
The "Mozilla SSL Configuration Generator" has a checkbox for 'HSTS enabled?' and can generate SSL/TLS configs for Apache, Nginx, Lighttpd, HAProxy, AWS, ELB. https://mozilla.github.io/server-side-tls/ssl-config-generat...
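
Added example, not from the thread and not code from Mozilla's generator: a small Python validator for the Strict-Transport-Security header that the 'HSTS enabled?' checkbox turns on. It applies the RFC 6797 directive rules (max-age required, directive names case-insensitive, duplicate directives rejected, unknown directives ignored) and then checks the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload). The sample headers, the function names and the `PRELOAD_MIN_MAX_AGE` constant are this example's own constructions.

```python
"""Validate a Strict-Transport-Security (HSTS) response header value.

Constructed example: implements the RFC 6797 directive grammar and the
hstspreload.org submission requirements; not the thread's or Mozilla's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# hstspreload.org requires max-age >= 1 year (31536000 seconds)
PRELOAD_MIN_MAX_AGE = 31_536_000

# RFC 7230 "token" characters, used for directive names
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


@dataclass
class HstsPolicy:
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    errors: list[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        """A policy is usable only with a parsed max-age and no violations."""
        return not self.errors and self.max_age is not None


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the header value, recording RFC 6797 violations in .errors."""
    policy = HstsPolicy()
    seen: set[str] = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # empty directives (e.g. a trailing ';') are tolerated
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # names are case-insensitive
        value = value.strip().strip('"')     # value may be token or quoted-string
        if not _TOKEN.match(name):
            policy.errors.append(f"malformed directive name: {name!r}")
            continue
        if name in seen:
            # RFC 6797 s6.1: a directive MUST NOT appear more than once
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.errors.append(f"max-age must be a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as RFC 6797 s6.1 requires
    if "max-age" not in seen:
        policy.errors.append("max-age directive is required")
    return policy


def preload_problems(policy: HstsPolicy) -> list[str]:
    """Reasons the policy would be rejected for the browser preload list."""
    problems = list(policy.errors)
    if policy.max_age is None:
        return problems + ["no valid max-age"]
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} < {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload missing")
    return problems


# Constructed sample header values covering the common misconfigurations
SAMPLE_HEADERS = {
    "two-year-preload": "max-age=63072000; includeSubDomains; preload",
    "too-short":        "max-age=300",
    "duplicate":        "max-age=31536000; max-age=0",
    "no-max-age":       "includeSubDomains",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        policy = parse_hsts(header)
        print(f"{label:17} valid={policy.valid} problems={preload_problems(policy)}")
```

Running the module prints one line per sample; only the two-year header with both flags passes the preload check, the 300-second header is valid HSTS but too short to preload, and the duplicate and missing max-age cases are rejected outright.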

You can select 'nginx', then 'modern', and then 'apache' for a modern Apache configuration.

Are the 'modern' configs FIPS compliant?

What browsers/tools does requiring TLS 1.3 break?

Because TLS 1.3 is sitting in the Editor queue patiently alongside other RFCs, there isn't, or shouldn't be, any software compatible with TLS 1.3 today. Implementations of Draft 23 or other editions are deliberately incompatible with, and must be replaced by, the real TLS 1.3 after the Editor is done with it, even though (as it stands) they are otherwise functionally identical.

Firefox, Chrome, and CloudFlare all already support (DRAFT) TLS 1.3: https://www.ghacks.net/2017/06/15/how-to-enable-tls-1-3-supp...

Apache mod_nss and nginx support (DRAFT) TLS 1.3.

The changes to allowed ciphers in TLS 1.3 could be implemented by modifying webserver config (e.g. as produced by the aforementioned Mozilla config generator tool). IDK what versions of (unupgraded) browsers that would cut off.
