Securing your web
Let’s Encrypt + StartSSL + HTTPS by Default + Get “A” from Qualys SSL Server Test
Kitt Tientanopajai, D.Eng.
Director, Bureau of Information Technology, Khon Kaen University
Documents
● This slide is available at https://goo.gl/ePcB6M
● Scripts for this workshop are available at https://goo.gl/DXw9SY
Workshop Requirements
● A Linux box on which you want to enable SSL.
● Root access to your Linux box.
● A fully-qualified domain name (FQDN) that points to your Linux box.
● MS Windows/IIS will also benefit from this workshop.
Topics
● Introduction
● Get certificates for free
  ⚪ StartSSL
  ⚪ Let’s Encrypt
● Basic HTTPS Configurations
  ⚪ Apache HTTPD Server
  ⚪ nginx
  ⚪ Lighttpd
● HTTPS by default
● Get “A” from Qualys SSL Test
Introduction

How HTTPS works
(Diagram: a Browser with a built-in CA cert, a Server with its Certificate and its Private/Public key pair, and the CA with its own Private key.)
Getting certificate for free

Self-Signed Certificate
● You can always create a certificate signed by yourself, or by your own CA.
● No browser will trust your certificates unless you
  ⚪ install the root certificate, or
  ⚪ manually trust them.
● Not recommended
  ⚪ You can get ones signed by a trusted CA for free.
StartSSL
● Provides free certificates (class 1) signed by a trusted CA.
● Visit https://www.startssl.com
  ⚪ Sign up for an account
  ⚪ Domain validation
    ◾ By e-mail to hostmaster, postmaster, or webmaster
  ⚪ Web server SSL/TLS certificate
● Generate a private key
  $ openssl genrsa -out privkey.pem 4096
● Generate the CSR
  $ openssl req -new -nodes -key privkey.pem -out domain.csr
● Submit the CSR to StartSSL
● Download the certificate
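The key and CSR steps above, carried out as one script with the file permissions the workshop recommends and a check that the CSR really belongs to the key before you upload it. This is an added example, not one of the workshop scripts; it assumes openssl is installed, and the FQDN and output directory are hypothetical arguments.

```shell
#!/bin/sh
# Added example, not from the workshop slides: create the private key and CSR
# for a CA such as StartSSL, apply the permissions the slides recommend, and
# verify the CSR before submitting it.
# Assumptions: openssl is installed; <fqdn> and <outdir> are hypothetical arguments.

# make_key_and_csr <fqdn> <outdir> [bits]   (bits defaults to 4096 as on the slide)
make_key_and_csr() {
  fqdn=$1; dir=$2; bits=${3:-4096}
  mkdir -p "$dir"
  # subshell so the restrictive umask only applies while the key is written
  ( umask 077 && openssl genrsa -out "$dir/privkey.pem" "$bits" 2>/dev/null )
  chmod 400 "$dir/privkey.pem"          # slide: private key readable by owner only
  # minimal request config: CN plus a SAN, which browsers require to match the host
  cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = $fqdn
[san]
subjectAltName = DNS:$fqdn
EOF
  openssl req -new -key "$dir/privkey.pem" -config "$dir/csr.cnf" -out "$dir/domain.csr"
  chmod 644 "$dir/domain.csr"           # the CSR is public; it is what you upload
}

# csr_matches_key <csr> <key>: succeeds only if both carry the same RSA modulus,
# i.e. the CSR was really made from this key (catches a stale or swapped key)
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# csr_has_name <csr> <fqdn>: the request must ask for the right host name
csr_has_name() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}
```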
Basic HTTPS configuration

Generic Method
● Get a certificate for your domain
  ⚪ Preferably signed by a trusted CA
● Upload the certificate and the private key to the server.
● Permissions
  ⚪ root 644 for the certificate file
  ⚪ root 400 for the private key file
● Configure your HTTP server
Apache HTTP Server
<VirtualHost *:443>
    SSLEngine on
    ...
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/privkey.pem
    SSLCertificateChainFile /path/to/chain.pem
    ...
</VirtualHost>
nginx
server {
    listen 443 ssl;
    ...
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ...
}
Lighttpd
$SERVER["socket"] == "0.0.0.0:443" {
    ...
    ssl.engine = "enable"
    ssl.pemfile = "/path/to/key+cert.pem"
    ssl.ca-file = "/path/to/ca+chain.pem"
    ...
}
HTTPS by default

Generic Method
● Rewrite/redirect HTTP to HTTPS
● Preferably
  ⚪ All HTTP traffic must be rewritten/redirected to HTTPS
  ⚪ Do this as early as possible
  ⚪ Always use https:// in your HTML code
Apache HTTP Server
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} = host.domain.tld
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
nginx
server {
    listen 80;
    server_name host.domain.tld;
    return 301 https://$server_name$request_uri;
}
Lighttpd
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
Let’s Encrypt

Let’s Encrypt
● Let’s Encrypt is a certification authority (CA)
  ⚪ Specifically designed to be a ubiquitous and long-term solution for securing electronic transactions on the web.
● Trusted/supported by modern browsers
  ⚪ Google Chrome
  ⚪ Firefox
  ⚪ Safari
  ⚪ Internet Explorer / Edge
● Backed by top organizations
  ⚪ Internet Security Research Group (ISRG)
  ⚪ Electronic Frontier Foundation (EFF)
  ⚪ Internet Society (ISOC)
● The IETF has accepted the Let’s Encrypt protocol (ACME) and published it as an Internet-Draft (I-D). ACME will become an open standard once its status changes to RFC.
● Visit https://letsencrypt.org
● ACME client source code is free (as in free speech)
  ⚪ Automated tools
    ◾ Domain validation
    ◾ Certificate issuance
    ◾ Certificate revocation
    ◾ Configure your web servers
● Let’s Encrypt certificates are free (as in free beer)
  ⚪ Rate limits: https://letsencrypt.org/docs/rate-limits/
ACME Client
● Official client: letsencrypt or certbot
  ⚪ From the distro’s repository
    ◾ letsencrypt
    ◾ certbot
  ⚪ From eff.org
    # wget https://dl.eff.org/certbot-auto
    # chmod 755 certbot-auto
● certbot will automatically install the required packages from the distro’s repository.
  ⚪ Let’s run
    # ./certbot-auto --help
ACME Domain Validation

ACME Certificate Issuance

ACME Certificate Revocation
Let’s Encrypt Certificates
● All Let’s Encrypt certificates expire 90 days after issuance.
  ⚪ Limits the damage from key compromise and mis-issuance.
  ⚪ Encourages automation, which is absolutely essential for ease of use.
● Let’s Encrypt allows you to renew certificates 30 days before they expire.
Let’s Encrypt with Apache HTTP
● Simply run
  # ./certbot-auto
● Enter the FQDN of your web site
● Enter your email
  ⚪ It can save your life later.
● Read the Terms of Service
  ⚪ Agree or Cancel

(cont’d.)
● Choose required or optional
  ⚪ Easy = Optional
  ⚪ Secure = Required - redirect HTTP to HTTPS
● Choose “OK” .. Congrats, it’s done!
  ⚪ No need to understand how X.509 works
  ⚪ No need to manually generate a private key and a CSR
  ⚪ No need to configure your web server(s)
  ⚪ No need to pay for certificates :)
Let’s Encrypt with nginx (and the others)
● Right now the nginx plugin is still experimental, but you can ask certbot to just issue and install the certificate on your Linux box:
  # ./certbot-auto certonly --standalone
● certbot will run its own temporary web server to automate the process instead of using Apache.
(cont’d.)
● Enter the FQDN of your web site
  ⚪ If you are running nginx (or another web server) you have to stop it while Let’s Encrypt verifies your domain.
● Done. Your certificate and key are issued and saved in
  /etc/letsencrypt/live/<hostname>/fullchain.pem
  /etc/letsencrypt/live/<hostname>/privkey.pem
(cont’d.)
● Edit the nginx configuration to enable SSL/TLS
  ⚪ Point ssl_certificate to the fullchain.pem file
  ⚪ Point ssl_certificate_key to the privkey.pem file
  ⚪ Start/restart nginx.
Certificate Renewal
● Simply run
  # ./certbot renew
● You can use cron to automate the renewal process, from either /etc/cron.daily or /etc/cron.weekly
#!/bin/sh
# Renewal script for the standalone (certonly) setup: certbot's temporary
# web server needs the port, so nginx is stopped during renewal and started
# again afterwards, whether or not the renewal succeeded. Run as root (cron).
service nginx stop
/path/to/certbot-auto renew --standalone
LE_STATUS=$?                      # remember certbot's exit status
service nginx start
if [ "$LE_STATUS" -ne 0 ]; then
    echo "Automated renewal failed:"
    exit 1
fi
Get “A” from Qualys SSL Labs Test

Qualys SSL Labs Test
● First, let’s try to see your current rating.
● Visit https://www.ssllabs.com/ssltest/

How to get “A”
● Update/upgrade your server
● Enable only TLS, and disable all SSL
● Use only strong ciphers
● Use strong Diffie-Hellman parameters for key exchange
● Disable SSL compression
● Use Online Certificate Status Protocol (OCSP)
● Use HTTP Strict Transport Security (HSTS)
Get “A” for Apache
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Get “A” for nginx
listen 443 ssl spdy;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_dhparam /path/to/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Get “A” for Lighttpd
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.honor-cipher-order = "enable"
ssl.dh-file = "/path/to/dhparam.pem"
ssl.use-compression = "disable"
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=31536000; includeSubdomains"
)
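A quick offline audit of an nginx server block against the “How to get A” checklist, so you can catch the weak settings before running the Qualys test. This is an added example, not one of the workshop scripts; it assumes POSIX sh with grep -E, and the two sample configs it writes are constructed (the hardened one repeats the nginx settings above, the weak one is a typical default).

```shell
#!/bin/sh
# Added example, not from the workshop slides: audit an nginx TLS config
# against the "How to get A" checklist. Assumes POSIX sh and grep -E;
# the sample configs written below are constructed for the demonstration.

# audit_nginx_tls <nginx.conf>
# Prints one FAIL line per unmet check; exit status = number of failures.
audit_nginx_tls() {
  f=$1; fails=0
  # need <reason> <ERE>: the pattern must appear in the config
  need()   { grep -Eq "$2" "$f"   || { echo "FAIL: $1"; fails=$((fails + 1)); }; }
  # forbid <reason> <ERE>: the pattern must not appear in the config
  forbid() { ! grep -Eq "$2" "$f" || { echo "FAIL: $1"; fails=$((fails + 1)); }; }
  forbid "SSLv2/SSLv3 still enabled"         '^[[:space:]]*ssl_protocols[^;]*SSLv'
  need   "TLSv1.2 not offered"               '^[[:space:]]*ssl_protocols[^;]*TLSv1\.2'
  # legacy algorithms after a separator; '!RC4' style exclusions are not flagged
  forbid "legacy ciphers in ssl_ciphers"     'ssl_ciphers[^;]*[:" ](RC4|3?DES|NULL|MD5|EXP)'
  need   "server cipher order not enforced"  '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on;'
  need   "no custom DH parameters"           '^[[:space:]]*ssl_dhparam[[:space:]]+[^;[:space:]]'
  need   "OCSP stapling off"                 '^[[:space:]]*ssl_stapling[[:space:]]+on;'
  # max-age with at least 8 digits, i.e. >= 10,000,000 s (about 4 months)
  need   "HSTS missing or max-age too short" 'Strict-Transport-Security[^;]*max-age=[0-9]{8,}'
  return $fails
}

# Constructed sample: the "Get A for nginx" settings from the slides
write_hardened_sample() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /path/to/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
}

# Constructed sample: a typical unhardened server block (fails six checks)
write_weak_sample() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:RC4:MD5;
    ssl_prefer_server_ciphers off;
}
EOF
}
```

Run `audit_nginx_tls /etc/nginx/sites-enabled/your-site` against a real config; an exit status of 0 means every item on the checklist that can be seen in the file is in place.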
Q & A
Kitt Tientanopajai, D.Eng. ([email protected])
Director, Bureau of Information Technology, Khon Kaen University