HTTPS is a well-known HTTP protocol, covered with a layer of SSL/TLS encryption goodness. This protocol is intended to provide confidentiality and integrity by encrypting communications between your server and your end users, rendering your data secure from prying eyes.
4D v16 R6 takes it a step further: 4D Web server now supports Perfect Forward Secrecy (PFS). This provides you with the highest security level for your communications – by default! Beyond the protection it provides, the support of PFS also increases the SSL audit test results of an out-of-the-box 4D server, which is great for our customers. Especially those working with sensitive information.
Increased DEFAULT security
4D Web server’s default security level has been increased to be compliant with certain networking security features (App Transport Security (ATS) on iOS, for instance), and to obtain better test results on web security audit tests (e.g: SSL Labs).
To achieve this, we have:
- enabled Perfect Forward Secrecy, and
- disabled the RC4 algorithm from the cipher list.
As a result, 4D Web server now earns an “A” ranking from SSL Labs’ Server Test – as is, no actions required!
Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) is a key exchange algorithm. It uses Diffie-Hellman (DH) algorithms to generate session keys in such a way that only the two parties involved in the communication can obtain them.
4D automatically enables PFS when TLS is activated on the server. For this, 4D generates a “dhparams.pem” file – if it doesn’t already exist – that contains the DH private key of your server. If you use 4D’s standard cipher list, PFS is ready to use. If you prefer to use a custom cipher list, verify that it contains entries with ECDH or DH algorithms.
To find out if PFS is enabled on your web server, execute the WEB Get server info command with the new perfectForwardSecrecy attribute. This checks if all conditions needed to use PFS are met:
- TLS is enabled
- Cipher list contains a least one ECDH or DH algorithm
- “dhparams.pem” file is present and valid
- All the SSL/TLS certificates are present
RC4 algorithm disabled
The RC4 algorithm has known security issues and is now deprecated in 4D Web Server. All RC4 ciphers have been removed from the default cipher list and the “!RC4” pattern has been added to the updated cipher list to explicitly prohibit it.