SSL Deployment Best Practices

Transcript

1. SSL Deployment Best Practices Jan Krutisch Ruby Usergroup Hamburg https://jan.krutisch.de/

   PGP-Key: A3E52A33 CF40 36B2 DBC8 83BA 29F1 3745 D400 34B1 A3E5 2A33

2. SSL? TLS?

3. Source: http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:voip:tls_sips_rtps

4. Certificates

5. Free Not free Self signed CACert Commercial

6. Self signed

7. Security vs. Trust

8. None

9. Let’s go shopping http://www.flickr.com/photos/prozla/4937459350/

10. None

11. Deployment

12. TL;DR version

13. Apache

14. SSLEngine on SSLCertificateFile /etc/ssl/private/cert.crt SSLCertificateKeyFile /etc/ssl/private/private_key.key ! SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt

15. Nginx

16. ssl on; ssl_certificate /etc/ssl/certs/ssl-bundle.crt; ssl_certificate_key /etc/ssl/private/private_key.key;

17. Test!

18. https://www.ssllabs.com/ssltest/

19. https://www.ssllabs.com/ssltest/ Dafuq?!?

20. None

21. Common issues

22. Common issues according to my story

23. Cert Chain

24. None

25. Cipher Suites

26. RC4 vs. BEAST

27. TLS compression (CRIME)

28. BREACH?

29. Forward Secrecy

30. EDH vs. EECDH

31. Ephemeral (Elliptic Curve) Diffie Hellman

32. # Apache SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM

    EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" ! # Nginx ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
33. None

34. Bam!

35. Domains vs. IPs

36. Server Name Indication

37. None
38. None