m (Update to 5.3, point to ssl-config.mozilla.org) |
(Update certificate lifespans) |
||
Line 85: | Line 85: | ||
* TLS curves: '''X25519, prime256v1, secp384r1''' | * TLS curves: '''X25519, prime256v1, secp384r1''' | ||
* HSTS: '''max-age=63072000''' (two years) | * HSTS: '''max-age=63072000''' (two years) | ||
* | * Certificate lifespan: '''90 days''' | ||
* Cipher preference: '''client chooses''' | * Cipher preference: '''client chooses''' | ||
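Review bot: The new Modern bullet "Certificate lifespan: '''90 days'''" does not say whether 90 days is a maximum or a recommendation, while the Intermediate and Old bullets added in this same change qualify the value as "(recommended)". Suggest stating the intent explicitly here too, so the three profiles read consistently and readers do not have to infer it from the other two.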
Line 97: | Line 97: | ||
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated] | ** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated] | ||
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES | ** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES | ||
** We recommend ECDSA certificates using P-256, as P-384 provides | ** We recommend ECDSA certificates using P-256, as P-384 provides negligible improvements to security and Ed25519 is not yet widely supported | ||
== <span style="color:orange;">'''Intermediate'''</span> compatibility (recommended) == | == <span style="color:orange;">'''Intermediate'''</span> compatibility (recommended) == | ||
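Review bot: The completed certificate bullet makes two claims without a reference, "P-384 provides negligible improvements to security" and "Ed25519 is not yet widely supported", while the bullet two lines above links its terms. The Ed25519 statement in particular will go stale; suggest linking a source for each claim or dating the support statement so a later editor knows when to revisit it.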
Line 109: | Line 109: | ||
* DH parameter size: '''2048''' (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919]) | * DH parameter size: '''2048''' (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919]) | ||
* HSTS: '''max-age=63072000''' (two years) | * HSTS: '''max-age=63072000''' (two years) | ||
* | * Certificate lifespan: '''90 days''' (recommended) to '''366 days''' | ||
* Cipher preference: '''client chooses''' | * Cipher preference: '''client chooses''' | ||
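Review bot: In "'''90 days''' (recommended) to '''366 days'''" the lower value is labelled but the upper one is not, so it is unclear whether 366 days is a hard ceiling or just the end of an acceptable range. The changelog row for this change cites browser policy; if that is where 366 comes from, suggest labelling it, for example "'''366 days''' (maximum)".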
Line 148: | Line 148: | ||
* DH parameter size: '''1024''' (generated with <tt>openssl dhparam 1024</tt>) | * DH parameter size: '''1024''' (generated with <tt>openssl dhparam 1024</tt>) | ||
* HSTS: '''max-age=63072000''' (two years) | * HSTS: '''max-age=63072000''' (two years) | ||
* | * Certificate lifespan: '''90 days''' (recommended) to '''366 days''' | ||
* Cipher preference: '''server chooses''' | * Cipher preference: '''server chooses''' | ||
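Review bot: The Old profile receives exactly the same lifespan line as Intermediate, although the surrounding settings differ (1024-bit DH parameters, server-chosen cipher order). Suggest confirming that the 90 to 366 day range is intended for this profile as well and saying so, rather than leaving it to look like a copy of the Intermediate bullet.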
Line 202: | Line 202: | ||
! Editor | ! Editor | ||
! Changes | ! Changes | ||
|- | |||
| style="text-align: center;" | 5.5 | |||
| style="text-align: center;" | April King | |||
| Update certificate lifespan to reflect browser policy changes | |||
|- | |- | ||
| style="text-align: center;" | 5.3 | | style="text-align: center;" | 5.3 |
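Review bot: The new version-history row is numbered 5.5 and sits directly above the 5.3 row, so the table as shown has no 5.4 entry. Suggest either numbering this revision 5.4 or adding the missing 5.4 row, so readers comparing configurations by version can account for every change.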