Mojolicious(hypnotoad) - enforce TLS v1.2

About

Asked 28/5, 2019 at 10:52 Answered 28/5, 2019 at 12:6

Solved perl ssl tls1.2 mojolicious hypnotoad

How to enforce Mojolicious(hypnotoad) app to use TLS v1.2?

mojo version output:

CORE
  Perl        (v5.16.3, linux)
  Mojolicious (8.0, Supervillain)

OPTIONAL
  Cpanel::JSON::XS 4.04+  (n/a)
  EV 4.0+                 (4.22)
  IO::Socket::Socks 0.64+ (n/a)
  IO::Socket::SSL 2.009+  (2.060)
  Net::DNS::Native 0.15+  (n/a)
  Role::Tiny 2.000001+    (2.000005)

hypnotoad conf:

{
     hypnotoad => {
         listen => ['https://myserver.domain.com:xxxx?cert=/path/to/cert/file.cer&key=/path/to/key/file.key'],
     }
}

This is how I start hypnotoad:

hypnotoad -f script/apps

I have updated the IO::Socket::SSL module as suggested somewhere. It din't work.

Much appreciate any guidance.

Tricot answered 28/5, 2019 at 10:52 Comment(0)

Configure version with value TLSv1_2, e.g. in my_app.conf

{
    secrets => ['………'],
    hypnotoad => {
        listen  => ['https://localhost:8443?cert=server_cert.pem&key=server_key.pem&version=TLSv1_2'],
    }
}

Test with curl -k -v https://localhost:8443. Daemon will serve 1.3 by default, but use 1.2 when forced to do so.

Southeaster answered 28/5, 2019 at 12:6 Comment(4)

I have enabled the TLSv1.2 but how do I disable TLSv1.0 and TLSv1.1? Looks like setting MOJO_NO_TLS ENV variable totally disable TLS. Also is there a way to disable following: ssl-3des-ciphers and ssl-static-key-ciphers? I did look into Mojo::Server::Hypnotoad and [Mojo::Server::Daemonhttps://metacpan.org/pod/Mojo::Server::Daemon]() but din't find answer. – Tricot 29/5, 2019 at 6:32

This quickly turns into "how do I configure OpenSSL/IO::Socket::SSL". Read SSL_version in IO::Socket::SSL and man ciphers. Configuring TLSv1_2 already disables anything but 1.2. You can check with openssl s_client -tls1_1 -connect localhost:8443. – Southeaster 29/5, 2019 at 10:42

The configuration item is ciphers in Mojo::Server::Daemon, you didn't look carefully enough. Use mozilla.github.io/server-side-tls/ssl-config-generator to find a recommended cipher string, I checked the "modern" profile and it does not contain 3DES nor static key cipher suites. Open a new question if you don't understand. – Southeaster 29/5, 2019 at 10:42

Thanks again @Southeaster for the help. I understood. Fixed the issues. – Tricot 30/5, 2019 at 4:22

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags