5

How to force a Mojolicious (hypnotoad) app to use TLS v1.2?

mojo version output:

CORE
  Perl        (v5.16.3, linux)
  Mojolicious (8.0, Supervillain)

OPTIONAL
  Cpanel::JSON::XS 4.04+  (n/a)
  EV 4.0+                 (4.22)
  IO::Socket::Socks 0.64+ (n/a)
  IO::Socket::SSL 2.009+  (2.060)
  Net::DNS::Native 0.15+  (n/a)
  Role::Tiny 2.000001+    (2.000005)

hypnotoad conf:

{
     hypnotoad => {
         listen => ['https://myserver.domain.com:xxxx?cert=/path/to/cert/file.cer&key=/path/to/key/file.key'],
     }
}

This is how I start hypnotoad:

hypnotoad -f script/apps

I have updated the IO::Socket::SSL module as suggested somewhere. It didn't work.

Much appreciate any guidance.

Grinnz
Sachin Dangol

1 Answer

9

Configure version with value TLSv1_2, e.g. in my_app.conf

{
    secrets => ['………'],
    hypnotoad => {
        listen  => ['https://localhost:8443?cert=server_cert.pem&key=server_key.pem&version=TLSv1_2'],
    }
}

Test with curl -k -v https://localhost:8443. Daemon will serve 1.3 by default, but use 1.2 when forced to do so.

daxim
  • I have enabled the TLSv1.2 but how do I **disable** TLSv1.0 and TLSv1.1? Looks like setting `MOJO_NO_TLS` ENV variable totally disables TLS. Also is there a way to disable the following: `ssl-3des-ciphers` and `ssl-static-key-ciphers`? I did look into [Mojo::Server::Hypnotoad](https://metacpan.org/pod/Mojo::Server::Hypnotoad) and [Mojo::Server::Daemon](https://metacpan.org/pod/Mojo::Server::Daemon) but didn't find an answer. – Sachin Dangol May 29 '19 at 06:32
  • 1
    This quickly turns into "how do I configure OpenSSL/IO::Socket::SSL". Read [`SSL_version` in `IO::Socket::SSL`](http://p3rl.org/IO::Socket::SSL#SSL_version) and [man ciphers](https://www.openssl.org/docs/man1.1.1/man1/ciphers.html). Configuring `TLSv1_2` already disables anything but 1.2. You can check with `openssl s_client -tls1_1 -connect localhost:8443`. – daxim May 29 '19 at 10:42
  • 1
    The configuration item is [`ciphers` in `Mojo::Server::Daemon`](http://p3rl.org/Mojo::Server::Daemon#ciphers), you didn't look carefully enough. Use https://mozilla.github.io/server-side-tls/ssl-config-generator/ to find a recommended cipher string, I checked the "modern" profile and it does not contain 3DES nor static key cipher suites. [Open a new question](https://stackoverflow.com/questions/ask) if you don't understand. – daxim May 29 '19 at 10:42
  • Thanks again @daxim for the help. I understood. Fixed the issues. – Sachin Dangol May 30 '19 at 04:22
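Putting the answer and the comment thread together, here is a complete hypnotoad configuration that both pins the protocol version (`version=TLSv1_2`, as in the answer) and restricts the cipher list (the `ciphers` listen parameter daxim points to). This is an added example, not code from the question, the answer, or the Mojolicious project; the certificate paths, the port, the secret and the exact cipher string are assumptions, and the cipher string is only shaped like a Mozilla "modern" profile, so substitute the generator's current output for your deployment.

```perl
# my_app.conf (added example, not from the page): hypnotoad listening on HTTPS
# with the TLS version pinned to 1.2 and an explicit cipher list.
#
# Query parameters on the listen URL are handed to IO::Socket::SSL by
# Mojo::Server::Daemon:
#   version -> SSL_version      "TLSv1_2" accepts only TLS 1.2 handshakes, so
#                               TLS 1.0 and TLS 1.1 clients are rejected
#                               (this is the "disable" the comments ask about;
#                               MOJO_NO_TLS would switch TLS off entirely)
#   ciphers -> SSL_cipher_list  an OpenSSL cipher string, see ciphers(1);
#                               the string below contains no 3DES and no
#                               static-key (non-ECDHE) suites
{
    # Assumption: placeholder, generate a long random value for production.
    secrets => ['CHANGE-ME-long-random-secret'],

    hypnotoad => {
        listen => [
            'https://*:8443'                                   # assumption: port
            . '?cert=/etc/myapp/tls/server_cert.pem'           # assumption: path
            . '&key=/etc/myapp/tls/server_key.pem'             # assumption: path
            . '&version=TLSv1_2'
            . '&ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'
            . ':ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'
            . ':ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
            . ':!aNULL:!MD5:!3DES',
        ],
        workers => 4,                                          # assumption
    },
}
```

Start it with `hypnotoad -f script/apps` as in the question and check the result from the client side with the commands already given on the page: `curl -k -v https://localhost:8443` should report a TLSv1.2 session, and `openssl s_client -tls1_1 -connect localhost:8443` should fail the handshake. Note that `TLSv1_2` really means "exactly 1.2", so a server configured this way will not offer TLS 1.3 either; if you want 1.2 and 1.3 while still excluding the older versions, IO::Socket::SSL's `SSL_version` documentation describes the exclusion form `SSLv23:!SSLv3:!TLSv1:!TLSv1_1` (that value comes from the IO::Socket::SSL docs, not from this page).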