[ocaml-infra] TLS (https) for ocaml.org

David Sheets dwws2 at cam.ac.uk
Wed Aug 20 14:47:11 BST 2014


Hello, world!

I just turned on SSLv3 and TLS 1.0, 1.1, 1.2 for ocaml.org using 
lighttpd's SSL engine. The ocaml.org server configuration does not 
appear to be version-controlled.

Here is what I did:

- loaded the private certificate onto ocaml.org
- symlinked private certificate into lighttpd's config
- symlinked lighttpd's default SSL configuration into "conf-enabled":

$SERVER["socket"] == "0.0.0.0:443" {
	ssl.engine  = "enable"
	ssl.pemfile = "/etc/lighttpd/server.pem"

	ssl.cipher-list = 
"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
	ssl.honor-cipher-order = "enable"
}

- reloaded the lighttpd daemon's configuration with /etc/init.d script
- tested that both the vanilla and encrypted HTTP ports work
- ran the Qualys SSL Tests 
<https://www.ssllabs.com/ssltest/analyze.html?d=ocaml.org>

Here's what the tests found:

- Prefix handling 	Not valid for "www.ocaml.org"   CONFUSING
   This causes a Big Scary Warning when accessing via www.ocaml.org
- Chain issues 	Incomplete
   This requires another download of the Gandi Standard SSL CA cert.
   Maybe we should bundle this cert for all our TLS sites?
- RC4 	Yes (with TLS 1.1 and newer)   WEAK
   I don't know the severity of this issue. Maybe a simple cipher-list
   modification? I'm not clear on the compatibility story.
- Forward Secrecy 	With some browsers
   This also looks like a configuration issue. Perhaps plain DHE would
   help?

I welcome any feedback here or on 
<https://github.com/ocaml/ocaml.org/issues/399>. Please test the site, 
recommend configuration changes, and look for mixed content issues on 
all pages. The goal is to get the TLS-served version of the site ready 
to be pointed at by the middle next week.

Thanks,

David


More information about the Infrastructure mailing list