StartSSL Certificate SOP
Contact Information
Owner: GNOME Sysadmin Team
Contact: #sysadmin
Persons: AndreaVeri
Purpose: Standardize SSL configuration
Description
The GNOME Infrastructure includes a number of web sites that must be served over SSL. This document defines the standard procedure and Apache configuration for SSL on those sites.
Action
Sites should be configured using the following standard Apache VirtualHost definition:
    <VirtualHost subdomain.domain.tld:443>
        DocumentRoot /srv/httpd/subdomain.domain.tld/html
        ErrorLog /var/log/httpd/subdomain.domain.tld-error.log
        TransferLog /var/log/httpd/subdomain.domain.tld-access.log
        Header set Strict-Transport-Security "max-age=604800"
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/pki/tls/certs/subdomain.domain.tld.crt
        SSLCertificateKeyFile /etc/pki/tls/private/subdomain.domain.tld.key
        SSLCertificateChainFile /etc/pki/tls/sub.class2.server.ca.pem
        SSLCACertificateFile /etc/pki/tls/ca.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    </VirtualHost>

Note: the ca.pem and sub.class2.server.ca.pem files are available
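The following checker is an added example, not part of this SOP or of the GNOME sysadmin tooling. It parses a VirtualHost block like the one above and reports where it departs from the SOP's own rules (SSLEngine on, SSLv2 disabled, an HSTS header, the four certificate-file directives, the key kept under /etc/pki/tls/private). It also emits two advisory warnings that go beyond the SOP text: SSLv3 left enabled by "SSLProtocol all -SSLv2" (RFC 7568 deprecates SSLv3) and RC4 present in the cipher list. The sample block is the SOP's configuration embedded inline so the script runs offline; the function and variable names are the example's own.

```python
import re

# Constructed sample: the SOP's VirtualHost block, embedded so the check runs offline.
SAMPLE_VHOST = """
<VirtualHost subdomain.domain.tld:443>
    DocumentRoot /srv/httpd/subdomain.domain.tld/html
    ErrorLog /var/log/httpd/subdomain.domain.tld-error.log
    TransferLog /var/log/httpd/subdomain.domain.tld-access.log
    Header set Strict-Transport-Security "max-age=604800"
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/subdomain.domain.tld.crt
    SSLCertificateKeyFile /etc/pki/tls/private/subdomain.domain.tld.key
    SSLCertificateChainFile /etc/pki/tls/sub.class2.server.ca.pem
    SSLCACertificateFile /etc/pki/tls/ca.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
"""

DIRECTIVE_RE = re.compile(r'^(\w+)\s+(.*?)$')

# Directives the SOP requires; key file must additionally live under this prefix.
REQUIRED_FILES = ('sslcertificatefile', 'sslcertificatekeyfile',
                  'sslcertificatechainfile', 'sslcacertificatefile')
KEY_DIR = '/etc/pki/tls/private/'


def parse_vhost(text):
    """Map lower-cased directive name -> list of values found inside <VirtualHost>.

    Apache directive names are case-insensitive; a directive such as Header may
    legitimately appear more than once, so every value is kept.
    """
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith('<virtualhost'):
            in_block = True
            continue
        if line.lower().startswith('</virtualhost>'):
            in_block = False
            continue
        if not in_block or not line or line.startswith('#'):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives.setdefault(m.group(1).lower(), []).append(m.group(2))
    return directives


def audit(directives):
    """Return {'errors': [...], 'warnings': [...], 'hsts_max_age': int|None}.

    errors   = departures from what this SOP mandates
    warnings = advisory findings beyond the SOP's own rules
    """
    errors, warnings = [], []

    def first(name):
        vals = directives.get(name)
        return vals[0] if vals else None

    if (first('sslengine') or '').lower() != 'on':
        errors.append('SSLEngine is not "on"')

    proto = [t.lower() for t in (first('sslprotocol') or '').split()]
    if '-sslv2' not in proto:
        errors.append('SSLProtocol does not disable SSLv2')
    if 'all' in proto and '-sslv3' not in proto:
        warnings.append('SSLv3 still enabled (deprecated by RFC 7568)')

    ciphers = [c.lower() for c in (first('sslciphersuite') or '').split(':')]
    if any('rc4' in c and not c.startswith('!') for c in ciphers) \
            and not any(c.startswith('!') and 'rc4' in c for c in ciphers):
        warnings.append('RC4 present in SSLCipherSuite')

    hsts_max_age = None
    for value in directives.get('header', []):
        if 'strict-transport-security' in value.lower():
            m = re.search(r'max-age=(\d+)', value, re.I)
            if m:
                hsts_max_age = int(m.group(1))
    if hsts_max_age is None:
        errors.append('Strict-Transport-Security header with max-age missing')

    for name in REQUIRED_FILES:
        if not first(name):
            errors.append('%s not set' % name)
    key = first('sslcertificatekeyfile') or ''
    if key and not key.startswith(KEY_DIR):
        errors.append('private key is not under %s' % KEY_DIR)

    return {'errors': errors, 'warnings': warnings, 'hsts_max_age': hsts_max_age}


def audit_text(text):
    """Convenience wrapper: parse a VirtualHost block and audit it."""
    return audit(parse_vhost(text))


if __name__ == '__main__':
    result = audit_text(SAMPLE_VHOST)
    for e in result['errors']:
        print('ERROR:', e)
    for w in result['warnings']:
        print('WARN: ', w)
    print('HSTS max-age:', result['hsts_max_age'])
```

Run against the SOP block above the script reports no errors, the HSTS max-age of 604800 seconds, and the two advisory warnings; pointing it at a real httpd.conf only needs the file contents passed to audit_text.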