View Issue Details

ID: 0001262
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2015-01-25 20:52
Reporter: sysfu
Assigned To: wytze
Status: solved?
Resolution: fixed
Platform: Main CAcert Website
OS: N/A
OS Version: stable
Product Version: 2014 Q1
Target Version: 2014 Q2
Fixed in Version: 2014 Q4
Summary: 0001262: SslLabs B rating (if trust issues are ignored) for SSL/TLS setup
Description: This issue has been partially addressed by , but there is still more work to do. Here's a link to the report

Outside of the chain of trust, these issues remain

* No TLS 1.2 support
* No Strict Transport Security (HSTS) support
* server does not support Forward Secrecy with the reference browsers
* BEAST attack not mitigated server-side
Steps To Reproduce: Visit
Tags: No tags attached.
Reviewed by:
Test Instructions:


related to 0001241 (needs feedback, wytze): SSL/TLS configuration is bad on many levels
parent of 0001260 (needs work, BenBE): Make the source compatible with recent PHP versions
Not all the children of this issue are yet resolved or closed.



2014-04-06 07:15 BenBE (updater) note ~0004694

The issues with missing TLS 1.2 support are known, but require a system upgrade currently blocked by bug 1260. Furthermore PFS is missing for similar reasons.

HSTS can be done and if no objections are received I can forward this to critical as this mainly is one header to deploy (but still requires some testing regarding the session handling).

Regarding the BEAST attack: If you want to support old browsers you can either choose to mitigate using RC4 or be vulnerable to BEAST. Given that RC4 is broken while BEAST requires much more effort and an active attack (together with some other vulnerabilities server-side) it's better to be vulnerable to BEAST than touch RC4.

But what could be done is deploying Content Security Policies which only adds as little as a header, but limits an attacker quite nicely.
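The four findings in the description and the trade-offs in the note above (forward secrecy depends on what the browser actually negotiates, and "server-side BEAST mitigation" in the SSL Labs sense means preferring RC4 under SSL 3 / TLS 1.0), worked through as grading logic. This is an added example, not CAcert code or SSL Labs' own scoring: the two profiles are constructed stand-ins for what a scanner observes, and the 180-day HSTS threshold is an assumption.

```python
"""Added example (not CAcert code): evaluate a captured TLS/HTTP profile
against the findings listed in this report.

The profiles below are constructed stand-ins for what an SSL Labs-style scan
observes: enabled protocol versions, the suite the server prefers under each
protocol (what a browser actually negotiates), the full suite list, and the
HTTP response headers. Gathering that data is a scanner's job; this code only
reproduces the grading logic behind the reporter's four bullet points plus
the SSL 3 / 3DES points from the December 2014 note.
"""
from __future__ import annotations

# Constructed: roughly the state the reporter describes (B rating).
PROFILE_BEFORE = {
    "protocols": ["SSLv3", "TLSv1.0"],
    "preferred_suite": {"SSLv3": "AES256-SHA", "TLSv1.0": "AES256-SHA"},
    "all_suites": ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
    "headers": {"Content-Type": "text/html"},
}

# Constructed: roughly the state after the Wheezy upgrade and the
# 1 December 2014 changes (SSL 3 and 3DES off, HSTS on, RC4 still off).
PROFILE_AFTER = {
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "preferred_suite": {
        "TLSv1.0": "ECDHE-RSA-AES256-SHA",
        "TLSv1.1": "ECDHE-RSA-AES256-SHA",
        "TLSv1.2": "ECDHE-RSA-AES128-GCM-SHA256",
    },
    "all_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA",
                   "AES128-SHA"],
    "headers": {"Strict-Transport-Security": "max-age=31536000"},
}

# Assumed threshold: an HSTS max-age below about 180 days is treated as weak.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def is_forward_secret(suite: str) -> bool:
    """Ephemeral (EC)DH key exchange gives per-session keys; static RSA does not."""
    return suite.startswith(("ECDHE-", "DHE-"))


def is_cbc(suite: str) -> bool:
    """BEAST needs a CBC suite. In SSL 3 / TLS 1.0 the only non-CBC options are
    RC4 stream suites; AEAD (GCM) suites exist only from TLS 1.2 on."""
    return not any(tok in suite for tok in ("RC4", "GCM", "CHACHA20"))


def hsts_max_age(header_value: str) -> int | None:
    """Return the max-age directive of a Strict-Transport-Security value."""
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def beast_mitigated_server_side(profile: dict) -> bool:
    """'Mitigated server-side' in the SSL Labs sense: under every BEAST-affected
    protocol the server *prefers* a non-CBC suite. Pre-TLS 1.1 that means
    preferring RC4, which is the trade-off the thread refuses to make."""
    return all(
        not is_cbc(profile["preferred_suite"][proto])
        for proto in profile["protocols"]
        if proto in ("SSLv3", "TLSv1.0")
    )


def assess(profile: dict) -> list[str]:
    """Return the findings an SSL Labs-style report would list for `profile`."""
    findings: list[str] = []
    if "TLSv1.2" not in profile["protocols"]:
        findings.append("No TLS 1.2 support")
    if "SSLv3" in profile["protocols"]:
        findings.append("SSL 3 enabled")
    hsts = profile["headers"].get("Strict-Transport-Security")
    if hsts is None:
        findings.append("No Strict Transport Security (HSTS) support")
    elif (hsts_max_age(hsts) or 0) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age too short")
    # Forward secrecy "with the reference browsers" is judged on what gets
    # negotiated, i.e. the preferred suites, not on whether ECDHE is merely offered.
    if not all(is_forward_secret(s) for s in profile["preferred_suite"].values()):
        findings.append("Server does not support Forward Secrecy with the reference browsers")
    if not beast_mitigated_server_side(profile):
        findings.append("BEAST attack not mitigated server-side")
    if any("RC4" in s for s in profile["all_suites"]):
        findings.append("RC4 enabled")
    if any("DES-CBC3" in s for s in profile["all_suites"]):
        findings.append("3DES enabled")
    return findings


if __name__ == "__main__":
    for name, profile in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        print(f"{name}: {assess(profile) or ['no findings']}")
```

Run stand-alone it prints the findings for both constructed profiles; the "after" profile is left with exactly one finding, the BEAST one, which is the end state the thread arrives at. Swapping the preferred suites of the "before" profile to RC4-SHA makes `beast_mitigated_server_side` return true while adding "RC4 enabled", which is the trade-off the note describes.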


2014-04-14 18:23 MartinGummi (updater) note ~0004716

fix broken link


2014-10-18 10:55 wytze (developer) note ~0005058

After upgrading the CAcert chroot application environment to Debian Wheezy on October 17, 2014 (see, the SSL support has come more or less up-to-date. Rating is back up to A, aside from trust issues. Please check for details.


2014-12-01 15:44 wytze (developer) note ~0005141

On 1 December 2014, SSL3 and 3DES support has been disabled on the CAcert webserver, while at the same time HSTS has been enabled. For details please check:

Together with the previous enhancements, this addresses all issues mentioned by the reporter of this bug, with the exception of the lack of server-side mitigation for the BEAST attack.

Server-side mitigation for BEAST would require us to turn RC4 support on, which brings more serious vulnerability problems with it. With BEAST being a pure client-side vulnerability, and most browsers having now incorporated sufficient protections against it, we believe that server-side mitigation for BEAST is no longer an issue, an opinion which appears to be shared by SSLLabs, who is *not* penalizing our security rating for the lack of it. Please check for the SSLLabs report for on 1 December 2014.
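The server-side changes described in the two developer notes above (TLS 1.2 and forward-secret suites after the OS upgrade, SSL 3 and 3DES disabled, HSTS enabled, RC4 deliberately left off rather than turned on for BEAST), shown as the weak configuration beside the hardened one. This is an added configuration example, not CAcert's own configuration: it assumes Apache httpd with mod_ssl and mod_headers and an OpenSSL build that supports TLS 1.2 and ECDHE (the page does not say which web server CAcert runs), and the cipher list is an illustrative choice, not the one the site deployed.

```apache
# Weak configuration, constructed to produce the reporter's findings:
# SSL 3 still on, no server preference so a TLS 1.0 client lands on a
# plain-RSA CBC suite (no forward secrecy), RC4 and 3DES still in the
# list via HIGH:MEDIUM, and no HSTS header.
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>

# Hardened configuration matching the state described in the notes:
<VirtualHost *:443>
    SSLEngine on
    # TLS 1.0, 1.1 and 1.2 on (TLS 1.2 needs OpenSSL 1.0.1 or later);
    # SSL 2 and SSL 3 off.
    SSLProtocol all -SSLv2 -SSLv3
    # Let the server's order win, so browsers that can do ECDHE negotiate it.
    SSLHonorCipherOrder on
    # Ephemeral key exchange first; RC4, 3DES, export and null ciphers excluded.
    # RC4 stays off on purpose, so BEAST is left to client-side mitigation.
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5
    # HSTS: the "one header" from the first note, with a one-year max-age.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

After reloading, `openssl s_client -connect host:443 -ssl3` should fail the handshake while `-tls1_2` succeeds and shows an ECDHE suite, and `curl -sI https://host/` should show the Strict-Transport-Security header. Once that header is sent, browsers refuse plain HTTP to the host for the full max-age, so the session-handling tests the first note asks for belong before deployment, not after.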

Issue History

Date Modified Username Field Change
2014-03-28 19:34 sysfu New Issue
2014-04-01 21:37 NEOatNHNG Relationship added related to 0001241
2014-04-06 07:15 BenBE Note Added: 0004694
2014-04-06 07:15 BenBE Status new => needs work
2014-04-06 07:15 BenBE Target Version => 2014 Q2
2014-04-06 07:20 BenBE Relationship added parent of 0001260
2014-04-14 18:23 MartinGummi Note Added: 0004716
2014-04-14 18:23 MartinGummi Description Updated
2014-10-18 10:55 wytze Note Added: 0005058
2014-12-01 15:44 wytze Note Added: 0005141
2014-12-01 15:44 wytze Status needs work => solved?
2014-12-01 15:44 wytze Fixed in Version => 2014 Q4
2014-12-01 15:44 wytze Resolution open => fixed
2014-12-01 15:44 wytze Assigned To => wytze