LiberalArtist
commented
5 years ago It looks like the first step is to add support to openssl for setting the SSL_OP_CIPHER_SERVER_PREFERENCE option.
While investigating this further, most sources I'm finding about SSL/TLS configuration for servers, including the one I linked to above, ultimately point to Mozila's Server Side TLS recommendations. They maintain "Modern," "Intermediate," and "Old" recommended configurations, based on what clients your server needs to support, and update them as issues (and browsers) evolve. The recommended configurations are available as JSON, both versioned and current. I think it would be a great enhancement to integrate these configurations into Racket.
These changes need to start in the racket/racket repo, but I'll leave this open to track the issue from web-server's perspective.
jeapostrophe
rmculpepper
The SSL Labs "SSL Server Test" service (https://www.ssllabs.com/ssltest/) identifies some aspects of the Racket web server's default HTTPS configuration that should be improved. Most significantly, it says, "This server does not support Forward Secrecy with the reference browsers. Grade capped to B."
I am still looking into the situation in more detail, but I've noticed at least two differences from the configuration generated by Certbot for Apache, which SSL Labs approves of:
I'm happy to do some implementation work here, but I haven't worked with these low-level portions before. In particular, I haven't figured out how to designate preferred cypher suites with the Racket
opensslmodule.