Skip to content

Instantly share code, notes, and snippets.

@sebble

sebble/00-Introduction.md

Last active October 18, 2015 22:06
Show Gist options
  • Save sebble/bd58d3494299735c171d to your computer and use it in GitHub Desktop.
Save sebble/bd58d3494299735c171d to your computer and use it in GitHub Desktop.
Download ZIP
SSL Security
Raw
00-Introduction.md

SSL Security

Important -- This is information gathered from the internet and may be incorrect, dangerous, or just outdated. The configuration options chosen here are just an example.

See https://mozilla.github.io/server-side-tls/ssl-config-generator/ See https://shaaaaaaaaaaaaa.com/

Overview

  • 01 - Generate key, csr, extension (optional), crt, pem
  • 02 - Update protocols for web server
  • 03 - Test certificates

Resources

Notes

It is good practice to serve the full certificate chain, this also avoids the insecure certificate message on android devices. See http://stackoverflow.com/a/13864846.

There is a trade off between allowing theoretically (but impractically) insecure protocols and supporting all browsers, this concerns attacks on RC4 and BEAST. See https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what.

I've lost the information about generating DH keys, sorry - will add this if I find it, but DH may not be well supported or recommended. See http://security.stackexchange.com/questions/44251/openssl-generate-different-type-of-self-signed-certificate, https://gist.github.com/plentz/6737338.

Look into HSTS (although this may break a self-signed certificate). See https://scotthelme.co.uk/setting-up-hsts-in-nginx/.

State of SSL. See https://www.trustworthyinternet.org/ssl-pulse/.

Commands. See http://www.sslshopper.com/article-most-common-openssl-commands.html.

Raw
01-example.com.ext
[ example_http ]
nsCertType = server
keyUsage = digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @example_http_subject
[ example_http_subject ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = *.example.com
Raw
01-generate-key.sh
# generate strong key (and request)
openssl req -out example.com.csr -new -newkey rsa:2048 -sha512 -nodes -keyout example.com.key
# note: '-new' may not be required, rsa:
# generate (only) request
openssl req -new -sha512 -key example.com.key -out example.com.csr
# add additional subdomains
vi example.com.ext
# sign certificate (self-signed only)
openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt
# OR
openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt -extfile example.com.ext -extensions example_http
# concatenate key chain
cat example.com.crt bundle.crt > example.com.chained.pem
Raw
02-nginx-default.conf
# enable SSL
ssl on;
ssl_certificate /etc/ssl/certs/example.com.chained.pem;
ssl_certificate_key /etc/ssl/private/example.com.key;
# configure the protocols for reasonable security (matter of preference here)
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+RC4:EDH+aRSA:EECDH:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
# consider redirecting all http traffic
server {
listen 80;
server_name example.com;
return 302 https://example.com$request_uri;
}
Raw
03-test-keys.sh
echo Do the following match?
echo
openssl rsa -in example.com.key -modulus -noout
echo
openssl x509 -in example.com.crt -modulus -noout
echo
openssl x509 -in example.com.chained.pem -modulus -noout
echo
echo Does the following show success?
echo
openssl s_client -connect example.com:443
echo
echo Now try https://www.ssllabs.com/ssltest/analyze.html
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment