Opened at 2015-02-12T04:07:35Z
Last modified at 2020-01-20T20:54:52Z
#2385 new enhancement
node web server should use DHE/ECDHE suites automatically
| Reported by: | j3i | Owned by: | j3i |
|---|---|---|---|
| Priority: | major | Milestone: | undecided |
| Component: | code-frontend-web | Version: | 1.10.0 |
| Keywords: | security websec https forward-secrecy twisted | Cc: | |
| Launchpad Bug: | | | |
Description
Right now you have to manually generate Diffie-Hellman parameters and define them in the config if you want to use a node's web server via TLS and not be restricted to plain RSA authentication like this:
```
web.port = ssl:443:privateKey=key.pem:certKey=cert.pem:dhParameters=params.pem
```
The DH parameters should be provided automatically and cipher suites with PFS should work out of the box.
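An added example, not Tahoe-LAFS or Twisted code: a small parser for the strports-style `web.port` line quoted above that reports whether the endpoint can offer forward-secret suites. The plaintext and no-`dhParameters` variants are constructed for illustration only.

```python
# Constructed samples: the ticket's own web.port line plus two hypothetical
# variants used only to exercise the checker.
SAMPLE_WITH_DH = "ssl:443:privateKey=key.pem:certKey=cert.pem:dhParameters=params.pem"
SAMPLE_WITHOUT_DH = "ssl:443:privateKey=key.pem:certKey=cert.pem"
SAMPLE_PLAINTEXT = "tcp:3456"


def parse_strports(description):
    """Split a strports description into (kind, positional, keywords).

    Fields are separated by ':'; a backslash escapes the next character so a
    literal ':' or '\\' can appear inside a value. 'key=value' fields become
    keywords, everything else is positional.
    """
    fields, current, i = [], [], 0
    while i < len(description):
        ch = description[i]
        if ch == "\\" and i + 1 < len(description):
            current.append(description[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    kind, positional, keywords = fields[0], [], {}
    for field in fields[1:]:
        if "=" in field:
            key, value = field.split("=", 1)
            keywords[key] = value
        else:
            positional.append(field)
    return kind, positional, keywords


def forward_secrecy_findings(description):
    """Return findings for one web.port line; an empty list means DHE can be offered."""
    kind, _positional, keywords = parse_strports(description)
    if kind not in ("ssl", "tls"):
        return ["endpoint is not TLS (%s): traffic is plaintext" % kind]
    findings = []
    for required in ("privateKey", "certKey"):
        if required not in keywords:
            findings.append("missing %s=" % required)
    if "dhParameters" not in keywords:
        # Without DH parameters no DHE suite can be negotiated; forward secrecy
        # then rests on whether the installed Twisted offers ECDHE by itself.
        findings.append("no dhParameters=: DHE suites unavailable")
    return findings
```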
Change History (5)
comment:1 Changed at 2015-04-12T21:53:49Z by daira
- Keywords security websec https added
- Priority changed from normal to major
comment:2 Changed at 2015-04-12T21:59:17Z by daira
- Keywords forward-secrecy twisted added
comment:3 Changed at 2015-04-12T22:00:46Z by daira
To see which version of Twisted is being used by Tahoe, run `tahoe --version-and-path`.
comment:4 Changed at 2015-04-12T22:02:07Z by daira
- Owner set to j3i
comment:5 Changed at 2020-01-20T20:54:52Z by exarkun
It is indeed supported by Twisted but you still have to generate and supply your own dh params if you want to use DHE/ECDHE.
I'm not quite sure what the workflow for having Tahoe-LAFS generate these automatically should be, though.
More recent Twisted supports ECDHE out-of-the-box, although I haven't checked whether there is anything preventing Tahoe from using it. Please check with Twisted 15.0.0 and report back whether this works now. (If you don't want to install Twisted 15 globally, you can edit the dependency in `src/allmydata/_auto_deps.py` to `"Twisted >= 15.0.0"` and rebuild.)