Securing your web: Let’s Encrypt + StartSSL + HTTPS by Default + Get “A” from Qualys’ SSL Server Test. Kitt Tientanopajai, D.Eng., Director, Bureau of Information Technology, Khon Kaen University.

Securing your web Khon Kaen University Bureau of ... · Basic HTTPS Configurations ⚪Apache HTTPD Server ⚪nginx ⚪Lighttpd HTTPS by default Get “A” from Qualys SSL Test 4



Page 2: Documents
● This slide deck is available at https://goo.gl/ePcB6M
● Scripts for this workshop are available at https://goo.gl/DXw9SY

Page 3: Workshop Requirements
● A Linux box on which you want to enable SSL
● Root access to your Linux box
● A fully-qualified domain name (FQDN) that points to your Linux box
● MS Windows/IIS users will also benefit from this workshop

Page 4: Topics
● Introduction
● Get certificates for free
  ⚪ StartSSL
  ⚪ Let’s Encrypt
● Basic HTTPS Configurations
  ⚪ Apache HTTPD Server
  ⚪ nginx
  ⚪ Lighttpd
● HTTPS by default
● Get “A” from Qualys SSL Test

Page 5: Introduction

Page 6: How HTTPS works
(Diagram; only its labels survive: Private, Private/Public, Certificate, Server, Browser, Built-in CA Cert, CA)

Page 7: Getting certificates for free

Page 8: Self-Signed Certificate
● You can always create a certificate signed by yourself, or by your own CA.
● No browser will trust your certificates unless you
  ⚪ Install the root certificate
  ⚪ Manually trust them
● Not recommended
  ⚪ You can get certificates signed by a trusted CA for free.

Page 9: StartSSL
● Provides free certificates (class 1) signed by a trusted CA.
● Visit https://www.startssl.com
  ⚪ Sign up for an account
  ⚪ Domain validation
    ◾ By e-mail to hostmaster, postmaster, or webmaster
  ⚪ Web server SSL/TLS certificate

Page 10
● Generate a private key
  $ openssl genrsa -out privkey.pem 4096
● Generate the CSR
  $ openssl req -new -nodes -key privkey.pem -out domain.csr
● Submit the CSR to StartSSL
● Download the certificate

Page 11: Basic HTTPS configuration

Page 12: Generic Method
● Get a certificate for your domain
  ⚪ Preferably signed by a trusted CA
● Upload the certificate and the private key to the server.
● Permissions
  ⚪ Certificate file: owned by root, mode 644
  ⚪ Private key file: owned by root, mode 400
● Configure your HTTP server

Page 13: Apache HTTP Server
  <virtualhost *:443>
      SSLEngine on
      ...
      SSLCertificateFile /path/to/cert.pem
      SSLCertificateKeyFile /path/to/privkey.pem
      SSLCertificateChainFile /path/to/chain.pem
      ...
  </virtualhost>

Page 14: nginx
  server {
      listen 443 ssl;
      ...
      ssl_certificate /path/to/fullchain.pem;
      ssl_certificate_key /path/to/privkey.pem;
      ...
  }

Page 15: Lighttpd
  $SERVER["socket"] == "0.0.0.0:443" {
      ...
      ssl.engine = "enable"
      ssl.pemfile = "/path/to/key+cert.pem"
      ssl.ca-file = "/path/to/ca+chain.pem"
      ...
  }

Page 16: HTTPS by default

Page 17: Generic Method
● Rewrite/redirect HTTP to HTTPS
● Preferably
  ⚪ All HTTP traffic must be rewritten/redirected to HTTPS
  ⚪ Do this as early as possible
  ⚪ Always use https:// in your HTML code

Page 18: Apache HTTP Server
  <virtualhost *:80>
      RewriteEngine on
      RewriteCond %{SERVER_NAME} = host.domain.tld
      RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
  </virtualhost>

Page 19: nginx
  server {
      listen 80;
      server_name host.domain.tld;
      return 301 https://$server_name$request_uri;
  }

Page 20: Lighttpd
  $HTTP["scheme"] == "http" {
      $HTTP["host"] =~ ".*" {
          url.redirect = (".*" => "https://%0$0")
      }
  }

Page 21: Let’s Encrypt

Page 22: Let’s Encrypt
● Let’s Encrypt is a certification authority (CA)
  ⚪ Specifically designed to be a ubiquitous and long-term solution for securing electronic transactions on the web.
● Trusted/supported by modern browsers
  ⚪ Google Chrome
  ⚪ Firefox
  ⚪ Safari
  ⚪ Internet Explorer / Edge

Page 23
● Backed by top organizations
  ⚪ Internet Security Research Group (ISRG)
  ⚪ Electronic Frontier Foundation (EFF)
  ⚪ Internet Society (ISOC)
● The IETF accepted the Let’s Encrypt protocol (ACME) and published an Internet-Draft (I-D). ACME will become an open standard when its status changes to RFC.
● Visit https://letsencrypt.org

Page 24
● The ACME client source code is free (as in free speech)
  ⚪ Automated tools for
    ◾ Domain validation
    ◾ Certificate issuance
    ◾ Certificate revocation
    ◾ Configuring your web servers
● Let’s Encrypt certificates are free (as in free beer)
  ⚪ Rate limits: https://letsencrypt.org/docs/rate-limits/

Page 25: ACME Client
● Official client: letsencrypt or certbot
  ⚪ From the distro’s repository
    ◾ letsencrypt
    ◾ certbot
  ⚪ From eff.org
    # wget https://dl.eff.org/certbot-auto
    # chmod 755 certbot-auto
● certbot will automatically install the required packages from the distro’s repository.
  ⚪ Let’s run
    # ./certbot-auto --help

Page 26: ACME Domain Validation


Page 28: ACME Certificate Issuance

Page 29: ACME Certificate Revocation

Page 30: Let’s Encrypt Certificates
● All Let’s Encrypt certificates expire 90 days after issuance.
  ⚪ Limits damage from key compromise and mis-issuance.
  ⚪ Encourages automation, which is absolutely essential for ease of use.
● Let’s Encrypt allows you to renew certificates 30 days before they expire.

Page 31: Let’s Encrypt with Apache HTTP
● Simply run
  # ./certbot-auto
● Enter the FQDN of your web site
● Enter your email
  ⚪ It can save your life later.
● Read the Terms of Service
  ⚪ Agree or Cancel

Page 32: (cont’d.)
● Choose required or optional
  ⚪ Easy = Optional
  ⚪ Secure = Required - redirect HTTP to HTTPS
● Choose “OK” .. Congrats, it’s done!
  ⚪ No need to understand how X.509 works
  ⚪ No need to manually generate a private key and a CSR
  ⚪ No need to configure your web server(s)
  ⚪ No need to pay for certificates :)

Page 33: Let’s Encrypt with nginx (and the others)
● Right now the nginx plugin is experimental, but you can ask certbot to just issue and install the certificate on your Linux box:
  # ./certbot-auto certonly --standalone
● certbot will run its own temporary web server to automate the process instead of using Apache.

Page 34: (cont’d.)
● Enter the FQDN of your web site
  ⚪ If you are running nginx (or another web server) you have to stop it while Let’s Encrypt verifies your domain.
● Done. Your certificate and key will be issued and saved in
  /etc/letsencrypt/live/<hostname>/fullchain.pem
  /etc/letsencrypt/live/<hostname>/privkey.pem

Page 35: (cont’d.)
● Edit the nginx configuration to enable SSL/TLS
  ⚪ Point ssl_certificate to the fullchain.pem file
  ⚪ Point ssl_certificate_key to the privkey.pem file
  ⚪ Start/restart nginx.

Page 36: Certificate Renewal
● Simply run
  # ./certbot renew
● You can use cron to automate the renewal process, from either /etc/cron.daily or /etc/cron.weekly

Page 37
  #!/bin/sh
  # Stop nginx so certbot's standalone web server can bind the port for validation,
  # renew, then start nginx again whether or not the renewal succeeded.
  service nginx stop
  /path/to/certbot-auto renew --standalone
  LE_STATUS=$?
  service nginx start
  if [ "$LE_STATUS" -ne 0 ]; then
      echo "Automated renewal failed (certbot exit status $LE_STATUS)" >&2
      exit 1
  fi

Page 38: Get “A” from Qualys SSL Labs Test

Page 39: Qualys SSL Labs Test
● First, let’s see your current rating.
● Visit https://www.ssllabs.com/ssltest/

Page 40: How to get “A”
● Update/upgrade your server
● Enable only TLS, and disable all SSL
● Use only strong ciphers
● Use strong Diffie-Hellman parameters for key exchange
● Disable SSL compression
● Use Online Certificate Status Protocol (OCSP)
● Use HTTP Strict Transport Security (HSTS)

Page 41: Get “A” for Apache
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"
  SSLHonorCipherOrder on
  SSLCompression off
  SSLUseStapling on
  SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Page 42: Get “A” for nginx
  listen 443 ssl spdy;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
  ssl_prefer_server_ciphers on;
  ssl_dhparam /path/to/dhparam.pem;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Page 43: Get “A” for Lighttpd
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
  ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  ssl.honor-cipher-order = "enable"
  ssl.dh-file = "/path/to/dhparam.pem"
  ssl.use-compression = "disable"
  setenv.add-response-header = (
      "Strict-Transport-Security" => "max-age=31536000; includeSubdomains"
  )
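The “How to get A” checklist and the nginx settings above can be checked before a restart rather than only after a Qualys scan. The script below is an added example, not one of the workshop scripts: it lints an nginx config file with grep heuristics for the checklist items that have nginx directives (compression has none); the weak-cipher name list and the constructed sample config are assumptions, and it does not replace running the SSL Labs test.

```shell
#!/bin/sh
# Added example (not from the workshop): lint an nginx config file against the
# "How to get A" checklist. Grep heuristics over the file only, no connection to
# the server. Return code = number of failed checks (0 = everything present).
_has()  { printf '%s\n' "$body" | grep -Eq "$1"; }
_fail() { printf 'FAIL: %s\n' "$1"; fails=$((fails + 1)); }
tls_config_lint() {
    conf=$1; fails=0
    body=$(sed 's/#.*$//' "$conf")   # drop comments: commented-out is not configured
    # Enable only TLS, disable all SSL.
    if ! _has 'ssl_protocols[[:space:]]'; then
        _fail "ssl_protocols not set; list the TLS versions explicitly"
    elif _has 'ssl_protocols[^;]*SSLv[23]'; then
        _fail "SSLv2/SSLv3 still listed in ssl_protocols"
    fi
    # Use only strong ciphers (heuristic: a weak family at the start of a token).
    if ! _has 'ssl_ciphers[[:space:]]'; then
        _fail "ssl_ciphers not set; the built-in default may allow weak suites"
    elif _has 'ssl_ciphers[^;]*[[:space:]:](RC4|DES|3DES|MD5|aNULL|eNULL|EXPORT)'; then
        _fail "ssl_ciphers includes RC4/DES/MD5/NULL/EXPORT suites"
    fi
    _has 'ssl_prefer_server_ciphers[[:space:]]+on' || _fail "ssl_prefer_server_ciphers is not on"
    # Strong Diffie-Hellman parameters for DHE key exchange.
    _has 'ssl_dhparam[[:space:]]' || _fail "ssl_dhparam not set"
    # OCSP stapling needs a resolver to reach the CA's OCSP responder.
    if ! _has 'ssl_stapling[[:space:]]+on'; then
        _fail "ssl_stapling is not on"
    elif ! _has 'resolver[[:space:]]'; then
        _fail "ssl_stapling on but no resolver directive"
    fi
    # HSTS with a non-zero max-age (the slide uses 31536000 = one year).
    _has 'Strict-Transport-Security[^;]*max-age=[1-9]' \
        || _fail "no Strict-Transport-Security header with a non-zero max-age"
    printf '%s: %d finding(s)\n' "$conf" "$fails"
    return "$fails"
}
# Constructed sample (not a real server's config) so the script runs offline.
demo=$(mktemp)
cat > "$demo" <<'EOF'
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4-SHA:AES128-SHA;
    # ssl_stapling on;
}
EOF
tls_config_lint "$demo" || true
rm -f "$demo"
```

Run it as `tls_config_lint /etc/nginx/sites-enabled/yoursite.conf` after sourcing the file; the constructed sample reports six findings, and the Page 42 configuration reports none.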

Page 44: Q & A
Kitt Tientanopajai, D.Eng. ([email protected])
Director, Bureau of Information Technology, Khon Kaen University