Thanks for your wonderful server, it has allowed me to bring excellent security to my web projects!!!
Unfortunately though, the most recent version of the Windows build uses weak elliptic curves that do not support PCI DSS compliance (P-192 (prime192v1) (192 bits) and secp192k1 (192 bits)). I know it is easy to remove these curves with a re-build using Cygwin... but I thought you might want to make your basic shipping version PCI DSS compliant by removing them from your on-line download Windows version of ver 10.8. I note your version of 10.8 running your site is PCI DSS compliant, so I'm not sure if the issue I raise above is only relevant to the Windows build. Once again, thank you for your wonderful work. Respect, Gordon
30 March 2018, 19:39
The Windows version is the same as the other versions (Linux, BSD, etc). All use the same crypto library. So I'm sure it's not specific to the Windows version. In mbedtls/include/mbedtls/config.h, the MBEDTLS_ECP_DP_*_ENABLED defines control which curves are supported. Which one do you want to be disabled?
31 March 2018, 03:39
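An added example (not code from Hiawatha or mbed TLS): a small checker that reads an mbedtls config.h, lists which MBEDTLS_ECP_DP_*_ENABLED curves are active, flags those below a minimum key size, and produces the edited config with those defines commented out, which is the change one would make before the rebuild mentioned above. The 224-bit threshold and the sample config.h fragment are assumptions; the thread itself only names the two 192-bit curves.

```python
import re

# mbed TLS 2.x names these options MBEDTLS_ECP_DP_<CURVE>_ENABLED; a line
# that starts with "#define" is active, a "//#define" line is disabled.
ENABLED_RE = re.compile(r"^\s*#\s*define\s+MBEDTLS_ECP_DP_([A-Z0-9]+)_ENABLED\b")

# Assumed threshold: the thread only reports the two 192-bit curves as
# failing the scanner, so anything under 224 bits is treated as weak here.
MIN_BITS = 224

def curve_bits(name):
    """Key size from the curve name (SECP192R1 -> 192); Curve25519 is 255."""
    if name == "CURVE25519":
        return 255
    m = re.search(r"(\d+)", name)
    return int(m.group(1)) if m else 0

def enabled_curves(config_text):
    """Curves whose define is active (not commented out) in config.h."""
    return [m.group(1) for line in config_text.splitlines()
            if (m := ENABLED_RE.match(line))]

def weak_curves(config_text, min_bits=MIN_BITS):
    """Active curves smaller than min_bits, in file order."""
    return [c for c in enabled_curves(config_text) if curve_bits(c) < min_bits]

def disable_curves(config_text, curves):
    """Return config.h text with the given curves' defines commented out."""
    out = []
    for line in config_text.splitlines():
        m = ENABLED_RE.match(line)
        out.append("//" + line if m and m.group(1) in curves else line)
    return "\n".join(out) + "\n"

# Constructed config.h fragment for demonstration, not a real shipped file.
SAMPLE_CONFIG = """\
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
"""

if __name__ == "__main__":
    weak = weak_curves(SAMPLE_CONFIG)
    print("weak curves enabled:", weak)          # ['SECP192R1', 'SECP192K1']
    print(disable_curves(SAMPLE_CONFIG, weak))  # both now start with //
```

Point the script at the real mbedtls/include/mbedtls/config.h (read the file into `disable_curves`) to reproduce the edit before rebuilding.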
I think if you disable (P-192 (prime192v1) (192 bits) and secp192k1 (192 bits)) it will scan as PCI DSS compliant on most free scanners (Htbridge). This is likely good for most of your users when only TLS 1.2 is set up. Regards, Gordon
31 March 2018, 15:28
I've made a 10.8.1 version [download.leisink.net] (not an official release!). Please test this one and let me know what you think of it.
3 April 2018, 08:27
Htbridge reports 10.8.1 as being PCI DSS compliant out of the box! (Note: I run only TLS 1.2 in my config... so I can't comment on 1.1 or 1.0).