Opened at 2015-02-12T04:07:35Z
Last modified at 2020-01-20T20:54:52Z
#2385 new enhancement
node web server should use DHE/ECDHE suites automatically
| Reported by: | j3i | Owned by: | j3i |
|---|---|---|---|
| Priority: | major | Milestone: | undecided |
| Component: | code-frontend-web | Version: | 1.10.0 |
| Keywords: | security websec https forward-secrecy twisted | Cc: | |
| Launchpad Bug: | | | |
Description
Right now you have to manually generate Diffie-Hellman parameters and define them in the config if you want to use a node's web server via TLS and not be restricted to plain RSA authentication like this:
```
web.port = ssl:443:privateKey=key.pem:certKey=cert.pem:dhParameters=params.pem
```
The DH parameters should be provided automatically and cipher suites with PFS should work out of the box.
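As an added example (not part of this ticket, nor code from Tahoe-LAFS or Twisted), the script below does two things a node operator reviewing the setting above would want: it parses a Twisted-style `ssl:` endpoint string to see whether `dhParameters` was supplied, and it asks the local OpenSSL (through Python's standard `ssl` module, the same library pyOpenSSL and Twisted sit on) which key-exchange families a given cipher string would offer. The endpoint parser is a minimal re-implementation of Twisted's colon/backslash quoting rules, not Twisted's own; the `audit_endpoint` function and the `ECDHE+AESGCM:DHE+AESGCM` cipher string are assumptions chosen for illustration. The point it makes concrete is the one in the description: ECDHE needs no parameter file, while DHE suites are only usable when `dhParameters` is configured.

```python
import re
import ssl
from collections import Counter


def _split_unescaped(text, sep, maxsplit=-1):
    """Split `text` on `sep`, ignoring separators preceded by a backslash.
    Backslash sequences are kept intact so that _unescape() can decode them later."""
    parts, buf, i, splits = [], [], 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair as-is for now
            i += 2
            continue
        if ch == sep and splits != maxsplit:
            parts.append("".join(buf))
            buf = []
            splits += 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(text):
    # Twisted's endpoint quoting: a backslash escapes the following character.
    return re.sub(r"\\(.)", r"\1", text)


def parse_endpoint(description):
    """Parse 'ssl:443:privateKey=key.pem:certKey=cert.pem:dhParameters=params.pem'
    into (endpoint_type, positional_args, keyword_args)."""
    fields = _split_unescaped(description, ":")
    kind, args, kwargs = _unescape(fields[0]), [], {}
    for field in fields[1:]:
        key_value = _split_unescaped(field, "=", maxsplit=1)
        if len(key_value) == 2:
            kwargs[_unescape(key_value[0])] = _unescape(key_value[1])
        else:
            args.append(_unescape(field))
    return kind, args, kwargs


def key_exchange_counts(cipher_string):
    """Count the key-exchange families OpenSSL would enable for `cipher_string`.
    Uses the 'Kx=' token of the classic `openssl ciphers -v` description line."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    counts = Counter()
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            counts["TLS1.3"] += 1   # TLS 1.3 is always (EC)DHE and needs no dh params file
            continue
        kx = re.search(r"Kx=(\S+)", cipher["description"]).group(1)
        counts[{"ECDH": "ECDHE", "DH": "DHE", "RSA": "RSA"}.get(kx, kx)] += 1
    return dict(counts)


def audit_endpoint(description, cipher_string="ECDHE+AESGCM:DHE+AESGCM"):
    """Hypothetical helper: relate the endpoint configuration to the cipher list.
    DHE suites are only usable on the server side when dhParameters is configured;
    ECDHE (and TLS 1.3) need nothing beyond the certificate and key."""
    kind, _args, kwargs = parse_endpoint(description)
    counts = key_exchange_counts(cipher_string)
    dh_configured = "dhParameters" in kwargs
    return {
        "type": kind,
        "dh_params_configured": dh_configured,
        "kex_counts": counts,
        "ecdhe_offered": counts.get("ECDHE", 0) + counts.get("TLS1.3", 0) > 0,
        "dhe_usable": dh_configured and counts.get("DHE", 0) > 0,
        "rsa_only_kex": counts.get("RSA", 0) > 0,   # no forward secrecy for these suites
    }


if __name__ == "__main__":
    # Constructed sample: the ticket's endpoint string with and without dhParameters.
    for desc in ("ssl:443:privateKey=key.pem:certKey=cert.pem",
                 "ssl:443:privateKey=key.pem:certKey=cert.pem:dhParameters=params.pem"):
        print(desc)
        for key, value in audit_endpoint(desc).items():
            print("  %-22s %s" % (key, value))
```

Run it as-is to see the two configurations side by side; the `kex_counts` line reflects whatever the local OpenSSL build and its security level permit, which is exactly the information needed to "report back whether this works now" for a given Twisted/OpenSSL combination.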
Change History (5)
comment:1 Changed at 2015-04-12T21:53:49Z by daira
- Keywords security websec https added
- Priority changed from normal to major
comment:2 Changed at 2015-04-12T21:59:17Z by daira
- Keywords forward-secrecy twisted added
comment:3 Changed at 2015-04-12T22:00:46Z by daira
To see which version of Twisted is being used by Tahoe, run `tahoe --version-and-path`.
comment:4 Changed at 2015-04-12T22:02:07Z by daira
- Owner set to j3i
comment:5 Changed at 2020-01-20T20:54:52Z by exarkun
It is indeed supported by Twisted but you still have to generate and supply your own dh params if you want to use DHE/ECDHE.
I'm not quite sure what the workflow for having Tahoe-LAFS generate these automatically should be, though.
More recent Twisted supports ECDHE out-of-the-box, although I haven't checked whether there is anything preventing Tahoe from using it. Please check with Twisted 15.0.0 and report back whether this works now, without the :dhParameters=params.pem. (If you don't want to install Twisted 15 globally, you can edit the dependency in src/allmydata/_auto_deps.py to "Twisted >= 15.0.0" and rebuild.)