daurnimator / lua-http

HTTP Library for Lua. Supports HTTP(S) 1.0, 1.1 and 2.0; client and server.
https://daurnimator.github.io/lua-http/
MIT License

New default TLS options #216

Open bigben93 opened 10 months ago

bigben93 commented 10 months ago

I tested default settings of lua-http server with testssl command. The worst problems:

Testing protocols via sockets except NPN+ALPN

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 h2, http/1.1 (offered)

and

Testing vulnerabilities [...] Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat [...]

To fix these problems, the HTTPS server must be run with additional TLS flags: OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_RENEGOTIATION.

I think it would be a good idea to provide better security "out of the box".
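As an added example (not code from this issue or from lua-http itself), here is a lua-http server that starts from the library's default server context and applies the three options named above. The certificate and key paths are placeholders, and the presence of `OP_NO_RENEGOTIATION` in the installed luaossl/OpenSSL build (it requires OpenSSL 1.1.1 or later) is an assumption, so the code checks for it before use.

```lua
-- Added example: lua-http HTTPS server whose TLS context refuses TLS 1.0,
-- TLS 1.1 and client-initiated renegotiation. Cert/key paths are placeholders.
local http_server  = require "http.server"
local http_headers = require "http.headers"
local http_tls     = require "http.tls"
local openssl_ctx  = require "openssl.ssl.context"
local x509         = require "openssl.x509"
local pkey         = require "openssl.pkey"

local function read_file(path)
  local f = assert(io.open(path, "rb"))
  local data = f:read("*a")
  f:close()
  return data
end

-- Start from lua-http's own server defaults, then tighten them.
local ctx = http_tls.new_server_context()
ctx:setCertificate(x509.new(read_file("/path/to/server.crt")))  -- placeholder path
ctx:setPrivateKey(pkey.new(read_file("/path/to/server.key")))   -- placeholder path

-- Refuse the deprecated protocol versions that testssl flagged.
local opts = openssl_ctx.OP_NO_TLSv1 + openssl_ctx.OP_NO_TLSv1_1
-- OP_NO_RENEGOTIATION is only exposed when luaossl was built against
-- OpenSSL 1.1.1+ (assumption); on older builds it is nil, so guard for it.
if openssl_ctx.OP_NO_RENEGOTIATION then
  opts = opts + openssl_ctx.OP_NO_RENEGOTIATION
end
ctx:setOptions(opts)

local server = assert(http_server.listen {
  host = "127.0.0.1",
  port = 8443,
  tls = true,
  ctx = ctx,
  onstream = function(_, stream)
    local req = assert(stream:get_headers())
    local res = http_headers.new()
    res:append(":status", "200")
    res:append("content-type", "text/plain")
    local head_only = req:get(":method") == "HEAD"
    stream:write_headers(res, head_only)
    if not head_only then
      stream:write_chunk("hello over hardened TLS\n", true)
    end
  end,
  onerror = function(_, _, op, err)
    io.stderr:write(op, ": ", tostring(err), "\n")
  end,
})
assert(server:listen())
server:loop()
```

Re-running testssl against the listening port should then report TLS 1 and TLS 1.1 as not offered and the renegotiation check as not vulnerable.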

daurnimator commented 10 months ago

See https://github.com/daurnimator/lua-http/pull/217