Best practice advice needed combining PFS, openssl/gnutls

Question asked by Kai Kretschmann on Jul 30, 2013

Since the web is full of myth-type hints about what to configure for openssl, I'm really in need of some fundamental, valid howtos.

I tried several combinations for a current Debian 7.1 installation using either openssl or gnutls, and there are always some glitches:


1) gnutls doesn't seem to work with curl clients. So this path seems unsuitable for now.


2) openssl: I do have to have PFS (perfect forward secrecy) for the web server. Every time I seem to get it running I also get a BEAST attack warning.


Is it not possible for a ready-to-go Debian installation to get both things: PFS support and protection from BEAST attacks?

Any serious help is welcome. I might even compile openssl myself if needed for some bleeding edge up2date versions.



Current version information:


root@cloud:~# cat /etc/debian_version



root@cloud:~# openssl version

OpenSSL 1.0.1e 11 Feb 2013


root@cloud:~# openssl ciphers -v

