SSL enabled

I have created new SSL private keys for my webserver and had them signed by StartSSL. I used StartSSL simply for the fact that it is free and is accepted by almost every browser. Once Let's Encrypt by the EFF goes live I will of course exchange the certificate with one from Let's Encrypt.

These are the openssl commands I used to create the key and the certificate request:

# cd /etc/ssl/
# openssl genrsa -out www.key 2048
# openssl req -new -sha256 -key www.key -out www.csr

The next step is to copy and paste the contents of www.csr into the certificate form at StartSSL. I had to wait a few minutes for processing my request before I could finally copy and paste the certificate into www.crt.

I merged the key and the certificate and also downloaded the "StartSSL Class 1 Intermediate Server CA" so my webserver can send a complete certificate chain:

# cat www.key www.crt > www.pem
# wget -O ca.pem

I tuned the config of my webserver (lighttpd) to redirect users to the ssl enabled site by default and to not use any insecure cipher. After a few iterations I have come to an A score on the SSL Labs test. The default configuration has SSLv3 and several weak ciphers enabled. I simply tried several settings for sss.cipher-list that I found on the web and these are my final settings:

$HTTP["host"] == "" {
  $HTTP["scheme"] == "http" {
    url.redirect = ("^.*" => "$0")
  server.document-root = "/var/www/"

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.cipher-list = "AES256+EECDH:AES256+EDH:!aNULL:!eNULL"
  ssl.use-sslv3 = "disable"
  ssl.pemfile = "/etc/ssl/www.pem" = "/etc/ssl/ca.pem"

As a last step I made sure that www.key is only readable by the root user and that www.pem is only readable by the webserver. On my system its user and group is lighttpd. (The certificates do not contain any private data and may be world readable.)

# cd /etc/ssl
# chown lighttpd:lighttpd www.pem
# chmod 600 www.key
# chmod 400 www.pem