[ocaml-infra] TLS (https) for ocaml.org
David Sheets
dwws2 at cam.ac.uk
Wed Aug 20 14:47:11 BST 2014
Hello, world!
I just turned on SSLv3 and TLS 1.0, 1.1, 1.2 for ocaml.org using
lighttpd's SSL engine. The ocaml.org server configuration does not
appear to be version-controlled.
Here is what I did:
- loaded the private certificate onto ocaml.org
- symlinked private certificate into lighttpd's config
- symlinked lighttpd's default SSL configuration into "conf-enabled":
    $SERVER["socket"] == "0.0.0.0:443" {
      ssl.engine = "enable"
      ssl.pemfile = "/etc/lighttpd/server.pem"
      ssl.cipher-list =
        "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
      ssl.honor-cipher-order = "enable"
    }
- reloaded the lighttpd daemon's configuration with /etc/init.d script
- tested that both the vanilla and encrypted HTTP ports work
- ran the Qualys SSL Tests
<https://www.ssllabs.com/ssltest/analyze.html?d=ocaml.org>
Here's what the tests found:
- Prefix handling Not valid for "www.ocaml.org" CONFUSING
This causes a Big Scary Warning when accessing via www.ocaml.org
- Chain issues Incomplete
This requires another download of the Gandi Standard SSL CA cert.
Maybe we should bundle this cert for all our TLS sites?
- RC4 Yes (with TLS 1.1 and newer) WEAK
I don't know the severity of this issue. Maybe a simple cipher-list
modification? I'm not clear on the compatibility story.
- Forward Secrecy With some browsers
This also looks like a configuration issue. Perhaps plain DHE would
help?
I welcome any feedback here or on
<https://github.com/ocaml/ocaml.org/issues/399>. Please test the site,
recommend configuration changes, and look for mixed content issues on
all pages. The goal is to get the TLS-served version of the site ready
to be pointed at by the middle of next week.
Thanks,
David
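The SSL Labs findings quoted above (RC4 enabled, forward secrecy only "with some browsers", AEAD suites excluded) all follow directly from the `ssl.cipher-list` string in the config. The script below is an added example, not code from the original post or from the ocaml.org infrastructure: it parses an OpenSSL-style cipher-list string, reports those weaknesses, and renders a lighttpd `$SERVER["socket"]` block with a constructed hardened list. The hardened list, the `ssl.ca-file` line used to ship the intermediate (Gandi) chain certificate, and the file paths are assumptions for illustration, not values from the post.

```python
"""Static review of an OpenSSL-style cipher-list string and a lighttpd TLS block.

Added example (not part of the original post). Parsing follows the OpenSSL
cipher-list grammar: ':'-separated tokens, '!X' permanently removes X,
'+X'/'-X' reorder or soft-remove and are treated here as non-enabling.
"""

# The cipher list quoted in the post's lighttpd config.
OCAML_ORG_CIPHER_LIST = (
    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
)

# Constructed hardened alternative (assumption, not from the post):
# only ECDHE/DHE key exchange (forward secrecy), AEAD suites first, no RC4/3DES.
HARDENED_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "!aNULL:!eNULL:!MD5:!RC4:!3DES"
)

# Aliases that pull in static-RSA key-exchange suites (no forward secrecy).
BROAD_ALIASES = {"HIGH", "MEDIUM", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}


def parse_cipher_list(spec):
    """Return (enabled_tokens, killed_tokens) for an OpenSSL cipher-list string."""
    enabled, killed = [], set()
    for tok in spec.split(":"):
        tok = tok.strip()
        if not tok:
            continue
        if tok.startswith("!"):
            killed.add(tok[1:])
        elif tok[0] in "+-":
            continue  # reorder / soft-remove: never enables anything
        else:
            enabled.append(tok)
    return enabled, killed


def review_cipher_list(spec):
    """Return a list of human-readable findings; an empty list means no issue found."""
    enabled, killed = parse_cipher_list(spec)
    findings = []

    # RC4 stream cipher: biased keystream, flagged WEAK by SSL Labs.
    if any("RC4" in t for t in enabled) and "RC4" not in killed:
        findings.append("RC4 enabled (weak stream cipher)")

    # '!AESGCM' removes every AES-GCM suite, i.e. all AEAD suites in OpenSSL 1.0.x.
    if "AESGCM" in killed:
        findings.append("AES-GCM (AEAD) suites excluded")

    # Forward secrecy: ECDHE and DHE are the only key exchanges that give it.
    ecdhe = any(t.startswith("ECDHE") for t in enabled) and not (
        killed & {"ECDHE", "kECDHE", "kEECDH"})
    dhe = (any(t.startswith(("DHE", "EDH")) or t in BROAD_ALIASES for t in enabled)
           and not (killed & {"EDH", "DHE", "kEDH", "kDHE"}))
    if not ecdhe and not dhe:
        findings.append("no forward-secrecy suites enabled")
    elif not dhe:
        findings.append("forward secrecy only with ECDHE-capable clients (DHE removed)")

    # Explicit static-RSA suites or broad aliases: no forward secrecy for those clients.
    if any(t.startswith(("AES", "RC4", "DES", "CAMELLIA")) or t in BROAD_ALIASES
           for t in enabled):
        findings.append("static-RSA key-exchange suites enabled (no forward secrecy)")
    return findings


def lighttpd_ssl_block(pemfile, cipher_list, ca_file=None):
    """Render a lighttpd 1.4 $SERVER["socket"] block for port 443.

    ssl.engine / ssl.pemfile / ssl.cipher-list / ssl.honor-cipher-order are the
    directives from the post; ssl.ca-file is the standard lighttpd directive for
    the intermediate chain, included here to address the 'Chain issues: Incomplete'
    finding. Paths passed in are the caller's assumptions.
    """
    lines = [
        '$SERVER["socket"] == "0.0.0.0:443" {',
        '  ssl.engine = "enable"',
        f'  ssl.pemfile = "{pemfile}"',
    ]
    if ca_file:
        lines.append(f'  ssl.ca-file = "{ca_file}"')
    lines += [
        f'  ssl.cipher-list = "{cipher_list}"',
        '  ssl.honor-cipher-order = "enable"',
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in review_cipher_list(OCAML_ORG_CIPHER_LIST):
        print("finding:", f)
    print(lighttpd_ssl_block("/etc/lighttpd/server.pem", HARDENED_CIPHER_LIST,
                             ca_file="/etc/lighttpd/gandi-intermediate.pem"))
```

Running it against the posted list reproduces the scanner's complaints (RC4, missing AEAD, forward secrecy only via ECDHE because `!EDH` strips DHE, and static-RSA suites via `AES256-SHA256` and `HIGH`), while the hardened list yields no findings. The checker is a static approximation: it does not expand aliases the way `openssl ciphers -v` does, so a live scan (SSL Labs or `openssl ciphers`) remains the authoritative check before changing the production config.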