[Ach] recommended settings for CAcert web servers

[ianG]

-------- Original Message --------
Subject: 	recommended settings for CAcert web servers
Date: 	Sat, 13 Dec 2014 11:58:37 +0100
From: 	Wytze van der Raay <wytze at cacert.org>
Reply-To: 	cacert-sysadm at lists.cacert.org
Organization: 	CAcert
To: 	CAcert System Administrators <cacert-sysadm at lists.cacert.org>



It appears that we still have some CAcert infrastructure systems running
a webserver with non-current setings with respect to SSL/TLS security.
Even though these systems are not critical for CAcert's operation, their
non-current configuration leaves a bad impression with the community
(see for example https://bugs.cacert.org/view.php?id=1342).

Therefore I'd like to ask all CAcert infrastructure administrators to take
a look at their webservers and see whether the SSL/TLS configuration needs
improvements. Here is what we recommend based on our experience with the
CAcert critical servers:

   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
   SSLCertificateFile your-certificate-file
   SSLCertificateChainFile root.crt or class3.crt
   SSLCertificateKeyFile your-private-key-file
   Header always set Strict-Transport-Security "max-age=31536000"

If your server certificate is class 1, you should specify the root.crt
certificate file for SSLCertificateChainFile; when it is class3, you
should specify the class3.crt certificate file there.

You can easily have the quality of your server settings checked with:

    https://www.ssllabs.com/ssltest/

Aside from the unavoidable "trust issues" (the CAcert root certificate is
not included in the major browsers), an "A" rating should be achieved for
all our web services:

    Overall Rating: T
    If trust issues are ignored: A

Regards,
-- wytze




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20141213/ad763bc6/attachment.html>