SSL Certificate Recommended Configurations

Periodically, UMBC tests all public-facing campus web servers for known SSL security vulnerabilities. These servers have a configured firewall rule that allows HTTP(S) traffic on a well-known port (TCP/80, TCP/443). Additional emphasis has been placed on servers that process confidential data; in our environment, we have identified these as being Risk Level 2 or greater. Each server is scanned individually for audit compliance, and a new ticket is generated for each result. The person who requested the firewall opening is listed as the owner of the ticket, and is responsible for the continued security and safe operation of the server.

To assist those admins in making appropriate configuration choices, DoIT has provided a list of recommended configuration parameters that should ensure not just compliance, but high security. At minimum, here are the major points:

  • TLS 1.2 should be the minimum supported protocol version. TLS 1.0 and 1.1 were deprecated in March 2021, and are no longer supported by Google, Microsoft, Apple, or Mozilla.
  • TLS 1.3 should be supported. This version removes a number of obsolete and insecure algorithms present in earlier versions, and is supported on every modern browser (the IE browser is no longer supported by Microsoft).
  • Certificates should not have a lifespan longer than one year.
  • The HTTP Strict Transport Security (HSTS) max-age should be 63072000 (two years).
  • HTTP connections should redirect to HTTPS.
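
As an added example (not DoIT's own tooling and not part of the original page), the following Python script evaluates a web server's observed TLS posture against the five points above. The observation format, its key names and the two sample observations are constructed so the check runs offline; in practice they would be filled from a probe of the server.

```python
import re
from datetime import datetime

MAX_CERT_DAYS = 366        # "not longer than one year" (leap year tolerated)
MIN_HSTS_AGE = 63072000    # two years, the max-age recommended above
REQUIRED = {"TLSv1.2", "TLSv1.3"}
FORBIDDEN = {"SSLv3", "TLSv1", "TLSv1.1"}

def hsts_max_age(header):
    """Parse max-age out of a Strict-Transport-Security value; None if absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', header or "", re.IGNORECASE)
    return int(m.group(1)) if m else None

def check_server(obs):
    """Return a list of findings; an empty list means the checklist is met.
    obs keys (assumed names, filled by hand here rather than by a live probe):
    protocols (set of names the server would negotiate), not_before/not_after
    (ISO-8601 cert validity), hsts (raw header value or None) and
    http_redirect ((status, Location) returned to a plain-HTTP request)."""
    findings = []
    old = obs["protocols"] & FORBIDDEN
    if old:
        findings.append(f"obsolete protocol(s) enabled: {sorted(old)}")
    missing = REQUIRED - obs["protocols"]
    if missing:
        findings.append(f"required protocol(s) not offered: {sorted(missing)}")
    nb, na = (datetime.fromisoformat(obs[k]) for k in ("not_before", "not_after"))
    days = (na - nb).days
    if days > MAX_CERT_DAYS:
        findings.append(f"certificate lifespan of {days} days exceeds one year")
    age = hsts_max_age(obs.get("hsts"))
    if age is None:
        findings.append("HSTS header missing")
    elif age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {age} is below {MIN_HSTS_AGE}")
    status, location = obs.get("http_redirect", (None, None))
    if status not in (301, 302, 307, 308) or not str(location).startswith("https://"):
        findings.append("plain HTTP does not redirect to HTTPS")
    return findings

# Constructed sample observations; hostnames and dates are made up for the demo.
GOOD = {"protocols": {"TLSv1.2", "TLSv1.3"},
        "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00",
        "hsts": "max-age=63072000; includeSubDomains; preload",
        "http_redirect": (301, "https://www.example.edu/")}
BAD = {"protocols": {"TLSv1", "TLSv1.1", "TLSv1.2"},
       "not_before": "2023-01-01T00:00:00", "not_after": "2025-01-01T00:00:00",
       "hsts": "max-age=31536000", "http_redirect": (200, None)}

if __name__ == "__main__":
    print(check_server(GOOD) or "compliant", *check_server(BAD), sep="\n")
```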

Mozilla provides a convenient SSL Configuration Generator for creating config files for many popular web server applications. For maximum compatibility, choose the Intermediate option. Select the installed server software, its version number, and the installed OpenSSL version to generate a base config. Please note: additional options may be needed depending on the environment (virtual servers, authentication, etc.). If there are any questions or concerns, please contact DoIT.