-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
w3id.org https configuration #1569
Comments
I think the apache setup was different before and addressed this, but went back to defaults when apache was reinstalled at one point. Hard to tell what is the most recent best practice. Would be nice if the defaults just did the best thing. I went with adding this via random Internet advice:
I'm unsure if disabling older TLS is wise on this site. It would be good to support older clients that can't upgrade. Newer clients will use newer protocols. Major sites like google still have older TLS enabled. We've had real world issues with apps that couldn't even handle let's encrypt certs, so I imagine older TLS support could be an issue too. I added a log to see what protocols are being used, and will check back on that later. Leave this open for now. Good spot for complaints if the cipher suite change broke something. |
Also, if anyone thinks the suites should be explicit vs that "ALL", suggest an alternative. Thanks. |
Not encouraging older TLS use, but accepting it if it is used, seems like a pragmatic approach. Apache logs are almost all TLSv1.2 in last ~20h or so. 286 TLSv1 requests, some from ssllabs testing, a bunch from attackers poking at wordpress urls that don't exist or similar. But the rest look like the could be real data. Maybe all bots, who knows. I'll leave that running for a while. This is the sort of thing I'm tempted to just revisit in a year. |
It hasn't been running for a full year yet, but it's time to revisit this. The certificate for w3id.org was soon to expire so we switched over to letsencrypt. I imagine this will be mostly transparent to everyone, but if anyone has a problem, let us know. Does anyone have thoughts on what the current apache configuration should be? certbot wants to use something like this: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire But the config was left as before to avoid service disruption: SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4 That does still cap the ssllabs score at B, but modern clients should do the right thing. To provide some insight into what's being used, here's the recent version stats:
And version+suite stats:
I imagine most of that is bots, but TLSv1 usage is not zero. While we could analyze what that 0.388% TLSv1 usage is for, perhaps we should just shut that off at this point and maybe those clients will adapt? Or at least shut it off until someone lets us know it's needed for a niche purpose. Other than disabling certain protocols, I'm not sure how those other suggested config lines would effect service users. Comments? |
I noticed that while accessing w3id through https with prepended "www" major browsers like Chrome output a security warning with the message NET::ERR_CERT_COMMON_NAME_INVALID. It seems to be that there is no SSL certificate in place for https://www.w3id.org/ecsel-dr but only https://w3id.org/ecsel-dr. Is this behavior intended and can you replicate it? |
@ifx-dr Thanks for noticing, should be fixed now. When switching to letsencrypt we forgot to add the www alias. The www URL requests always redirect to the non-www URL so it's best to not use them and avoid the extra redirect. |
I made a check of the https configuration of the w3id.org server using the Qualys SSL Labs server test -> https://www.ssllabs.com/ssltest/analyze.html?d=w3id.org
I'm seeing grade B, which I think is sub-optimal for a piece of web infrastructure that is as important as w3id.org is.
I believe this should be improved by:
adding !kRSA to the SSLCipherSuite configuration option (to get forward secrecy);
disabling the now almost obsolete TLS v.1.0 and 1.1 by restricting SSLProtocol to just "TLSv1.2".
Best regards
Jan Dvorak
leader, CERIF & CRIS Architecture Task Group, euroCRIS
https://github.com/perma-id/w3id.org/tree/master/cerif
The text was updated successfully, but these errors were encountered: