tls ssllabs rating

Steps required to get 'A' rating at SSLLABS

Build tls from source with current ssl version

2016-09-12: Build package tls1.6.7 tls1.6.7 from source with current ssl version, unpack to /x/tls1.6.7

  • openssl-1.1.0 is now incompatible with tls, last working version is openssl-1.0.2g
  • libressl-2.4.2
  • unpack to /x/libressl-2.4.2
  • in /x/tcl1.6.7: ./configure --with-ssl-dir=/x/libressl-2.4.2 -with-tcl=/opt/tcl8.6.6/unix --with-tcl-include=/opt/tcl8.6.6/generic
  • make is ok, make test gives runtime-error SSLv2_method not found
  • workaround: set compiler directive #define NO_SSL2 or #define NO_PATENTS in tlsInt.h
  • using default file names from Let's Encrypt e.g. in file httpd.tcl of tclhttpd3.5.1 web server insert the lines
set dir /x/tls1.6.7
source [file join $dir pkgIndex.tcl]
package require tls
set ciphers [tls::ciphers tls1.2]
# avoid RC4 attack
set tmp [lsearch -all -inline -not $ciphers *RC4*]
# only Diffie-Hellman for forward secrecy
set ciphers [lsearch -all -inline $tmp *DHE*] 
tls::init -server 1 -request 0 -require 0 -tls1 0 -tls 1.1 0 -tls1.2 1 \
   -cafile /etc/letsencrypt/live/<taipudex.com>/fullchain.pem \
   -certfile .../cert.pem \
   -keyfile  .../key.pem \
   -ciphers $ciphers
Httpd_SecureServer $CONFIG(https_port) $CONFIG(https_host) $CONFIG(https_ipaddr)

Notice: some codelines in tls.c may be obsolete now, as options concerning ssl2, ssl3, compression named SSL_OP_NO_.. in file openssl/ssl.h are deprecated by definition.

Platform information parray tcl_platform

tcl_platform(byteOrder)     = littleEndian
tcl_platform(engine)        = Tcl
tcl_platform(machine)       = i686
tcl_platform(os)            = Linux
tcl_platform(osVersion)     = 3.16.0-4-686-pae
tcl_platform(pathSeparator) = :
tcl_platform(platform)      = unix
tcl_platform(pointerSize)   = 4
tcl_platform(threaded)      = 1
tcl_platform(user)          = fr
tcl_platform(wordSize)      = 4
Category CryptographyCategory TclHttpdCategory Security
Updated 2020-11-20 17:32:05