Interesting.

What vulnerabilities does OpenBSD's httpd protect against, which a properly hardened net/http does not?

The problem with proxying through OpenBSD's server, nginx or any other server is that there is another moving part that you need to master, configure and monitor, and which may have its own vulnerabilities.

Filippo, who wrote the blog post, is now on the core Go team, working on Go crypto and on getting hardened behaviour by default. See https://blog.filippo.io/hi/ and https://go.googlesource.com/proposal/+/master/design/cryptography-principles.md
This would be welcome, as hardening net/http requires a couple of dozen lines of boilerplate code.

As you say, his blog post is four years old, and four years is a long time in crypto land; it would be great if we got some updated recommendations from Filippo. The default behaviour has been improved: SSLv3, for instance, will be removed when Go 1.14 comes out (in a few days' time). Perhaps we could coax Filippo into writing a Go blog post with his updated best practices?



On Friday, 21 February 2020 11:15:53 UTC, Kevin Chadwick wrote:
>
> On 2020-02-21 01:42, DrGo wrote: 
> > Are there more up-to-date recommendations for go 1.13? 
>
> Personally I run Go behind either App Engine or via FCGI behind OpenBSD httpd.
> I'm not sure any other HTTPS server has the same level of key protection as
> revamped in OpenBSD's httpd (separate to LibreSSL) since Heartbleed (despite
> not being as vulnerable as most).
>
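The "couple of dozen lines of boilerplate" mentioned above, written out as an added example (this is not code from the thread, from Filippo's post or from the Go project): a hardened tls.Config and http.Server, plus a probe that runs a handshake over net.Pipe against the hardened config to show which client versions are refused. The function names HardenedTLSConfig, HardenedServer and NegotiatedVersion, the timeout values, and the throwaway self-signed certificate for "example.invalid" are all choices made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// HardenedTLSConfig raises the floor above a zero-value tls.Config of the
// Go 1.13 era: TLS 1.2 minimum, modern curves, AEAD-only TLS 1.2 suites.
// TLS 1.3 suites are fixed by the stdlib and unaffected by CipherSuites.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// HardenedServer adds the timeouts and header cap a zero-value http.Server
// lacks; without them a slow client can hold connections open indefinitely
// (slowloris) and request headers are accepted up to 1 MiB. Values are
// illustrative; tune them to the application.
func HardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		TLSConfig:         HardenedTLSConfig(),
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       2 * time.Minute,
		MaxHeaderBytes:    64 << 10,
	}
}

// selfSignedCert builds a throwaway P-256 certificate for the in-memory
// handshake below (constructed test material, not a deployment key) and a
// root pool that trusts it, so the client verifies it the normal way.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		DNSNames:     []string{"example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// NegotiatedVersion runs a handshake over net.Pipe between the hardened
// server config and a client capped at maxClientVersion, returning the
// negotiated version or the handshake error when the server refuses.
func NegotiatedVersion(maxClientVersion uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	srvCfg := HardenedTLSConfig()
	srvCfg.Certificates = []tls.Certificate{cert}
	srvCfg.SessionTicketsDisabled = true // probe only: net.Pipe is unbuffered
	cliCfg := &tls.Config{
		MinVersion: tls.VersionTLS10, // deliberately weak client for the probe
		MaxVersion: maxClientVersion,
		RootCAs:    pool,
		ServerName: "example.invalid",
	}
	c, s := net.Pipe()
	defer s.Close()
	cli, srv := tls.Client(c, cliCfg), tls.Server(s, srvCfg)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		c.Close() // unblock the server goroutine before collecting its result
		<-srvErr
		return 0, err
	}
	defer c.Close()
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		got, err := NegotiatedVersion(v)
		fmt.Printf("client max %#x -> negotiated %#x, err=%v\n", v, got, err)
	}
	_ = HardenedServer(":8443", http.NotFoundHandler()) // then ListenAndServeTLS(cert, key)
}
```

Running main shows a TLS 1.0 or 1.1 client refused with a protocol_version alert while TLS 1.2 and 1.3 clients negotiate their own version; the SessionTicketsDisabled line exists only because net.Pipe has no buffering, and is not part of the hardening.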
