#2385 new enhancement

node web server should use DHE/ECDHE suites automatically

Reported by: j3i Owned by: j3i
Priority: major Milestone: undecided
Component: code-frontend-web Version: 1.10.0
Keywords: security websec https forward-secrecy twisted Cc:
Launchpad Bug:

Description

Right now you have to manually generate Diffie-Hellman parameters and define them in the config if you want to use a node's web server via TLS and not be restricted to plain RSA authentication like this:

web.port = ssl:443:privateKey=key.pem:certKey=cert.pem:dhParameters=params.pem

The DH parameters should be provided automatically and cipher suites with PFS should work out of the box.
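The web.port value above is a Twisted server endpoint string (colon-separated fields, backslash escapes a literal colon or backslash). The following parser, an added example that is not part of this ticket or of the Tahoe-LAFS or Twisted code bases, splits such a string and flags a TLS endpoint that carries no dhParameters, so an operator can audit a configuration for the condition the ticket describes; the status labels it returns are my own.

```python
"""Parse a Twisted-style endpoint string such as Tahoe's web.port value and
report whether the TLS endpoint supplies Diffie-Hellman parameters."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Endpoint:
    kind: str                                       # e.g. "ssl", "tls", "tcp"
    args: List[str] = field(default_factory=list)   # positional fields (port)
    kwargs: Dict[str, str] = field(default_factory=dict)  # key=value fields


def parse_endpoint(description: str) -> Endpoint:
    """Tokenize on unescaped ':' and '=', honouring backslash escapes."""
    args: List[str] = []
    kwargs: Dict[str, str] = {}
    key, cur, escaped = None, [], False

    def flush() -> None:
        nonlocal key, cur
        text = "".join(cur)
        if key is None:
            args.append(text)
        else:
            kwargs[key] = text
        key, cur = None, []

    for ch in description:
        if escaped:                 # previous char was '\': take literally
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":":             # field separator
            flush()
        elif ch == "=" and key is None:   # first '=' in a field names the key
            key, cur = "".join(cur), []
        else:
            cur.append(ch)
    if escaped:
        raise ValueError("dangling backslash in endpoint description")
    flush()
    kind = args.pop(0) if args else ""
    return Endpoint(kind, args, kwargs)


def pfs_status(description: str) -> str:
    """'plaintext' for non-TLS endpoints, else whether dhParameters is set."""
    ep = parse_endpoint(description)
    if ep.kind not in ("ssl", "tls"):
        return "plaintext"
    return "dhe-configured" if "dhParameters" in ep.kwargs else "dhe-missing"
```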

Change History (5)

comment:1 Changed at 2015-04-12T21:53:49Z by daira

  • Keywords security websec https added
  • Priority changed from normal to major

comment:2 Changed at 2015-04-12T21:59:17Z by daira

  • Keywords forward-secrecy twisted added

More recent Twisted supports ECDHE out-of-the-box, although I haven't checked whether there is anything preventing Tahoe from using it. Please check with Twisted 15.0.0 and report back whether this works now. (If you don't want to install Twisted 15 globally, you can edit the dependency in src/allmydata/_auto_deps.py to "Twisted >= 15.0.0" and rebuild.)

comment:3 Changed at 2015-04-12T22:00:46Z by daira

To see which version of Twisted is being used by Tahoe, run tahoe --version-and-path.

comment:4 Changed at 2015-04-12T22:02:07Z by daira

  • Owner set to j3i

comment:5 Changed at 2020-01-20T20:54:52Z by exarkun

It is indeed supported by Twisted but you still have to generate and supply your own dh params if you want to use DHE/ECDHE.

I'm not quite sure what the workflow for having Tahoe-LAFS generate these automatically should be, though.