cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Wytze van der Raay <wytze AT cacert.org>
- To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
- Subject: recommended settings for CAcert web servers
- Date: Sat, 13 Dec 2014 11:58:37 +0100
- Organization: CAcert
It appears that we still have some CAcert infrastructure systems running
a webserver with non-current setings with respect to SSL/TLS security.
Even though these systems are not critical for CAcert's operation, their
non-current configuration leaves a bad impression with the community
(see for example https://bugs.cacert.org/view.php?id=1342).
Therefore I'd like to ask all CAcert infrastructure administrators to take
a look at their webservers and see whether the SSL/TLS configuration needs
improvements. Here is what we recommend based on our experience with the
CAcert critical servers:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
SSLCertificateFile your-certificate-file
SSLCertificateChainFile root.crt or class3.crt
SSLCertificateKeyFile your-private-key-file
Header always set Strict-Transport-Security "max-age=31536000"
If your server certificate is class 1, you should specify the root.crt
certificate file for SSLCertificateChainFile; when it is class3, you
should specify the class3.crt certificate file there.
You can easily have the quality of your server settings checked with:
https://www.ssllabs.com/ssltest/
Aside from the unavoidable "trust issues" (the CAcert root certificate is
not included in the major browsers), an "A" rating should be achieved for
all our web services:
Overall Rating: T
If trust issues are ignored: A
Regards,
-- wytze
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
- recommended settings for CAcert web servers, Wytze van der Raay, 12/13/2014
Archive powered by MHonArc 2.6.18.