首頁 » apache

2. Apache - SSL

由 datahunter 在 四, 03/05/2012 - 09:50 發表

最後更新: 2016-10-08

介紹

 

 

設定 SSL Certicate 的位置

 

SSLCertificateFile

# This is your SSL certificate file for your domain

SSLCertificateFile      ssl/datahunter.org/public.crt

* The files may also include intermediate CA certificates, sorted from leaf to root.

SSLCertificateKeyFile

# This is your private key file

SSLCertificateKeyFile   ssl/datahunter.org/private.key

SSLCertificateChainFile

# 非必要選項

# This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.

SSLCertificateChainFile  ssl/crt/intermediate.crt

 * obsolete with version 2.4.8

    when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

 

一般設定

 

<IfModule mod_ssl.c>
    SSLEngine                 on
    SSLProtocol               -all +TLSv1.2
    SSLCipherSuite            HIGH
    SSLCertificateFile        /var/www/clients/client3/web4/ssl/your_domain.crt
    SSLCertificateKeyFile     /var/www/clients/client3/web4/ssl/your_domain.key
    SSLCertificateChainFile   /var/www/clients/client3/web4/ssl/your_domain.chain
    ....
</IfModule>

 

SSL Bundle

 

It's several certificates grouped together,

that all need to be installed to make sure the one you're trying to use is fully trusted.

SSLCACertificateFile /var/www/clients/your_domain.bundle

(all-in-one file) These are used for Client Authentication.

 

ISPConfig 建立 Cert. 的過程

 

在 plugins-enabled/apache2_plugin.inc.php 內有以下一行

exec("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $key_file 2048");

 

SSLPassPhraseDialog

 

SSLPassPhraseDialog builtin
( the default where an interactive terminal dialog occurs at startup time just before Apache detaches from the terminal. )
following reuse-scheme (all known Pass Phrases (at the beginning there are none, of course) are tried. )

# 不用人手入 password

SSLPassPhraseDialog exec:/ect/apache2/key.sh      <-- Permission: -rwx------ root root

key.sh:

#!/bin/bash
echo 'your pass phrase'

其他方法:

# stdin, stdout

|/path/to/program [args...]

# two arguments ("servername:portnumber" "RSA | DSA")

exec:/path/to/program

 

Strong Security

 

SSLCipherSuite

# colon-separated cipher-spec string consisting of OpenSSL cipher specifications

# Default: Depends on OpenSSL version (openssl ciphers -v | grep TLSv1.2)

# Accepts strong encryption only

SSLCipherSuite HIGH:!aNULL:!MD5

設定的 value 有

Key Exchange Algorithm: RSA, Diffie-Hellman, Elliptic Curve Diffie-Hellman, Secure Remote Password

Authentication Algorithm: RSA, Diffie-Hellman, DSS, ECDSA, or none.

Cipher/Encryption Algorithm: AES, DES, Triple-DES, RC4, RC2, IDEA, etc.

MAC Digest Algorithm: MD5, SHA or SHA1, SHA256, SHA384.

Aliases:

HIGH         # all ciphers using Triple-DES
MEDIUM     # all ciphers with 128 bit encryption
LOW          # all low strength ciphers (no export, single DES)
SSLv3        # all SSL version 3.0 ciphers
TLSv1        # all TLS version 1.0 ciphers
aNULL       # all ciphers using no authentication

SSLProtocol

# TLSv1.2 Only

# Case-Insensitive
# -all SSLv3 TLSv1 TLSv1.1 TLSv1.2
SSLProtocol -all +TLSv1.2

Remark

Apache support 什麼 Version 的 TLS 係要看 OpenSSL library Version.

  • TLSv1.1, TLSv1.2(when using OpenSSL 1.0.1 and later)

# Disable SSLv3

SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2

* CBC-mode ciphers <= POODLE (man-in-the-middle attacks)

# Testing

# tested does not support SSLv3

openssl s_client -connect example.com:443 -ssl3

 -ssl2         - just use SSLv2
 -ssl3         - just use SSLv3
 -tls1_2       - just use TLSv1.2
 -tls1_1       - just use TLSv1.1
 -tls1         - just use TLSv1

Output:

CONNECTED(00000003)
140318663390888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
140318663390888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

Apache 的 Default setting

apache 2.2:

All = "+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2"

Openssl Version

openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

# 要 OpenSSL 1.0.1  先用到 TLSv1.1 及 TLSv1.2

# 只用 TLS 的 example

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

service httpd configtest

Server 的要求優先

# Default: off
# normally the client's preference is used.
# If this directive is enabled, the server's preference will be used instead.

