Educause Security Discussion mailing list archives
Re: Certificates
From: Mark Montague <markmont () UMICH EDU>
Date: Thu, 9 Sep 2010 18:01:24 -0400
On September 9, 2010 17:45, Michael Johnson <mjohnson () COMPLYGUARDNETWORKS COM> wrote:
Just a comment about the quality of certs… If you have anything to do with personally identifiable information going over the network via the SSL be sure you get at least 128b with less crypto turned OFF in order to be compliant with PCI and other requirements.
I recommend that instead of trying to get a certificate that is labeled to not allow connections with strength of less than 128 bits, you configure your web server to disallow this and to also disallow known-weak protocols and ciphers. Configuring this in the web server rather than the certificate not only gives you more control but is more certain, in my opinion, and may save you money, too, depending on which certificate vendor you are using. As an example, here are the options I use for Apache HTTP Server 2.2.x:

SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!NULL:!LOW:!EXP:!ADH

This restricts the web server to using either SSLv3 or TLS only, together with 128 bit or stronger encryption.
-- Mark Montague markmont () umich edu
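An added example, not part of Mark's post or of any Apache code: the practical check behind his advice is to expand a cipher string into the concrete suites the underlying OpenSSL library will actually offer and audit those, rather than trusting what the string looks like. Python's ssl module links against the same OpenSSL family that mod_ssl uses, so it can do that expansion offline. The function names, the constructed SAMPLE_SUITES list, the known-weak token list and the hardened cipher allow-list are this example's own assumptions; the live expansion of "ALL:!NULL:!LOW:!EXP:!ADH" depends on which suites your OpenSSL build ships, which is exactly why the audit has to be run against the real library.

```python
"""Audit an OpenSSL cipher string the way a web-server TLS review would.

Added example (not from the mailing-list post). It expands a cipher string
into the suites OpenSSL enables for it, then flags suites that are below a
key-strength floor, use anonymous key exchange, or are known-weak by name.
"""
import ssl

MIN_BITS = 128                        # the "128 bit or stronger" floor from the thread
KNOWN_WEAK = ("RC4", "DES", "MD5")    # this example's token list; "DES" also matches 3DES


def expand_cipher_string(cipher_string):
    """Return the suites OpenSSL enables for cipher_string, as the dicts that
    SSLContext.get_ciphers() produces (name, protocol, strength_bits, auth, ...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)    # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def is_anonymous(suite):
    """True for suites without server authentication (ADH, AECDH, aNULL).
    Checked by name as well, because "!ADH" excludes anonymous DH but leaves
    anonymous ECDH (AECDH-*) enabled; "!aNULL" is the keyword that covers both."""
    name = suite["name"]
    return name.startswith(("ADH-", "AECDH-")) or suite.get("auth") == "auth-null"


def find_problems(suites, min_bits=MIN_BITS):
    """Return (name, reason) for every suite that should not be offered.
    strength_bits is the effective strength (112 for 3DES, whose nominal
    alg_bits is 168), so it is the field to compare against the floor."""
    problems = []
    for s in suites:
        name = s["name"]
        if s["strength_bits"] < min_bits:
            problems.append((name, "only %d effective bits" % s["strength_bits"]))
        elif is_anonymous(s):
            problems.append((name, "anonymous key exchange, no server authentication"))
        elif any(tok in name for tok in KNOWN_WEAK):
            problems.append((name, "known-weak algorithm in suite"))
    return problems


def hardened_server_context():
    """Server-side equivalent of doing the restriction in the server, not the
    certificate: a TLS 1.2 floor plus an explicit allow-list of forward-secret
    AEAD suites. The cipher string is this example's choice, not the post's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


# Constructed sample in the shape get_ciphers() returns, so the audit logic can
# be exercised without depending on which suites a particular OpenSSL build has.
SAMPLE_SUITES = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "strength_bits": 128, "alg_bits": 128, "auth": "auth-rsa"},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3",
     "strength_bits": 112, "alg_bits": 168, "auth": "auth-rsa"},   # nominal 168, effective 112
    {"name": "AECDH-AES256-SHA", "protocol": "TLSv1",
     "strength_bits": 256, "alg_bits": 256, "auth": "auth-null"},  # survives "!ADH"
    {"name": "RC4-SHA", "protocol": "SSLv3",
     "strength_bits": 128, "alg_bits": 128, "auth": "auth-rsa"},   # 128 bits, still weak
]


def report(cipher_string):
    """Expand cipher_string against the local OpenSSL and print the audit."""
    suites = expand_cipher_string(cipher_string)
    problems = find_problems(suites)
    print("%s -> %d suites, %d flagged" % (cipher_string, len(suites), len(problems)))
    for name, why in problems:
        print("  %-32s %s" % (name, why))
    return problems


if __name__ == "__main__":
    print("constructed sample:", find_problems(SAMPLE_SUITES))
    report("ALL:!NULL:!LOW:!EXP:!ADH")       # the 2010 string, against your OpenSSL
    ctx = hardened_server_context()
    print("hardened context: %d suites, %d flagged"
          % (len(ctx.get_ciphers()), len(find_problems(ctx.get_ciphers()))))
```

The constructed sample makes the three failure modes visible at once: a suite whose nominal bit count looks fine but whose effective strength is below the floor, a suite that is strong but unauthenticated because "!ADH" does not imply "!aNULL", and a suite that meets the bit floor yet is known-weak. Running report() on the 2010 string against a current OpenSSL shows which of those, if any, that build would still offer; the hardened context shows the allow-list form that makes the audit come back empty.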