Government Certification Authority (GCA)
Apache Server SSL certificate installation guide
(Web server SSL certificate setup for Apache; covers Apache 2.2.29 and Apache 2.4.39)
Contents
  Linux Apache SSL: generating the CSR
  Linux Apache SSL: installing the certificate (certificates issued on or after 2019/09/02, eCA/GTLSCA chain)
  Linux Apache SSL: installing the certificate (certificates issued before 2019/09/02, GRCA/GCA chain)
  Windows Apache SSL: generating the CSR
  Windows Apache SSL: installing the certificate (certificates issued on or after 2019/09/02, eCA/GTLSCA chain)
  Windows Apache SSL: installing the certificate (certificates issued before 2019/09/02, GRCA/GCA chain)
  SSL cipher suite settings
  Disabling SSLv3.0, TLS 1.0 and TLS 1.1
Linux Apache SSL: generating the CSR

(1) Generate a Certificate Signing Request (CSR) with OpenSSL. OpenSSL is usually installed under /usr/local/ssl/bin; if it is somewhere else, locate it with:
$ find / -name openssl -print

(2) Before generating any key, check whether the installed OpenSSL is affected by the Heartbleed bug:
$ openssl version
Affected: 1.0.1 ~ 1.0.1f and 1.0.2-beta ~ 1.0.2-beta1
Fixed:    1.0.1g / 1.0.2-beta2 and later
Upgrade OpenSSL first if the version is in the affected range.

(3) Generate a 3-DES-encrypted private key in PEM format (RSA, 2048 bits):
$ openssl genrsa -des3 -out server.key 2048
server.key is the SSL server's private key (RSA 2048 bits).

(4) When prompted, enter a pass phrase for server.key:
Enter PEM pass phrase:
Apache will ask for this pass phrase when it starts and loads the key for TLS.

(5) Keep server.key in a safe place. It is the private key; it stays on the server and is never sent to the CA.

(6) Generate the CSR from the private key:
$ openssl req -new -key server.key -out certreq.txt
certreq.txt is the CSR that will be submitted to GCA.

Fill in the fields as follows when applying for a GCA SSL certificate:
Country Name: TW
State or Province Name: leave blank (press enter)
Locality Name: e.g. Taipei
Organization Name: e.g. CHT
Organizational Unit Name: e.g. Information
Common name: the server's fully qualified domain name, e.g. www.abc.com.tw
Email address: e.g. [email protected]
A challenge password: leave blank (press enter)
An optional company name: leave blank (press enter)

(7) Check the contents of the CSR:
$ openssl req -noout -text -in certreq.txt
The Subject fields printed should match what was entered above.

Submit certreq.txt to GCA (http://gca.nat.gov.tw) to apply for the SSL certificate.
Linux Apache SSL: installing the certificate
(certificates issued on or after 2019/09/02, eCA/GTLSCA chain)

Certificates issued by GCA from 2019/09/02 onward chain up through GTLSCA to the eCA root. Install the chain certificate and the SSL server certificate on the Apache server as follows.

Chain certificate (eCA and GTLSCA):
(1) Download the GTLSCA chain certificate in PEM format:
https://gtlsca.nat.gov.tw/download/eCA1_GTLSCA.zip
(2) Unzip eCA1_GTLSCA.zip to obtain eCA1_GTLSCA.crt.

SSL server certificate:
(1) Download the issued SSL certificate (*.cer) and save it as server.cer.
(2) Convert the certificate from DER to PEM format:
$ openssl x509 -in server.cer -inform DER -out server.crt
If the downloaded file is already PEM text (it begins with -----BEGIN CERTIFICATE-----), it can be used directly; the conversion is only needed for a binary DER file.
(3) Apache < 2.4.8: edit httpd-ssl.conf under conf/extra/ and set:
SSLCertificateFile      the server certificate (*.crt)
SSLCertificateKeyFile   the server.key private key that was used to generate the CSR
SSLCertificateChainFile eCA1_GTLSCA.crt
(4) Apache >= 2.4.8: SSLCertificateChainFile is obsolete; the chain is appended to the server certificate file instead. Concatenate the two files, server certificate first:
cat server.crt eCA1_GTLSCA.crt > server-chain.crt
mv server-chain.crt server.crt
(the resulting crt holds the server certificate followed by the chain)
Then edit httpd-ssl.conf under conf/extra/ and set the two directives:
SSLCertificateFile      server.crt (server certificate plus chain)
SSLCertificateKeyFile   the server.key private key that was used to generate the CSR
(5) Restart Apache.
(6) Make sure the https port is open.
(7) Open the site over https in a browser and check the SSL certificate.
Linux Apache SSL: installing the certificate
(certificates issued before 2019/09/02, GRCA/GCA chain)

Certificates issued by GCA before 2019/09/02 chain up through GCA to the GRCA root. Install the GRCA/GCA chain certificate and the SSL server certificate on the Apache server as follows.

Chain certificate (GRCA and GCA):
(1) Download the GCA chain certificate in PEM format:
http://gca.nat.gov.tw/download/GRCA1_5_GCA2.zip
(2) Unzip GRCA1_5_GCA2.zip to obtain GRCA1_5_GCA2.crt.

SSL server certificate:
(1) Download the issued SSL certificate (*.cer) and save it as server.cer.
(2) Convert the certificate from DER to PEM format:
$ openssl x509 -in server.cer -inform DER -out server.crt
If the downloaded file is already PEM text (it begins with -----BEGIN CERTIFICATE-----), it can be used directly; the conversion is only needed for a binary DER file.
(3) Apache < 2.4.8: edit httpd-ssl.conf under conf/extra/ and set:
SSLCertificateFile      the server certificate (*.crt)
SSLCertificateKeyFile   the server.key private key that was used to generate the CSR
SSLCertificateChainFile GRCA1_5_GCA2.crt
(4) Apache >= 2.4.8: SSLCertificateChainFile is obsolete; the chain is appended to the server certificate file instead. Concatenate the two files, server certificate first:
cat server.crt GRCA1_5_GCA2.crt > server-chain.crt
mv server-chain.crt server.crt
(the resulting crt holds the server certificate followed by the chain)
Then edit httpd-ssl.conf under conf/extra/ and set the two directives:
SSLCertificateFile      server.crt (server certificate plus chain)
SSLCertificateKeyFile   the server.key private key that was used to generate the CSR
(5) Restart Apache.
(6) Make sure the https port is open.
(7) Open the site over https in a browser and check the SSL certificate.
Windows Apache SSL: generating the CSR

(1) Generate a Certificate Signing Request (CSR) with OpenSSL. On Windows, openssl.exe is found in the Apache installation's /bin directory.

(2) Before generating any key, check whether the bundled OpenSSL is affected by the Heartbleed bug:
$ openssl version
Affected: 1.0.1 ~ 1.0.1f and 1.0.2-beta ~ 1.0.2-beta1
Fixed:    1.0.1g / 1.0.2-beta2 and later
Upgrade OpenSSL first if the version is in the affected range.

(3) Apache on Windows cannot prompt for a pass phrase when it starts, so the private key is generated without one, in PEM format (RSA, 2048 bits):
$ openssl genrsa -out server.key 2048
server.key is the SSL server's private key (RSA 2048 bits).

(4) Keep server.key in a safe place. It is the unencrypted private key, so restrict its file permissions to the account Apache runs under; it is never sent to the CA.

(5) Generate the CSR from the private key (file names as in the Linux section):
$ openssl req -new -key server.key -out certreq.txt
If this prints "WARNING: can't open config file", OpenSSL cannot find openssl.cnf. Point it at the openssl.cnf shipped with Apache and run the command again:
set OPENSSL_CONF=<path to Apache's openssl.cnf>

Fill in the fields as follows when applying for a GCA SSL certificate:
Country Name: TW
State or Province Name: leave blank (press enter)
Locality Name: e.g. Taipei
Organization Name: e.g. CHT
Organizational Unit Name: e.g. Information
Common name: the server's fully qualified domain name, e.g. www.abc.com.tw
Email address: e.g. [email protected]
A challenge password: leave blank (press enter)
An optional company name: leave blank (press enter)

(6) Check the contents of the CSR:
$ openssl req -noout -text -in certreq.txt
The Subject fields printed should match what was entered above.

Submit certreq.txt to GCA (http://gca.nat.gov.tw) to apply for the SSL certificate.
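The CSR steps of this section and of the Linux section above, as one added shell script. This is example code written for this page, not the GCA guide's own: it assumes a POSIX shell with OpenSSL 1.1.1 or later on the path (`req -addext` needs 1.1.1), keeps the guide's sample subject values (TW, Taipei, CHT, Information, www.abc.com.tw), and goes one step beyond the guide by adding a subjectAltName, which browsers check instead of the Common Name. The `run` argument and the ENCRYPT and FQDN variables are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the GCA guide: the CSR steps of the Linux and
# Windows sections as one script. Assumptions: POSIX sh; OpenSSL 1.1.1+ for
# `req -addext`; the subject values are the guide's sample values, not real ones.
set -eu

# Heartbleed affected OpenSSL 1.0.1 .. 1.0.1f and 1.0.2-beta .. 1.0.2-beta1;
# 1.0.1g / 1.0.2-beta2 are the first fixed releases (the guide's step 2).
# Returns 0 ("true") when the given version string is in the affected range.
heartbleed_affected() {
  case "$1" in
    1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) return 0 ;;
    *) return 1 ;;
  esac
}

# Version token of `openssl version`, e.g. "1.0.1f" from "OpenSSL 1.0.1f 6 Jan 2014".
openssl_version() { openssl version | awk '{ print $2 }'; }

# Subject in the form `openssl req -subj` expects, with the guide's sample values.
# State/Province is left out, matching the guide's "press enter" for that field.
csr_subject() { printf '/C=TW/L=Taipei/O=CHT/OU=Information/CN=%s' "$1"; }   # csr_subject <fqdn>

# 2048-bit RSA key. ENCRYPT=1 wraps it with 3DES and a pass phrase (the Linux
# flow); ENCRYPT=0 writes it unencrypted (the Windows flow, where Apache cannot
# prompt for the pass phrase at startup). Either way, only the owner may read it.
gen_key() {                                  # gen_key <keyfile> <0|1>
  if [ "$2" = 1 ]; then openssl genrsa -des3 -out "$1" 2048
  else openssl genrsa -out "$1" 2048; fi
  chmod 600 "$1"
}

# CSR built non-interactively from the subject above. subjectAltName is an
# addition beyond the guide: browsers match the host name against SAN, not CN.
gen_csr() {                                  # gen_csr <keyfile> <csrfile> <fqdn>
  openssl req -new -key "$1" -out "$2" -subj "$(csr_subject "$3")" \
    -addext "subjectAltName=DNS:$3"
}

# The guide's verification step, plus a check that the CSR really carries this
# key's public key (catches a CSR generated against the wrong server.key).
verify_csr() {                               # verify_csr <keyfile> <csrfile>
  openssl req -noout -text -in "$2"
  [ "$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)" = \
    "$(openssl req -in "$2" -noout -pubkey | openssl dgst -sha256)" ]
}

main() {
  v=$(openssl_version)
  if heartbleed_affected "$v"; then
    echo "OpenSSL $v is affected by Heartbleed; upgrade before generating a key" >&2
    exit 1
  fi
  gen_key server.key "${ENCRYPT:-0}"
  gen_csr server.key certreq.txt "${FQDN:-www.abc.com.tw}"
  verify_csr server.key certreq.txt
}

# Usage: FQDN=www.abc.com.tw ENCRYPT=1 sh gen_csr.sh run
if [ "${1:-}" = run ]; then main; fi
```

The script refuses to generate a key on a Heartbleed-era OpenSSL, which is the point of the guide's version check: a key created on a vulnerable library may already have been leaked from process memory.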
Windows Apache SSL: installing the certificate
(certificates issued on or after 2019/09/02, eCA/GTLSCA chain)

Certificates issued by GCA from 2019/09/02 onward chain up through GTLSCA to the eCA root. Install the chain certificate and the SSL server certificate on the Apache server as follows.

Chain certificate (eCA and GTLSCA):
(1) Download the GTLSCA chain certificate in PEM format:
https://gtlsca.nat.gov.tw/download/eCA1_GTLSCA.zip
(2) Unzip eCA1_GTLSCA.zip to obtain eCA1_GTLSCA.crt.

SSL server certificate:
(1) Download the issued SSL certificate (*.cer) and save it as server.cer.
(2) Convert the certificate from DER to PEM format:
$ openssl x509 -in server.cer -inform DER -out server.crt
If the downloaded file is already PEM text (it begins with -----BEGIN CERTIFICATE-----), it can be used directly; the conversion is only needed for a binary DER file.
(3) Apache < 2.4.8: edit httpd-ssl.conf under \conf\extra\ and set:
SSLCertificateFile      the server certificate (*.crt)
SSLCertificateKeyFile   the server.key private key that was used to generate the CSR
SSLCertificateChainFile eCA1_GTLSCA.crt
(4) Apache >= 2.4.8: SSLCertificateChainFile is obsolete; the chain is appended to the server certificate file instead. Open eCA1_GTLSCA.crt in a text editor and paste its contents after the server certificate (the server.crt from steps (1) and (2)) at the end of server.crt, so that server.crt holds the server certificate followed by the chain. Then edit httpd-ssl.conf under \conf\extra\ and set the two directives:
SSLCertificateFile      server.crt (server certificate plus chain)
SSLCertificateKeyFile   the server.key private key that was used to generate the CSR
(5) Restart Apache.
(6) Make sure the https port is open.
(7) Open the site over https in a browser and check the SSL certificate.
Windows Apache SSL: installing the certificate
(certificates issued before 2019/09/02, GRCA/GCA chain)

Certificates issued by GCA before 2019/09/02 chain up through GCA to the GRCA root. Install the GRCA/GCA chain certificate and the SSL server certificate on the Apache server as follows.

Chain certificate (GRCA and GCA):
(1) Download the GCA chain certificate in PEM format:
https://gca.nat.gov.tw/download/GRCA1_5_GCA2.zip
(2) Unzip GRCA1_5_GCA2.zip to obtain GRCA1_5_GCA2.crt.

SSL server certificate:
(1) Download the issued SSL certificate (*.cer) and save it as server.cer.
(2) Convert the certificate from DER to PEM format:
$ openssl x509 -in server.cer -inform DER -out server.crt
If the downloaded file is already PEM text (it begins with -----BEGIN CERTIFICATE-----), it can be used directly; the conversion is only needed for a binary DER file.
(3) Apache < 2.4.8: edit httpd-ssl.conf under \conf\extra\ and set:
SSLCertificateFile      the server certificate (*.crt)
SSLCertificateKeyFile   the server.key private key that was used to generate the CSR
SSLCertificateChainFile GRCA1_5_GCA2.crt
(4) Apache >= 2.4.8: SSLCertificateChainFile is obsolete; the chain is appended to the server certificate file instead. Open GRCA1_5_GCA2.crt in a text editor and paste its contents after the server certificate (the server.crt from steps (1) and (2)) at the end of server.crt, so that server.crt holds the server certificate followed by the chain. Then edit httpd-ssl.conf under \conf\extra\ and set the two directives:
SSLCertificateFile      server.crt (server certificate plus chain)
SSLCertificateKeyFile   the server.key private key that was used to generate the CSR
(5) Restart Apache.
(6) Make sure the https port is open.
(7) Open the site over https in a browser and check the SSL certificate.
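The installation steps of the four installation sections (Linux and Windows, eCA/GTLSCA and GRCA/GCA chains) as one added shell script, with the two checks a practitioner wants before restarting Apache: that server.key matches the issued certificate, and that the downloaded chain file is the right one for it. This is example code written for this page, not the GCA guide's own. It assumes a POSIX shell with OpenSSL and httpd on the path (on Windows, e.g. from Git Bash or WSL), server.cer and server.key in the working directory, and takes the chain file name from CHAIN (default eCA1_GTLSCA.crt); the `run` argument and the HTTPD variable are the example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the GCA guide: the certificate-installation steps
# as one script. Assumptions: POSIX sh, OpenSSL, server.cer (from the CA) and
# server.key (from the CSR step) in the current directory, the chain file in
# CHAIN (eCA1_GTLSCA.crt or GRCA1_5_GCA2.crt), and httpd on PATH as `httpd`
# (override with HTTPD=apachectl or HTTPD=apache2).
set -eu

# Compare dotted versions; prints -1, 0 or 1 (e.g. 2.4.39 vs 2.4.8 -> 1).
vercmp() {                                   # vercmp <a> <b>
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# SSLCertificateChainFile is obsolete from Apache 2.4.8 on; newer servers read
# the intermediate certificate from SSLCertificateFile. True (0) below 2.4.8.
needs_chainfile() { [ "$(vercmp "$1" 2.4.8)" -lt 0 ]; }

# Apache version from `httpd -v` ("Server version: Apache/2.4.39 (Unix)").
httpd_version() { "${HTTPD:-httpd}" -v | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p'; }

# The httpd-ssl.conf directives the guide lists for each Apache generation.
ssl_directives() {                           # ssl_directives <apache-ver> <crt> <key> <chain>
  if needs_chainfile "$1"; then
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\nSSLCertificateChainFile %s\n' "$2" "$3" "$4"
  else
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$2" "$3"
  fi
}

# DER .cer from the CA -> PEM .crt. A file that is already PEM is copied as is.
to_pem() {                                   # to_pem <in.cer> <out.crt>
  if grep -q 'BEGIN CERTIFICATE' "$1"; then cp "$1" "$2"
  else openssl x509 -in "$1" -inform DER -out "$2"; fi
}

# Checks worth running before restarting Apache: the key's public key equals
# the certificate's, and the certificate verifies against the downloaded chain
# file. Every certificate in that file is treated as trusted here, so this
# confirms the chain file fits this certificate, not that clients trust the root.
key_matches_cert() {                         # key_matches_cert <key> <crt>
  [ "$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)" ]
}
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null; }   # chain_verifies <crt> <chain>

main() {
  chain=${CHAIN:-eCA1_GTLSCA.crt}
  ver=$(httpd_version)
  to_pem server.cer server.crt
  key_matches_cert server.key server.crt
  chain_verifies server.crt "$chain"
  if ! needs_chainfile "$ver"; then
    # Apache >= 2.4.8: server certificate first, then the chain, in one file.
    cat server.crt "$chain" > server-chain.crt && mv server-chain.crt server.crt
  fi
  echo "Apache $ver: put these lines in httpd-ssl.conf, then restart Apache:"
  ssl_directives "$ver" server.crt server.key "$chain"
}

# Usage: CHAIN=GRCA1_5_GCA2.crt sh install_cert.sh run
if [ "${1:-}" = run ]; then main; fi
```

Both checks fail fast: a mismatched key (the commonest cause of Apache refusing to start after a certificate renewal) or the wrong chain file stops the script before anything is concatenated or written into the configuration.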
SSL cipher suite settings

Apache hands the SSLCipherSuite value to OpenSSL, so it uses OpenSSL's cipher-list syntax. In httpd.conf or httpd-ssl.conf set:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
HIGH selects the high-strength encryption cipher suites (e.g. AES 256-bit) and MEDIUM the medium-strength ones (e.g. AES 128-bit); !aNULL removes suites with anonymous (unauthenticated) key exchange, and !MD5 removes suites whose MAC is MD5. Whether AES 256-bit suites are actually offered depends on the OpenSSL build Apache is linked against, and the exact contents of HIGH and MEDIUM differ between OpenSSL releases (on OpenSSL 1.0.x, for example, MEDIUM still admits RC4-SHA and HIGH admits 3DES), so check what the installed OpenSSL expands the SSLCipherSuite string to, and restart Apache after changing it.
Disabling SSLv3.0, TLS 1.0 and TLS 1.1

In the SSL configuration file (httpd-ssl.conf), set the SSLProtocol directive so that SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are all switched off, then restart Apache [1]:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Every protocol name after All must carry a - (or +) prefix. mod_ssl treats a bare name such as TLSv1 as a replacement for the whole list built so far rather than an addition, so a line written as "All -SSLv2 -SSLv3 TLSv1 TLSv1.1" ends up enabling only TLS 1.1, and httpd logs a warning that the protocol "overrides already set parameter(s)".

[1]: http://www.icst.org.tw/NewInfoDetail.aspx?seq=1436&lang=zh

Checking the SSL configuration:
(1) TestSSLServer: http://www.bolet.org/TestSSLServer/
(2) Qualys SSL Labs SSL Server Test (https://www.ssllabs.com/ssltest/index.html), which grades the server with CA/Browser Forum requirements taken into account. In October 2014 the SSLv3 vulnerability CVE-2014-3566 (POODLE) was disclosed; SSLv3 should be disabled and TLS used instead.
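To check both settings before restarting Apache, here is an added shell script (written for this page, not taken from the GCA guide) serving the cipher suite section and the protocol section above. It expands an SSLCipherSuite string through `openssl ciphers -v` and flags the suites a public server should not offer, and it emulates mod_ssl's SSLProtocol parsing to show which protocols a given line really leaves enabled. The "All" expansion (Apache 2.4.39 with OpenSSL 1.1.1) and the sample cipher lines are assumptions stated in the comments; the `run` argument is the example's own convention.

```shell
#!/bin/sh
# Added example, not part of the GCA guide: audit SSLCipherSuite and SSLProtocol
# values. Assumptions: POSIX sh; the `openssl ciphers -v` column layout; "All"
# is the Apache 2.4.39 / OpenSSL 1.1.1 set (SSLv3 through TLSv1.3); the sample
# cipher lines below are constructed, not captured from a real server.
set -eu

# What mod_ssl's SSLCipherSuite string expands to on the installed OpenSSL.
expand_suites() { openssl ciphers -v "$1"; }           # expand_suites 'HIGH:MEDIUM:!aNULL:!MD5'

# Keep only the `ciphers -v` lines a public server should not offer: anonymous
# key exchange (Au=None), NULL/export/RC4/DES/3DES encryption, or an MD5 MAC.
# Reads the -v output on stdin and prints the offending suite names.
weak_suites() {
  awk '$4 == "Au=None" || $5 ~ /^Enc=(None|EXP|RC4|DES|3DES)/ || $6 == "Mac=MD5" { print $1 }'
}

# Drop one word from a space-separated list (helper for ssl_protocol_set).
remove_word() {                                         # remove_word <list> <word>
  out=""
  for p in $1; do [ "$p" = "$2" ] || out="$out $p"; done
  printf '%s' "${out# }"
}

# Emulate how mod_ssl parses SSLProtocol (ssl_cmd_protocol_parse): +name adds,
# -name removes, and a bare name REPLACES the whole set built so far; httpd
# logs "Protocol ... overrides already set parameter(s). Check if a +/- prefix
# is missing" for that case. Prints the protocols left enabled.
ssl_protocol_set() {                                    # ssl_protocol_set '<SSLProtocol value>'
  all="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
  enabled=""
  for tok in $1; do
    case "$tok" in
      +*) op=+; name=${tok#+} ;;
      -*) op=-; name=${tok#-} ;;
      *)  op=""; name=$tok ;;
    esac
    case "$name" in [Aa]ll) name=$all ;; esac
    case "$op" in
      -) for p in $name; do enabled=$(remove_word "$enabled" "$p"); done ;;
      +) enabled="$enabled $name" ;;
      *) enabled=$name ;;
    esac
  done
  result=""
  for p in SSLv2 $all; do                               # fixed order, no duplicates
    case " $enabled " in *" $p "*) result="$result $p" ;; esac
  done
  printf '%s' "${result# }"
}

# Constructed sample of `openssl ciphers -v` output, used when openssl is absent.
SAMPLE='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1'

weak_in_sample() { printf '%s\n' "$SAMPLE" | weak_suites | tr '\n' ' ' | sed 's/ $//'; }

main() {
  suites=${1:-HIGH:MEDIUM:!aNULL:!MD5}
  echo "suites in '$suites' that should be excluded:"
  if command -v openssl >/dev/null; then expand_suites "$suites" | weak_suites
  else weak_in_sample; fi
  echo "guide's line   'All -SSLv2 -SSLv3 TLSv1 TLSv1.1'   enables: $(ssl_protocol_set 'All -SSLv2 -SSLv3 TLSv1 TLSv1.1')"
  echo "corrected line 'All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1' enables: $(ssl_protocol_set 'All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1')"
}

# Usage: sh audit_ssl.sh run 'HIGH:MEDIUM:!aNULL:!MD5'
if [ "${1:-}" = run ]; then main "${2:-}"; fi
```

Running it against the guide's own SSLCipherSuite string on an older OpenSSL lists the RC4 and 3DES suites that HIGH:MEDIUM still admits, and the two SSLProtocol lines print "TLSv1.1" and "TLSv1.2 TLSv1.3" respectively, which is the difference the missing - prefix makes.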