drogonframework / drogon

Drogon: A C++14/17/20 based HTTP web application framework running on Linux/macOS/Unix/Windows
MIT License

Help on setting up encrypted OpenSSL TLS/SSL connections #675

Open seiichi-yoshimune opened 3 years ago

seiichi-yoshimune commented 3 years ago

Is your feature request related to a problem? Please describe. Setting up some client-side mitigations by adjusting static_file_headers is easily done with:

"static_file_headers": [
  {"name": "X-Content-Type-Options", "value": "nosniff"},
  {"name": "X-Frame-Options", "value": "DENY"},
  {"name": "Content-Security-Policy", "value": "default-src https: *.example.com data: 'unsafe-eval' ws: ; style-src https: 'unsafe-inline'; script-src https: *.example.com api.trusted-third-party.com 'unsafe-inline'; media-src 'none'; font-src https: *.example.com fonts.googleapis.com fonts.gstatic.com ; img-src https: *.pixyrouge.com data:"},
  {"name": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload"}
]

The next logical steps will be Perfect Forward Secrecy, OCSP stapling, ... but here I couldn't find any hints in the docs. Looking at the source code I found trantor's TcpConnectionImpl.cc, but how would a user extend it? Or am I missing something?

Describe the solution you'd like: something like https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1d&guideline=5.6

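Added example, not code from Drogon, trantor or the issue author: a small C++ audit that takes a static_file_headers-style list (the one posted above, embedded here as constructed input), parses the Content-Security-Policy value with the default-src fallback that browsers apply, checks the HSTS max-age and preload requirements, and returns one finding per weakness. The check rules, the `Header` type and the helper names are this example's own assumptions, not a Drogon API.

```cpp
// Added example, not code from Drogon, trantor or the issue author: a
// pre-deployment audit of a static_file_headers list. The header set below is
// the one posted in the issue, embedded as constructed input; the checks are
// this example's own reading of common hardening guidance, not a Drogon API.
#include <cstdlib>
#include <sstream>
#include <string>
#include <utility>
#include <vector>
using Header = std::pair<std::string, std::string>;  // {name, value}

struct CspDirective {
    std::string name;                  // e.g. "script-src"
    std::vector<std::string> sources;  // e.g. {"https:", "'unsafe-inline'"}
};

// Split "a b; c d" into directives, tolerating empty and trailing segments.
std::vector<CspDirective> parseCsp(const std::string& csp) {
    std::vector<CspDirective> out;
    std::stringstream segs(csp);
    std::string seg;
    while (std::getline(segs, seg, ';')) {
        std::istringstream toks(seg);
        CspDirective d;
        if (!(toks >> d.name)) continue;  // blank segment, e.g. trailing ';'
        for (std::string src; toks >> src;) d.sources.push_back(src);
        out.push_back(d);
    }
    return out;
}

// Sources that govern scripts: script-src when present, else default-src
// (CSP falls back to default-src only for directives that are absent).
std::vector<std::string> effectiveScriptSources(const std::string& csp) {
    std::vector<std::string> fallback;
    for (const CspDirective& d : parseCsp(csp)) {
        if (d.name == "script-src") return d.sources;
        if (d.name == "default-src") fallback = d.sources;
    }
    return fallback;
}

// max-age of an HSTS value in seconds; -1 if missing or not numeric.
long hstsMaxAge(const std::string& hsts) {
    auto pos = hsts.find("max-age=");
    if (pos == std::string::npos) return -1;
    const char* digits = hsts.c_str() + pos + 8;
    char* end = nullptr;
    long age = std::strtol(digits, &end, 10);  // stops at ';' or whitespace
    return end == digits ? -1 : age;           // no digits after "max-age="
}

// One finding per weakness; an empty result means the set passed.
std::vector<std::string> auditHeaders(const std::vector<Header>& headers) {
    std::vector<std::string> findings;
    bool nosniff = false, frame = false, csp = false, hsts = false;
    for (const Header& h : headers) {
        const std::string &name = h.first, &value = h.second;
        if (name == "X-Content-Type-Options") {
            nosniff = (value == "nosniff");
        } else if (name == "X-Frame-Options") {
            frame = (value == "DENY" || value == "SAMEORIGIN");
        } else if (name == "Strict-Transport-Security") {
            hsts = true;
            if (hstsMaxAge(value) < 31536000L)  // one year, the usual floor
                findings.push_back("HSTS max-age is below one year");
            if (value.find("preload") != std::string::npos &&
                value.find("includeSubDomains") == std::string::npos)
                findings.push_back("HSTS preload requires includeSubDomains");
        } else if (name == "Content-Security-Policy") {
            csp = true;
            for (const std::string& s : effectiveScriptSources(value)) {
                if (s == "'unsafe-inline'" || s == "'unsafe-eval'")
                    findings.push_back("script-src allows " + s);
                else if (s == "*" || s == "https:" || s == "http:")
                    findings.push_back("script-src allows any " + s + " origin");
            }
        }
    }
    if (!nosniff) findings.push_back("missing X-Content-Type-Options: nosniff");
    if (!frame) findings.push_back("missing or weak X-Frame-Options");
    if (!csp) findings.push_back("missing Content-Security-Policy");
    if (!hsts) findings.push_back("missing Strict-Transport-Security");
    return findings;
}

// Constructed input: the static_file_headers set posted in the issue.
std::vector<Header> postedHeaders() {
    return {
        {"X-Content-Type-Options", "nosniff"},
        {"X-Frame-Options", "DENY"},
        {"Content-Security-Policy",
         "default-src https: *.example.com data: 'unsafe-eval' ws: ; "
         "style-src https: 'unsafe-inline'; script-src https: *.example.com "
         "api.trusted-third-party.com 'unsafe-inline'; media-src 'none'; font-src "
         "https: *.example.com fonts.googleapis.com fonts.gstatic.com ; "
         "img-src https: *.pixyrouge.com data:"},
        {"Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"}};
}
```

Run against the posted set, `auditHeaders(postedHeaders())` returns two findings: script-src allows any https: origin, and script-src allows 'unsafe-inline'. The 'unsafe-eval' in default-src is deliberately not reported, because an explicit script-src replaces default-src for scripts. Both reported items matter in practice: 'unsafe-inline' in script-src lets injected inline scripts run, which removes most of the XSS protection a CSP is meant to provide, and a bare `https:` scheme allows scripts from any TLS host. Restricting script-src to 'self' plus the named third-party hosts (and nonces or hashes for any inline script) makes the audit pass.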

rbugajewski commented 3 years ago

Thanks for your feature request. It would be indeed beneficial if we could provide better security integration.

This is (in a general manner) also related to #671, but we’ll have to discuss (I would prefer IRC) which approach to take:

  1. Implement security related features in the framework (crypto, hashing, OCSP, …).
  2. Add a dependency to OpenSSL or another security framework.