Skip to Content.
Sympa Menu

cacert-sysadm - recommended settings for CAcert web servers

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

List archive

recommended settings for CAcert web servers


Chronological Thread 
  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
  • Subject: recommended settings for CAcert web servers
  • Date: Sat, 13 Dec 2014 11:58:37 +0100
  • Organization: CAcert

It appears that we still have some CAcert infrastructure systems running
a webserver with non-current setings with respect to SSL/TLS security.
Even though these systems are not critical for CAcert's operation, their
non-current configuration leaves a bad impression with the community
(see for example https://bugs.cacert.org/view.php?id=1342).

Therefore I'd like to ask all CAcert infrastructure administrators to take
a look at their webservers and see whether the SSL/TLS configuration needs
improvements. Here is what we recommend based on our experience with the
CAcert critical servers:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
SSLCertificateFile your-certificate-file
SSLCertificateChainFile root.crt or class3.crt
SSLCertificateKeyFile your-private-key-file
Header always set Strict-Transport-Security "max-age=31536000"

If your server certificate is class 1, you should specify the root.crt
certificate file for SSLCertificateChainFile; when it is class3, you
should specify the class3.crt certificate file there.

You can easily have the quality of your server settings checked with:

https://www.ssllabs.com/ssltest/

Aside from the unavoidable "trust issues" (the CAcert root certificate is
not included in the major browsers), an "A" rating should be achieved for
all our web services:

Overall Rating: T
If trust issues are ignored: A

Regards,
-- wytze


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



  • recommended settings for CAcert web servers, Wytze van der Raay, 12/13/2014

Archive powered by MHonArc 2.6.18.

Top of Page