2. Apache2.2 - SSL

Last updated: 2016-10-08

 

Introduction

 

 


Setting the SSL certificate locations

 

SSLCertificateFile

# This is your SSL certificate file for your domain

SSLCertificateFile /usr/local/ssl/crt/public.crt
 

SSLCertificateKeyFile

# This is your private key file

SSLCertificateKeyFile /usr/local/ssl/private/private.key

 

SSLCertificateChainFile

# This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.

SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt

 


General settings

 

<IfModule mod_ssl.c>
    SSLEngine                 on
    SSLProtocol               -all +TLSv1.2
    SSLCipherSuite            HIGH
    SSLCertificateFile        /var/www/clients/client3/web4/ssl/your_domain.crt
    SSLCertificateKeyFile     /var/www/clients/client3/web4/ssl/your_domain.key
    SSLCertificateChainFile   /var/www/clients/client3/web4/ssl/your_domain.chain
    ....
</IfModule>

 


SSL Bundle

 

A bundle is several certificates grouped together; all of them need to be installed to make sure the one you're trying to use is fully trusted.

SSLCACertificateFile /var/www/clients/your_domain.bundle

(All-in-one file.) These certificates are used for client authentication.

 


How ISPConfig creates the certificate

 

plugins-enabled/apache2_plugin.inc.php contains the following line:

exec("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $key_file 2048");

 


SSLPassPhraseDialog

 

SSLPassPhraseDialog builtin

# builtin is the default: an interactive terminal dialog occurs at startup time, just before Apache detaches from the terminal.
# A reuse scheme applies: all known pass phrases (at the beginning there are none, of course) are tried.

# Avoid typing the password by hand

SSLPassPhraseDialog exec:/etc/apache2/key.sh      <-- Permission: -rwx------ root root

key.sh:

#!/bin/bash
echo 'your pass phrase'

Other methods:

# stdin, stdout

|/path/to/program [args...]

# two arguments ("servername:portnumber" "RSA | DSA")

exec:/path/to/program
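
A helper for the exec: form that actually uses the two arguments Apache passes, as an added example (not code from the original page). The table path /etc/apache2/passphrases and its "<servername:port> <RSA|DSA> <pass phrase>" layout are hypothetical; the helper refuses to answer if the table is accessible to group or others.

```sh
#!/bin/sh
# Added example. PASS_DB and its line format are assumptions:
#   <servername:portnumber> <RSA|DSA> <pass phrase (may contain spaces)>
PASS_DB=${PASS_DB:-/etc/apache2/passphrases}    # hypothetical path

lookup_passphrase() {    # $1 = "servername:portnumber", $2 = "RSA" or "DSA"
    db=$PASS_DB
    [ -f "$db" ] || { echo "missing $db" >&2; return 2; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$db" | cut -c5-10)" != "------" ]; then
        echo "refusing: $db is accessible to group/others" >&2
        return 3
    fi
    # Print only the pass phrase of the first matching row; fail if none.
    awk -v srv="$1" -v alg="$2" '
        $1 == srv && $2 == alg {
            sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "")
            print; found = 1; exit
        }
        END { exit !found }' "$db"
}

# Apache calls: key.sh "servername:portnumber" "RSA|DSA"
if [ $# -eq 2 ]; then
    lookup_passphrase "$1" "$2"
fi
```
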

 


Strong Security

 

SSLCipherSuite

# colon-separated cipher-spec string consisting of OpenSSL cipher specifications

# Default: Depends on OpenSSL version (openssl ciphers -v | grep TLSv1.2)

# Accepts strong encryption only

SSLCipherSuite HIGH:!aNULL:!MD5

Possible values:

Key Exchange Algorithm: RSA, Diffie-Hellman, Elliptic Curve Diffie-Hellman, Secure Remote Password

Authentication Algorithm: RSA, Diffie-Hellman, DSS, ECDSA, or none.

Cipher/Encryption Algorithm: AES, DES, Triple-DES, RC4, RC2, IDEA, etc.

MAC Digest Algorithm: MD5, SHA or SHA1, SHA256, SHA384.

Aliases:

HIGH         # all ciphers using Triple-DES
MEDIUM     # all ciphers with 128 bit encryption
LOW          # all low strength ciphers (no export, single DES)
SSLv3        # all SSL version 3.0 ciphers
TLSv1        # all TLS version 1.0 ciphers
aNULL       # all ciphers using no authentication

SSLProtocol

# TLSv1.2 Only

# Case-Insensitive
# -all SSLv3 TLSv1 TLSv1.1 TLSv1.2
SSLProtocol -all +TLSv1.2

Remark

Which TLS versions Apache supports depends on the OpenSSL library version.

  • TLSv1.1, TLSv1.2 (when using OpenSSL 1.0.1 and later)

# Disable SSLv3

SSLProtocol all -SSLv2 -SSLv3

* SSLv3 CBC-mode ciphers are vulnerable to POODLE (a man-in-the-middle attack)

# Testing

# Check that the server does not support SSLv3

openssl s_client -connect example.com:443 -ssl3

 -ssl2         - just use SSLv2
 -ssl3         - just use SSLv3
 -tls1_2       - just use TLSv1.2
 -tls1_1       - just use TLSv1.1
 -tls1         - just use TLSv1

Output:

CONNECTED(00000003)
140318663390888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
140318663390888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

# Apache's default setting

apache 2.2:

All = "+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2"

# Openssl Version

openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

# OpenSSL 1.0.1 or later is required before TLSv1.1 and TLSv1.2 can be used

# Example: TLS only

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

service httpd configtest

# Give the server's preference priority

# Default: off
# normally the client's preference is used.
# If this directive is enabled, the server's preference will be used instead.

SSLHonorCipherOrder  on

P.S.

High-security settings for other services

nginx

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Dovecot

ssl_protocols = !SSLv2 !SSLv3

Postfix

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

My setting

SSLProtocol       -All +TLSv1.2
SSLCipherSuite    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256

 


Retrieve a list of the SSL/TLS cipher suites a particular website offers

 

https://datahunter.org/nmap#ssl-enum-ciphers.nse

 


SSLCompression

 

# Enable compression on the SSL level
# Default: off

SSLCompression on

 * Enabling compression causes security issues in most setups (the so called CRIME attack).
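
A small config audit for the SSLProtocol and SSLCompression directives discussed above, as an added example (not part of the original notes). It works out the effective protocol set of each SSLProtocol line and reports lines that leave SSLv2/SSLv3 or compression enabled. Assumptions: a bare token without +/- replaces the whole set, and "all" means the five protocols listed above for Apache 2.2; the sample config is constructed from directives on this page.

```sh
#!/bin/sh
# Added example. Assumption: a bare token (no +/-) replaces the whole set,
# and "all" means the five protocols listed on this page for Apache 2.2.

effective_protocols() {    # $1 = arguments of one SSLProtocol directive
    printf '%s\n' "$1" | awk '
    BEGIN { n = split("sslv2 sslv3 tlsv1 tlsv1.1 tlsv1.2", name, " ") }
    {
        for (i = 1; i <= NF; i++) {
            tok = tolower($i); act = ""          # directive is case-insensitive
            if (tok ~ /^[+-]/) { act = substr(tok, 1, 1); tok = substr(tok, 2) }
            if (act == "") for (k = 1; k <= n; k++) on[name[k]] = 0
            for (k = 1; k <= n; k++)
                if (tok == "all" || tok == name[k]) on[name[k]] = (act == "-") ? 0 : 1
        }
        out = ""
        for (k = 1; k <= n; k++)
            if (on[name[k]]) out = out (out == "" ? "" : " ") name[k]
        print (out == "" ? "none" : out)
    }'
}

audit_conf() {    # reads a config on stdin, prints "<line>: <finding>"
    grep -inE '^[[:space:]]*(SSLProtocol|SSLCompression)[[:space:]]' |
    while IFS=: read -r lineno directive; do
        set -- $directive                        # split directive on whitespace
        name=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        if [ "$name" = sslprotocol ]; then
            eff=$(effective_protocols "$*")
            case " $eff " in
                *" sslv2 "*|*" sslv3 "*) echo "$lineno: legacy protocol enabled ($eff)" ;;
            esac
        elif [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = on ]; then
            echo "$lineno: SSLCompression on (CRIME)"
        fi
    done
}

sample_conf() {    # constructed input built from directives shown on this page
    cat <<'EOF'
SSLProtocol -all +TLSv1.2
SSLProtocol -all +SSLv3 +TLSv1
SSLCompression on
SSLCipherSuite HIGH:!aNULL:!MD5
EOF
}

sample_conf | audit_conf
```

To audit a real file, feed it on stdin, for example audit_conf < /etc/httpd/conf.d/ssl.conf, and follow up with service httpd configtest after any change.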

 

 


SNI configuration

 

Unlike SSL, the TLS specification allows for name-based virtual hosts.

# Server Name Indication (SNI) is an extension to the SSL protocol.

# The client includes the requested hostname in the first message of its SSL handshake (connection setup).

* The desired hostname is not encrypted, so an eavesdropper can see which site is being requested.

* Apache supports SNI since Version 2.2.12

The first (default) vhost for SSL name-based virtual hosts must include TLSv1 as a permitted protocol

SSLProtocol -all +SSLv3 +TLSv1

0000ssl.conf

# Ensure Load Module
LoadModule ssl_module modules/mod_ssl.so

# Ensure that Apache listens on port 443
Listen 443
    
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# off: Go ahead and accept connections for these vhosts
# on: non SNI clients are not allowed to access any name based virtual host belonging to 
#     this IP / port combination
SSLStrictSNIVHostCheck off

0001ssl.conf

<VirtualHost *:443>
        DocumentRoot "/home/virtualhosts/???/public_html"
        ServerName x.x.x:443
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol -all +SSLv3 +TLSv1
        SSLCipherSuite HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH
        SSLCertificateFile /etc/httpd/conf.d/ssl/???.crt
        SSLCertificateKeyFile /etc/httpd/conf.d/ssl/???.key
        SSLCertificateChainFile /etc/httpd/conf.d/ssl/???.ca.chain

        <Directory /home/virtualhosts/???/public_html>
                Options Includes FollowSymLinks
                AllowOverride All
        </Directory>

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
        </Files>

        SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

 

Common Log Format

#  defines the nickname "httpslog"

LogFormat  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %r %b" httpslog
CustomLog logs/access_log httpslog

# "\n" for new-line and "\t" for tab

  • %t    Time the request was received
  • %h    Remote host
  • %a    Remote IP-address
  • %r    First line of request
  • %b    Size of response in bytes, excluding HTTP headers.
  • %I    Bytes received, including request and headers
  • %O    Bytes sent, including headers

Example:

[30/Sep/2013:12:07:24 +0800] 192.168.88.1 TLSv1 DHE-RSA-AES256-SHA GET /system/image/icon/logo.gif
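
Once the httpslog format is in place, the log shows which clients still negotiate old protocols, which is worth knowing before tightening SSLProtocol. The following is an added example (not from the original notes) that tallies protocols and lists clients below TLSv1.2; the log lines are constructed, with the request line and byte count filled in as the format string implies.

```sh
#!/bin/sh
# Added example for the "httpslog" format above. %t spans two whitespace
# fields, so: $3 = client host, $4 = SSL_PROTOCOL, $5 = SSL_CIPHER.
# Plain-HTTP requests log "-" for the SSL variables and are skipped.

protocol_summary() {    # stdin: log lines; stdout: "<count> <protocol>"
    awk 'NF >= 5 && $4 != "-" { c[$4]++ }
         END { for (p in c) print c[p], p }' |
    sort -k1,1nr -k2,2
}

legacy_clients() {      # stdout: "<host> <protocol> <cipher> <count>"
    awk '$4 ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/ { c[$3 " " $4 " " $5]++ }
         END { for (k in c) print k, c[k] }' |
    sort
}

sample_log() {          # constructed log lines in the httpslog format
    cat <<'EOF'
[30/Sep/2013:12:07:24 +0800] 192.168.88.1 TLSv1 DHE-RSA-AES256-SHA GET /system/image/icon/logo.gif HTTP/1.1 1043
[30/Sep/2013:12:07:25 +0800] 192.168.88.1 TLSv1 DHE-RSA-AES256-SHA GET /index.html HTTP/1.1 512
[30/Sep/2013:12:08:01 +0800] 192.168.88.7 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 GET / HTTP/1.1 2210
[30/Sep/2013:12:09:13 +0800] 192.168.88.9 SSLv3 DES-CBC3-SHA GET /login HTTP/1.0 731
[30/Sep/2013:12:09:40 +0800] 192.168.88.7 - - GET /robots.txt HTTP/1.1 24
EOF
}

echo "== protocols =="
sample_log | protocol_summary
echo "== clients below TLSv1.2 =="
sample_log | legacy_clients
```
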

SNI Support

Internet Explorer 7 or later, on Windows Vista or higher. It does not work on Windows XP, even with Internet Explorer 8, because support for this feature does not depend on the browser version; it depends on the SChannel system component, which introduced support for the TLS SNI extension starting with Windows Vista, not XP.

 


Other Options

 

SSLOptions

SSLOptions [+|-]option

Configure various SSL engine run-time options

StdEnvVars - the standard set of SSL related CGI/SSI environment variables are created.

DOC: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions

 


CentOS 6/7 tips

 

On CentOS, httpd only supports HTTPS after mod_ssl has been installed separately.

 


Other