Steps required to get an 'A' rating at SSL Labs
Build tls from source with a current SSL library
2016-09-12: Build package tls1.6.7 from source with a current SSL library and unpack it to /x/tls1.6.7
- openssl-1.1.0 is now incompatible with tls; the last working OpenSSL version is openssl-1.0.2g
- libressl-2.4.2 works
- unpack it to /x/libressl-2.4.2
- in /x/tls1.6.7: ./configure --with-ssl-dir=/x/libressl-2.4.2 --with-tcl=/opt/tcl8.6.6/unix --with-tcl-include=/opt/tcl8.6.6/generic
- make succeeds, but make test fails with the runtime error SSLv2_method not found (LibreSSL no longer provides SSLv2)
- workaround: add #define NO_SSL2 (or #define NO_PATENTS) to tlsInt.h, which compiles out the SSLv2 code, then rebuild
- using the default file names from Let's Encrypt (cert.pem and fullchain.pem under /etc/letsencrypt/live/<domain>/; note that Let's Encrypt names the private key privkey.pem), e.g. in the file httpd.tcl of the tclhttpd3.5.1 web server, insert the lines
set dir /x/tls1.6.7
source [file join $dir pkgIndex.tcl]
package require tls
set ciphers [tls::ciphers tls1.2]
# avoid the RC4 attack: drop every RC4 suite
set tmp [lsearch -all -inline -not $ciphers *RC4*]
# only (EC)DHE suites for forward secrecy; -inline is required here too,
# otherwise lsearch returns list indices instead of cipher names
set ciphers [lsearch -all -inline $tmp *DHE*]
# server mode, no client certificate requested, TLS 1.2 only
tls::init -server 1 -request 0 -require 0 -tls1 0 -tls1.1 0 -tls1.2 1 \
    -cafile /etc/letsencrypt/live/<taipudex.com>/fullchain.pem \
    -certfile .../cert.pem \
    -keyfile .../key.pem \
    -ciphers $ciphers
Httpd_SecureServer $CONFIG(https_port) $CONFIG(https_host) $CONFIG(https_ipaddr)
Notice: some code lines in tls.c may be obsolete now, as the SSL_OP_NO_... options for SSLv2, SSLv3 and compression defined in openssl/ssl.h are deprecated.
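The cipher filtering and the protocol restriction above can be packaged as reusable procs, together with a client-side probe that checks the result from the outside: a server configured this way must refuse a TLS 1.0 and a TLS 1.1 handshake and accept only TLS 1.2. The following is an added example, not code from the original page or from the tls or tclhttpd projects. It assumes the tls build lives in /x/tls1.6.7, that the certificate files are the Let's Encrypt defaults (cert.pem, fullchain.pem, privkey.pem), that the host name passed to the probe is your own server, and it uses the option name -cipher, which is how the tls manual documents the cipher-list option (the page spells it -ciphers):

```tcl
# Added example (not part of the original page). Paths, the domain name
# and the host used by the probe are assumptions; adjust them to your setup.
set dir /x/tls1.6.7
source [file join $dir pkgIndex.tcl]
package require tls

# Return the cipher list for $proto minus every RC4 suite, keeping only
# suites whose name contains DHE. The glob *DHE* also matches ECDHE-*, so
# both finite-field and elliptic-curve ephemeral Diffie-Hellman suites
# (forward secrecy) survive. Both lsearch passes need -inline; without it
# the second pass would return list indices instead of cipher names.
proc secure_ciphers {{proto tls1.2}} {
    set all   [tls::ciphers $proto]
    set noRC4 [lsearch -all -inline -not $all *RC4*]
    return [lsearch -all -inline $noRC4 *DHE*]
}

# Server-side defaults, mirroring the page's tls::init call: server mode,
# no client certificate requested, TLS 1.2 only. fullchain.pem is passed
# as -cafile so the intermediate certificate is available for the chain.
# Call this from httpd.tcl before Httpd_SecureServer.
proc init_server_tls {domain} {
    set live /etc/letsencrypt/live/$domain
    tls::init -server 1 -request 0 -require 0 \
        -tls1 0 -tls1.1 0 -tls1.2 1 \
        -cafile   [file join $live fullchain.pem] \
        -certfile [file join $live cert.pem] \
        -keyfile  [file join $live privkey.pem] \
        -cipher   [secure_ciphers tls1.2]
}

# Client-side probe: connect with exactly one protocol version enabled and
# report whether the server completed the handshake. Run this from a
# separate tclsh (not the one that called init_server_tls, whose -server 1
# default would leak into the client socket). Returns a string beginning
# with "accepted" or "refused".
proc probe_protocol {host port proto} {
    set popts {}
    foreach p {tls1 tls1.1 tls1.2} {
        lappend popts -$p [expr {$p eq $proto}]
    }
    # -require 0: this probe checks protocol negotiation, not the certificate.
    set chan [tls::socket {*}$popts -require 0 $host $port]
    fconfigure $chan -blocking 1
    if {[catch {tls::handshake $chan} err]} {
        set result "refused: $err"
    } else {
        # tls::status always carries cipher and sbits after a handshake
        set st [tls::status $chan]
        set result "accepted: [dict get $st cipher] ([dict get $st sbits] bits)"
    }
    close $chan
    return $result
}

# Usage (second tclsh, against your own server; www.example.org is a
# placeholder). Expected after the change: tls1 and tls1.1 refused,
# tls1.2 accepted with an (EC)DHE suite.
if {[info exists argv] && [llength $argv] == 2} {
    lassign $argv host port
    foreach p {tls1 tls1.1 tls1.2} {
        puts "$p: [probe_protocol $host $port $p]"
    }
}
```

The probe is deliberately minimal: it does not verify the certificate, so it is a check of the protocol and cipher policy only; the SSL Labs scan remains the authority for the chain and the remaining grading criteria.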
Platform information
parray tcl_platform
tcl_platform(byteOrder) = littleEndian
tcl_platform(engine) = Tcl
tcl_platform(machine) = i686
tcl_platform(os) = Linux
tcl_platform(osVersion) = 3.16.0-4-686-pae
tcl_platform(pathSeparator) = :
tcl_platform(platform) = unix
tcl_platform(pointerSize) = 4
tcl_platform(threaded) = 1
tcl_platform(user) = fr
tcl_platform(wordSize) = 4