mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

Establishing a community working group for ssl-config-generator #232

Closed gene1wood closed 8 months ago

gene1wood commented 9 months ago

I'm @gene1wood . I work in the Security Assurance team at Mozilla. I first created the SSL Config Generator in 2014 and my colleague @april rewrote it from scratch in 2019. I've been the maintainer of it since 2020, but haven't had success at getting support for dedicating more time in my day job to it. As a result, response to issues and merging of PRs has been slow.

I've proposed to Mozilla management exploring if establishing a community working group to take over maintenance of the project would work and have gotten approval for doing so.

Here's what I'm envisioning

My question to the community

This all depends on there being any community members that have an interest in contributing to the SSL Config Generator project. I think that this is the case but could be wrong. I'd like to find out if this sounds like a good idea to those folks that have already contributed to the project :

Do any of you, previous contributors, have an interest in stepping into a role as a maintainer for this project? I'm hoping that a few people would have an interest in helping out.

This would involve

Motivations that I can imagine are

JGoutin commented 9 months ago

Hello,

I am interested in maintaining this project.

gstrauss commented 9 months ago

I am also interested in being one of the maintainers of this project. (The more qualified contributors, the merrier. :smile: )

janbrasna commented 9 months ago

I'd also like to kindly loop in @tomato42, @jvehent or @rgacogne who authored the foundations back in the day when this was part of @mozilla/server-side-tls as their TLS knowledge could be very beneficial for reviewing any upcoming changes, or the direction towards the future of the config generator and/or the recommendation JSONs it's based upon.

There are others who've engaged with the project in the past as @szepeviktor, @thestinger or @polarathene who might not have added any actual lines of code to the configs, but have shown great understanding of the real world interoperability (in tricky domains as mailservers — that honestly need some serious improvement here) which is also needed to keep the configs relevant in 2024 and on…

polarathene commented 9 months ago

TL;DR: Thanks for the ping ❤️ While I can't afford to take on new commitments, I have shared some insights below that might assist future maintainers 👍


or @polarathene who might not have added any actual lines of code to the configs

At a glance, my engagement within the projects was fairly low:

mozilla/server-side-tls does have two comments with plenty of reference links cited for cipher suite compatibility. Not sure if they're that useful in 2024+ though 🤷‍♂️


At the time I was doing quite a bit of research to extensively document cipher suite compatibility and an appropriate selection for securing mail servers with (since client/server support lags behind browsers). I never found time to complete the document and publish it, but was quite close to completion IIRC. I shared a portion of it following this Dovecot/Postfix config audit comment.

I still have that WIP document on disk but it'd be a little out of date since it's been untouched for over 3 years 😓


needed to keep the configs relevant in 2024 and on…

I don't have much insight into what the current state of TLS is like, but imagine many connections are TLS 1.3 these days or capable of using AEAD ciphers from TLS 1.2?

Apart from accommodating changes like those I mentioned above, it'd be interesting to know more context for the client connections that need broader cipher support. They tend to be devices or deployments that cannot be easily updated but still relied upon, yet often within the context that they could probably leverage a proxy to mediate a secure connection for their server/client rather than lowering security on the other end.

That is a different context than what was traditionally a concern with servers needing to support a wider demographic of clients. The latter, especially with web browsers, becomes less relevant as their CA trust store expires (as has been the case for smart TV products around a decade old), more so when the user cannot update that to verify certificate trust.


On the topic of TLS certificates and context:


you care about ensuring that good web security is accessible to everyone, including those not technically savvy enough to determine the most secure configuration for their server

I do, and have invested a significant amount of time towards being informed so others do not need to worry about such as much 👍

Do any of you, previous contributors, have an interest in stepping into a role as a maintainer for this project

Despite my interest in security I unfortunately need to avoid taking on any new commitments.

IAmATeaPot418 commented 9 months ago

I would love to help out maintaining this as well!

IceCodeNew commented 9 months ago

I am also interested in being one of the maintainers of this project.

gene1wood commented 8 months ago

@JGoutin @gstrauss @janbrasna @IAmATeaPot418 @IceCodeNew Thank you for speaking up!

Jérémy, Glenn, Jamie, I'll email you directly, see if we can coordinate a time to chat/video conference and meet each other, chat about a plan.

@IceCodeNew and @janbrasna, would you email me with your preferred email address and your full name so we can start the conversation? You can reach me at gene at mozilla.com

I'll close this issue for the time being, but may open it later if we want to look for additional folks who are interested.

I'll also make sure to comment here and to update the repo documentation with the maintainer plan once we have it.

gene1wood commented 7 months ago

@janbrasna I still need you to email me. Would you do so? gene at mozilla.com

janbrasna commented 7 months ago

@gene1wood Did so a week ago, trying again now. Maybe look around your filtered folders for my username. Also made my contact details visible to staff in dinopark, you can look me up by my username. Or just send an email to my username at gmail…

gstrauss commented 6 months ago

@gene1wood would you please briefly update on status? Thanks.

gstrauss commented 5 months ago

@gene1wood would you please briefly update on status? Thanks.

gstrauss commented 3 months ago

@gene1wood would you please briefly update on status? Thanks.

Is there anything we can do to help make some progress?

gstrauss commented 1 month ago

@gene1wood would you please briefly update on status? Thanks.

Is there anything we can do to help make some progress? It has been over 7 months (!) since this issue was opened.

gene1wood commented 1 month ago

I've sent out an email with a poll to pick which day/time works best for an initial video call.

IceCodeNew commented 1 week ago

I've sent out an email with a poll to pick which day/time works best for an initial video call.

Hi there, I hope this message finds you well. I wanted to mention that I didn't receive that email. Could you please reply to the email address I initially used to contact you? I really appreciate it ;-)

@gene1wood

janbrasna commented 1 week ago

We have our monthly meeting later today (Tue Nov 5, 7:00pm GMT) so if you ping me at my username at gmail I'll forward you the event details, @IceCodeNew. This is also an open invitation to others as @polarathene or @szepeviktor et al. if you're just interested in joining the video call to add an expert voice (no obligations or commitment, feel free to come say hi or just follow what we're up to if you fancy), today's topics will mostly revolve around whether in officially supporting OpenSSL 3.x that brought back FFDH for TLSv1.3 we should start restricting RFC7919 curves (=groups) again etc., specifically filtering out ffdhe* codepoints completely (or just listing the lower bits as a fallback if need be) — if you wanna chime in just drop me a note. Thanks!

gene1wood commented 1 week ago

@IceCodeNew Ya, sorry I meant to follow up but forgot, my fault.

I opted to set Jan, Glenn and Jamie as the members of the working group that would own the project.

As Jan says, input at the meeting today is most welcome though.