[Ach] recommended settings for CAcert web servers

ianG iang at iang.org
Sat Dec 13 12:02:51 CET 2014

-------- Original Message --------
Subject: 	recommended settings for CAcert web servers
Date: 	Sat, 13 Dec 2014 11:58:37 +0100
From: 	Wytze van der Raay <wytze at cacert.org>
Reply-To: 	cacert-sysadm at lists.cacert.org
Organization: 	CAcert
To: 	CAcert System Administrators <cacert-sysadm at lists.cacert.org>

It appears that we still have some CAcert infrastructure systems running
a webserver with non-current setings with respect to SSL/TLS security.
Even though these systems are not critical for CAcert's operation, their
non-current configuration leaves a bad impression with the community
(see for example https://bugs.cacert.org/view.php?id=1342).

Therefore I'd like to ask all CAcert infrastructure administrators to take
a look at their webservers and see whether the SSL/TLS configuration needs
improvements. Here is what we recommend based on our experience with the
CAcert critical servers:

   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCertificateFile your-certificate-file
   SSLCertificateChainFile root.crt or class3.crt
   SSLCertificateKeyFile your-private-key-file
   Header always set Strict-Transport-Security "max-age=31536000"

If your server certificate is class 1, you should specify the root.crt
certificate file for SSLCertificateChainFile; when it is class3, you
should specify the class3.crt certificate file there.

You can easily have the quality of your server settings checked with:


Aside from the unavoidable "trust issues" (the CAcert root certificate is
not included in the major browsers), an "A" rating should be achieved for
all our web services:

    Overall Rating: T
    If trust issues are ignored: A

-- wytze

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20141213/ad763bc6/attachment.html>

More information about the Ach mailing list