the document that describes how to provide certificates
and activate TLS.
Another thing I found out is that the sslmethod parameter that is
described on the page I already linked accepts some
additional values that aren't listed there:
https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.html#_parseSSL
The value I'm now using for sslmethod is TLSv1_2_METHOD, and now
the connection uses TLS version 1.2 instead of 1.0, and I also get an A
instead of a B on the Qualys SSL Labs test. To get this method working
on OS X I had to reinstall pyOpenSSL with an up-to-date version of
OpenSSL that I installed with Homebrew. The OpenSSL that is
distributed with OS X has only been getting security updates for a long time now,
and as such only supports TLS 1.0. I hope that's helpful to anyone who
also has to use OS X.
Kind regards,
Jakob
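The two configuration points raised in the message (an explicit sslmethod and Diffie-Hellman parameters for forward secrecy) can be checked mechanically. The following is an added example, not code from the message, from Tahoe-LAFS or from Twisted: it parses a Twisted server endpoint string the way Twisted's endpoint syntax works (a backslash escapes the next character, so paths containing ':' survive) and reports what is missing. It assumes the string is the ssl: endpoint used for web.port in tahoe.cfg, and that privateKey, certKey, sslmethod and dhParameters are the keyword names Twisted's ssl endpoint accepts.

```python
# Added example (not from the message or from Tahoe-LAFS/Twisted): checks a
# Twisted "ssl:" endpoint string, assumed to be the web.port value in tahoe.cfg.
OBSOLETE_METHODS = {"SSLv2_METHOD", "SSLv3_METHOD", "TLSv1_METHOD", "TLSv1_1_METHOD"}

def tokenize(description):
    """Split on unescaped ':'; each token is its unescaped '='-separated pieces."""
    tokens, pieces, piece, escaped = [], [], [], False
    for ch in description:
        if escaped:  # as in Twisted's syntax, backslash escapes the next character
            piece.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in "=:":
            pieces.append("".join(piece))
            piece = []
            if ch == ":":
                tokens.append(pieces)
                pieces = []
        else:
            piece.append(ch)
    pieces.append("".join(piece))
    tokens.append(pieces)
    return tokens

def parse_endpoint(description):
    """Return (endpoint type, positional args, keyword args)."""
    tokens = tokenize(description)
    kind, args, kwargs = tokens[0][0], [], {}
    for pieces in tokens[1:]:
        if len(pieces) == 1:
            args.append(pieces[0])
        else:
            kwargs[pieces[0]] = "=".join(pieces[1:])
    return kind, args, kwargs

def check_tls_endpoint(description):
    """Return a list of findings; an empty list means nothing to report."""
    kind, _args, kwargs = parse_endpoint(description)
    if kind.lower() != "ssl":
        return ["endpoint is %r, not ssl: the web server would serve plain HTTP" % kind]
    findings = ["missing %s=" % k for k in ("privateKey", "certKey") if k not in kwargs]
    method = kwargs.get("sslmethod")  # an OpenSSL.SSL attribute name, e.g. TLSv1_2_METHOD
    if method in (None, "SSLv23_METHOD"):  # version left to the linked OpenSSL
        findings.append("sslmethod not pinned: version depends on the installed OpenSSL")
    elif method in OBSOLETE_METHODS:
        findings.append("sslmethod=%s pins an obsolete protocol version" % method)
    if "dhParameters" not in kwargs:  # without it Twisted offers no DHE suites
        findings.append("no dhParameters=: DHE suites (forward secrecy) unavailable")
    return findings
```

Running check_tls_endpoint on the web.port line before restarting the node is a cheap way to catch a missing dhParameters= or a pinned TLS 1.0 before the SSL Labs test does.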