SECURITY: The HTTP Unix daemon now uses a much more secure set of ciphers as default. #97
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…hers as default. The goal is to make setting up secure HTTPS servers easy for users. With the new default, you obtain grade A at ssllabs.com for your servers, whereas you previously obtained only F. Future SWI-Prolog versions will likewise enable default ciphers that are deemed secure at the time of the respective release, and at the same time ensure compatibility with all but the most exotic or outdated devices. Note that obsolete ciphers *must* be disabled to reliably prevent protocol downgrade attacks.
|
Thanks. I've moved things around a little such that it is also used by more low-level APIs and the cipher predicate is public so it can be inspected and documented. Rebuilding the US server ... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The goal is to make setting up secure HTTPS servers easy for
users. With the new default, you obtain grade A at ssllabs.com for
your servers, whereas you previously obtained only F.
Future SWI-Prolog versions will likewise enable default ciphers that
are deemed secure at the time of the respective release, and at the
same time ensure compatibility with all but the most exotic or
outdated devices.
Note that obsolete ciphers must be disabled to reliably prevent
protocol downgrade attacks.