SSLHonorCipherOrder  on

P.S

Other http Service high security

nginx

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Dovecot

ssl_protocols = !SSLv2 !SSLv3

Postfix

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

建議強度

https://ssl-config.mozilla.org/

MySetting

Apache 2.4

SSLProtocol         -All +TLSv1.2
SSLHonorCipherOrder on

# 用 "\" 分多行
SSLCipherSuite \
ECDHE-ECDSA-AES128-GCM-SHA256:\
ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-RSA-CHACHA20-POLY1305

 

Retrieve a list of the SSL/TLS cipher suites a particular website offers

 

https://datahunter.org/nmap#ssl-enum-ciphers.nse

 

SSLCompression

 

# Enable compression on the SSL level
# Default: off

SSLCompression on

 * Enabling compression causes security issues in most setups (the so called CRIME attack).

 

SNI 設定

 

Unlike SSL, the TLS specification allows for name-based hosts

# an extension to the SSL protocol called Server Name Indication

# include the requested hostname in the first message of its SSL handshake (connection setup).

* The desired hostname is not encrypted, so an eavesdropper can see which site is being requested.

* Apache supports SNI since Version 2.2.12

The first (default) vhost for SSL name-based virtual hosts must include TLSv1 as a permitted protocol

SSLProtocol -all +SSLv3 +TLSv1

0000ssl.conf

# Ensure Load Module
LoadModule ssl_module modules/mod_ssl.so

# Ensure that Apache listens on port 443
Listen 443
    
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# off: Go ahead and accept connections for these vhosts
# on: non SNI clients are not allowed to access any name based virtual host belonging to 
#     this IP / port combination
SSLStrictSNIVHostCheck off

0001ssl.conf

<VirtualHost *:443>
        DocumentRoot "/home/virtualhosts/???/public_html"
        ServerName x.x.x:443
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol -all +SSLv3 +TLSv1
        SSLCipherSuite HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH
        SSLCertificateFile      ssl/???.crt
        SSLCertificateKeyFile   ssl/???.key
        SSLCertificateChainFile ssl/???.ca.chain

        <Directory /home/virtualhosts/???/public_html>
                Options Includes FollowSymLinks
                AllowOverride All
        </Directory>

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
        </Files>

        SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

Common Log Format

#  defines the nickname "httpslog"

LogFormat  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %r %b" httpslog
CustomLog logs/access_log httpslog

# "\n" for new-line and "\t" for tab

  • %t    Time the request was received
  • %h    Remote host
  • %a    Remote IP-address
  • %r    First line of request
  • %b    Size of response in bytes, excluding HTTP headers.
  • %I    Bytes received, including request and headers
  • %O    Bytes sent, including headers

Example:

[30/Sep/2013:12:07:24 +0800] 192.168.88.1 TLSv1 DHE-RSA-AES256-SHA GET /system/image/icon/logo.gif

SNI Support

Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP, even Internet Explorer 8 (because the support of this feature is not browser version dependent, it depends on SChannel system component which introduced the support of TLS SNI extension, starting from Windows Vista, not XP).

 

Other Options

 

SSLOptions

Configure various SSL engine run-time options

  • The most specific one is taken completely; the options are not merged.
  • directive are preceded by a plus (+) or minus (-) symbol, the options are merged.

Usage: SSLOptions [+|-]option

i.e.

<VirtualHost _default_:443>
    ...
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>

StdEnvVars

When this option is enabled, the standard set of SSL related CGI/SSI environment variables are created.

This per default is disabled for performance reasons

Doc: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions

 

SSLUseStapling

 

Enable stapling of OCSP responses in the TLS handshake.

It allows client software using SSL to communicate with your server

    to efficiently check that your server certificate has not been revoked.

stapling: defined by the "Certificate Status Request" TLS extension specified in RFC 6066.

If enabled (and requested by the client),

    "mod_ssl" will include an OCSP response for its own certificate in the TLS handshake.

Config (C7)

SSLUseStapling   On
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)

 

要求必須 SSL

 

SSLRequireSSL

Context:    directory, .htaccess

Deny(403) access when SSL is not used for the HTTP request

 

 

Centos 6/7 的 tips

 

在 centos 上的 httpd 要另外安裝 mod_ssl 後才支援 https

 

Other

 

 

 

 

 

 

»
  • 瀏覽次數: 3268

Creative Commons license icon Creative Commons license icon