Monthly Archives: January 2016

HTTPS configuration made easy

I know a lot of people struggle with configuring SSL on their web server. A quick trip to Qualys SSL Labs to see the “Recent Worst” validates that. However, there’s a tool that can easily bring your web server up to the best current operating practice.

Check out the Mozilla SSL Configuration Generator. However, before you hastily cut and paste the generated code, take a few minutes to understand the implications of choosing “Modern”, “Intermediate” or “Old”. Modern, which is what this website uses, supports the fewest browsers but gives the best security. Old supports the most browsers and has the laxest security; using Old is a terribly bad idea and should really never be done. For many, Intermediate is a nice balance of browser support and security.

The recommendations from the configuration generator change often, and you should check back regularly to make sure you are still running the best current configuration.

There are also many hints, tips and tricks available at Qualys.

Until recently, there has been little motivation to encrypt websites that do not necessarily need it. However, that has changed. Let’s Encrypt has just disrupted the industry by offering free SSL certificates to anyone. Let’s Encrypt is overseen by the Internet Security Research Group, a California public benefit corporation, whose benevolent agenda includes securing the Internet at large. Bravo! We will post about using Let’s Encrypt in the near future.

If you now have a certificate from Let’s Encrypt and a very secure configuration, it’s time to force your users onto HTTPS/443, while maintaining backwards compatibility so that users clicking on Google search results won’t receive a server timeout message when connecting to your now-legacy HTTP/80. Check out our earlier post on how best to do this.

Additionally, make sure your SSL certificate is signed with SHA-2, or all of the above security work could be for naught. All Let’s Encrypt certificates are SHA-2/SHA-256. Read this Ars Technica article and this blog post for more information on transitioning to SHA-2. All certificates issued after January 1st, 2016 are required to be SHA-2; it never hurts to double check this, however. Most certificate authorities are now also reissuing your old, but still valid, certificates as SHA-2 at no charge.

There’s a very quick check you can do to check whether your certificate is SHA-1 or SHA-2 available at Happy to report that this website received the ever-so-desirable “Nice” rating.
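
As an added example (not code from the original post), here is a stdlib-only Python check of the SHA-1 versus SHA-2 point above: it reads the outer signatureAlgorithm OID of a DER certificate and reports which hash family signed it. The fake_cert helper builds a constructed, non-real certificate so the check runs offline; for a live site, ssl.get_server_certificate((host, 443)) returns the PEM that check_pem expects.

```python
import ssl

SIG_OIDS = {  # signature-algorithm OID -> (name, hash family)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID contents to dotted form (first byte packs the first two arcs)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128; high bit set means more bytes
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_hash(der):
    """Return (oid, name, hash family) for the outer signatureAlgorithm of a DER cert."""
    tag, cert, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _tbs, pos = _tlv(cert, 0)           # skip tbsCertificate
    _, algid, _ = _tlv(cert, pos)          # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_bytes, _ = _tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER certificate structure")
    oid = _decode_oid(oid_bytes)
    return (oid,) + SIG_OIDS.get(oid, ("unknown", "unknown"))

def check_pem(pem):
    """Classify a PEM certificate, e.g. the output of ssl.get_server_certificate((host, 443))."""
    return signature_hash(ssl.PEM_cert_to_DER_cert(pem))

def fake_cert(oid_der):
    """Constructed offline test input, NOT a real certificate: empty tbs, given sigAlg, empty sig."""
    algid = b"\x30" + bytes([len(oid_der) + 2]) + oid_der + b"\x05\x00"
    body = b"\x30\x00" + algid + b"\x03\x01\x00"
    return ssl.DER_cert_to_PEM_cert(b"\x30" + bytes([len(body)]) + body)
```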

Installing Python package manager pip on FreeBSD

UPDATE: You can now install pip using pkg.

[cmp@server ~]# pkg install py27-pip
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        py27-pip: 9.0.1

Number of packages to be installed: 1

The process will require 13 MiB more space.
2 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching py27-pip-9.0.1.txz: 100%    2 MiB 858.8kB/s    00:03    
Checking integrity... done (0 conflicting)
[1/1] Installing py27-pip-9.0.1...
Extracting py27-pip-9.0.1: 100%
Original post
Somewhat strangely, pip is not installed when you install Python using FreeBSD’s pkg. However, there’s a very simple fix.

[cmp@server ~]# python -m ensurepip
Ignoring indexes:
Requirement already satisfied (use --upgrade to upgrade): setuptools in /usr/local/lib/python2.7/site-packages
Collecting pip
Installing collected packages: pip
Successfully installed pip-7.1.2

[cmp@server ~]# pip
pip     pip2    pip2.7