[ocaml-infra] TLS (https) for ocaml.org

Hannes Mehnert hannes at mehnert.org
Wed Aug 20 16:13:45 BST 2014


First some disclaimers:
- I'm not a lighttpd expert
- I don't know what is to protect on ocaml.org (what the security
model is)

On 08/20/2014 15:47, David Sheets wrote:
> ssl.cipher-list =
> "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
>
> - Prefix handling     Not valid for "www.ocaml.org"   CONFUSING
> This causes a Big Scary Warning when accessing via www.ocaml.org

you might want to enable https only for ocaml.org, docs.ocaml.org,
forge.ocaml.org, lists.ocaml.org, and opam.ocaml.org (those hostnames
mentioned in the certificate)?

> - Chain issues     Incomplete This requires another download of the
> Gandi Standard SSL CA cert. Maybe we should bundle this cert for
> all our TLS sites?

Yes, that should be done. While my Firefox does not complain about the
certificate chain (most likely it already has Gandi's certificate
installed), the server should distribute the chain up till the
self-signed CA certificate -- thus please include Gandi's cert.

> - RC4     Yes (with TLS 1.1 and newer)   WEAK I don't know the
> severity of this issue. Maybe a simple cipher-list modification?
> I'm not clear on the compatibility story.

Windows XP with (unpatched) IE6 still supports only 3DES and RC4;
other OSes should be fine without RC4
(http://blog.cloudflare.com/killing-rc4-the-long-goodbye might be of
interest); also
http://www.ietf.org/id/draft-ietf-tls-prohibiting-rc4-00.txt

> - Forward Secrecy     With some browsers This also looks like a
> configuration issue. Perhaps plain DHE would help?

I'd remove the !EDH from the ssl.cipher-list above (and add a !RSA
instead to prevent non-pfs connections). Also, why !AESGCM? I'd also
add !RC4, !eNULL, !LOW, !EXP (from
https://bettercrypto.org/static/applied-crypto-hardening.pdf)
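To make the cipher-list advice concrete, here is an added lighttpd fragment that is not the ocaml.org configuration and not part of the original mail: it shows the posted cipher string beside one that applies the changes above (drop !EDH, add !RSA, !RC4, !eNULL, !LOW, !EXP). File paths, the directive set (lighttpd 1.4.29 or newer is assumed for ssl.dh-file and ssl.honor-cipher-order) and the claim that ssl.ca-file is what makes lighttpd send the Gandi intermediate are assumptions to verify against your lighttpd version.

```conf
# Added example, not the ocaml.org config. Paths are placeholders.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/ocaml.org.pem"      # server key + cert

    # Chain fix: serve the Gandi intermediate so clients that do not
    # already have it can build the chain. (Assumption: lighttpd 1.4.x
    # sends certs listed in ssl.ca-file; alternatively append the
    # intermediate to ssl.pemfile.) Check with:
    #   openssl s_client -connect ocaml.org:443 -showcerts
    ssl.ca-file = "/etc/lighttpd/ssl/GandiStandardSSLCA.pem"

    # Weak (as posted): RC4 explicitly allowed, !EDH kills DHE, plain
    # AES256-SHA256 is RSA key exchange, i.e. no forward secrecy.
    # ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

    # Corrected per the advice above: ECDHE/DHE first, !RSA removes
    # static-RSA key exchange (in OpenSSL "RSA" = kRSA, so ECDHE-RSA
    # suites stay), !RC4/!eNULL/!LOW/!EXP/!MD5 drop the weak material.
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:HIGH:!aNULL:!eNULL:!MD5:!LOW:!EXP:!RC4:!RSA"
    ssl.honor-cipher-order = "enable"   # server picks, not the client

    # DHE now allowed, so provide strong parameters (assumed directive):
    #   openssl dhparam -out /etc/lighttpd/ssl/dhparam.pem 2048
    ssl.dh-file  = "/etc/lighttpd/ssl/dhparam.pem"
    ssl.ec-curve = "secp384r1"

    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
}
```

Before and after the change, `openssl ciphers -v '<string>'` on the server's OpenSSL shows exactly which suites each string expands to, which is the quickest way to confirm nothing with `Kx=RSA` or `Enc=RC4` survives.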


hannes