Modernize SSL Support #26

@joernott

As a sysadmin, I am trying to set up my environments as securely as possible. csync2 uses SSL, which is already a good start; however, the current implementation does not allow for a few features I would like to set to meet our security standards. I would like to:

  • have the documentation updated to use keys longer than 1024 bits (it works with 4096).
  • be able to configure the file names of the certificate and key in the configuration file
  • check key file and SSL key permissions on application start (e.g. mode 0600, owned by the user running it or mode 0640, owned by root and readable by a group of the user running the application if != root)
  • use passwords on the SSL key
  • restrict the protocol to TLSv1.2 or higher
  • restrict the allowed ciphers
  • use a certificate tied to the actual host name instead of sharing the self-signed certificate across hosts
  • validate the CA key chain (I can use a certificate signed by a CA instead of self signed certs, but as the CA certificate is not checked, this is quite irrelevant)
  • use perfect forward secrecy
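
The start-up permission check requested in the list above could look like this in C. This is an added example, not part of the original issue or of csync2's code; the function names `key_perms_ok`, `process_in_group` and `open_key_checked` are hypothetical, and it assumes the two modes named in the issue are upper bounds, so stricter modes such as 0400 also pass.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy from the issue as a pure function (hypothetical helper, not csync2 code).
 * Assumption: 0600 and 0640 are upper bounds, so stricter modes also pass. */
int key_perms_ok(mode_t mode, uid_t owner, uid_t run_uid, int in_group)
{
    mode_t perms = mode & 07777;          /* includes setuid/setgid/sticky bits */
    if (!S_ISREG(mode))
        return 0;
    if (owner == run_uid && (perms & ~(mode_t)0600) == 0)
        return 1;                         /* at most 0600, owned by the running user */
    if (owner == 0 && run_uid != 0 && in_group &&
        (perms & 0040) && (perms & ~(mode_t)0640) == 0)
        return 1;                         /* at most 0640, root-owned, read via group */
    return 0;
}

/* True if gid is the effective group or a supplementary group of this process. */
static int process_in_group(gid_t gid)
{
    int n = getgroups(0, NULL), found = (getegid() == gid);
    gid_t *list = n > 0 ? malloc((size_t)n * sizeof *list) : NULL;
    if (list && (n = getgroups(n, list)) > 0)
        for (int i = 0; i < n; i++)
            found |= (list[i] == gid);
    free(list);
    return found;
}

/* Open first, then fstat the descriptor, so the file that was checked is the
 * file that gets read. Symlinks are refused (O_NOFOLLOW).
 * Returns a readable fd, or -1 if the file is missing or the policy rejects it. */
int open_key_checked(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 ||
        !key_perms_ok(st.st_mode, st.st_uid, geteuid(), process_in_group(st.st_gid))) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The caller reads the key from the returned descriptor instead of reopening the path, which avoids a gap between the check and the read.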
