HTTPSを正しく設定しよう

Transcript

1. HTTPSΛ ਖ਼͘͠ઃఆ͠Α͏ IIJ Technical NIGHT vol.5 Ϋϥ΢υຊ෦ ⅓㟒 Ұथ

2. ⅓㟒 Ұथ • ৽ଔೖࣾ6೥໨ • ॴଐ: Ϋϥ΢υຊ෦ Ϋϥ΢υαʔϏε1෦ 
 ύϒϦοΫϦιʔε1՝

   • ͓͠͝ͱ • IIJ GIOΠϯϑϥετϥΫνϟʔP2 • IIJ GIOϗεςΟϯάύοέʔδαʔϏε • ओʹύϒϦοΫΫϥ΢υͷϑϩϯτΤϯυ։ൃɾ ӡ༻

3. ҉߸Խ͕ඞཁͳ৔໘ • WebαΠτ ⾨ ࠓճ࿩͢ͱ͜Ζ • ϝʔϧ • DNS (DNSSEC)

   • SIP (IPి࿩) • SSH • VPN • ແઢLAN

4. WebαΠτΛHTTPSԽ͢Δͱ͖ • HTTPSͷϖʔδ಺ͰHTTPͷίϯςϯπΛಡΈ ࠐΉͱϒϥ΢βʹܯࠂ͕දࣔ͞ΕΔ • Mixed Contents ໰୊ • HTTPͰಡΈࠐΜͩίϯςϯπʢjsͳͲʣ͕վ

   ͟Μ͞Εͯ͠·͏ͱҙຯ͕ͳ͍ • ·ͱΊͯ҉߸Խ͠Α͏

5. HTTPSΛઃఆ͢Δͷ͸೉͍͠ • ऑ͍҉߸ɺ੬ऑͳ҉߸ • தؒূ໌ॻ͕ೖ͍ͬͯͳ͍ • ظݶ͕੾Εͨ…

6. SSL/TLSͷ࢓૊Έ 1. ઀ଓཁٻ 2. αʔόূ໌ॻΛૹ෇ 4. ڞ௨伴ૹ৴ ҉߸Խ͞Εͨڞ௨伴 ڞ௨伴 ڞ௨伴

   ҉߸Խ͞Εͨڞ௨伴 ൿີ伴 ূ໌ॻ 3. ڞ௨伴Λੜ੒ 5. ൿີ伴Ͱڞ௨伴ΛऔΓग़͢ ূ໌ॻ ૹΒΕ͖ͯͨެ։伴ͱ௨৴ઌ͕Ұக͢Δ͔ ిࢠॺ໊Ͱݕূ 6. ҆શʹަ׵ͨ͠ڞ௨伴Ͱ҉߸௨৴Λߦ͏ αʔόʔ ΫϥΠΞϯτ

7. ূ໌ॻΛ࡞Δ

8. ূ໌ॻΛखʹೖΕΔ ൿີ伴 ࣋ͪओΛݕূ ެ։伴Λॺ໊ ূ໌ॻ αʔόʔ ެ։伴 CSR(Certificate Signing Request)

   ެ։伴 DN ೝূہ CA: Certification Authority DN: DistinguishedName

9. ೝূہ͸ԿΛ֬ೝ͍ͯ͠Δͷ͔ ൿີ伴 ࣋ͪओΛݕূ ެ։伴Λॺ໊ ূ໌ॻ αʔόʔ ެ։伴 CSR(Certificate Signing Request)

   ެ։伴 DN ೝূہ CA: Certification Authority DV: Domain Validation υϝΠϯͷར༻ݖ OV: Organization Validation DV+૊৫ͷ࣮ࡏੑ EV: Extended Validation OV+υϝΠϯ໊ͱӡӦ૊৫ͱͷؔ܎

10. OpenSSLίϚϯυͰ࡞੒ $ openssl genrsa -des3 -out private.key 2048 Generating RSA

    private key, 2048 bit long modulus ............................+++ e is 65537 (0x10001) Enter pass phrase for private.key: $ openssl req -new -key private.key -out server.csr Country Name (2 letter code) [XX]:JP State or Province Name (full name) []:Tokyo Locality Name (eg, city) [Default City]:Chiyoda-ku Organization Name (eg, company) [Default Company Ltd]:Internet Initiative Japan Inc. Organizational Unit Name (eg, section) []:Cloud Division Common Name (eg, your name or your server's hostname) []:example.com ൿີ伴Λ࡞Δ CSRΛ࡞Δ DistinguishedNameΛฉ͔ΕΔͷͰೖྗ͢Δ

11. CFSSL: Cloudflare's PKI and TLS toolkit • jsonͰઃఆ஋Λ؅ཧɻࣗಈԽ΋Ͱ͖Δɻ { "CN":

    "example.net", "hosts": ["example.net",ɹ"www.example.net"], "key": {"algo": "ecdsa", "size": 256}, "names": [{"C": "US", "ST": "CA", "L": “San…”}] } $ cfssl genkey csr.json ൿີ伴ͱCSRΛੜ੒

12. ূ໌ॻΛઃఆ͢Δ

13. Apache HTTPD Server <VirtualHost *:443> ... SSLEngine on SSLCertificateFile /path/to/signed_cert_plus_intermediates

    SSLCertificateKeyFile /path/to/private/key ... </VirtualHost> SSLProtocol all -SSLv2 SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off …

14. ൿີ伴ΛͲ͜ʹஔ͔͘ • HashiCorp Vault • “secret” ʹ҆શʹΞΫηε͢ΔͨΊͷπʔϧ • ൿີͷ৘ใΛ҉߸Խͯ͠อଘ͢ΔKey-Value Store

    • Φʔϓϯιʔε൛͸ແྉͰར༻Ͱ͖Δ

15. IIJαʔόূ໌ॻ؅ཧαʔϏε • Web UIͰൿີ伴ͱCSRͷ࡞੒͕Ͱ͖Δ • ࿈ܞαʔϏε(CDN, WebϗεςΟϯά)ͳΒࣗ ಈͰূ໌ॻΛΠϯετʔϧɺࣗಈߋ৽ • ൿີ伴ΛϢʔβ͕؅ཧ͢Δඞཁ͕ͳ͍

16. ϩʔυόϥϯαʔ͕͋Δߏ੒ ΫϥΠΞϯτ αʔόʔ αʔόʔ αʔόʔ ϩʔυόϥϯαʔ ϓϥΠϕʔτωοτϫʔΫ HTTP HTTPS HTTP

    HTTP ূ໌ॻ ൿີ伴

17. Pulse Secure Virtual Traffic Manager • IIJ GIOͰఏڙ͍ͯ͠ΔL7ϩʔυόϥϯαʔ • LB಺ͰͷCSRൃߦػೳ͕͋Δ

18. AWS: Elastic Load Balancing • AWS Certificate Managerͱ૊Έ߹ΘͤΔͱ DVূ໌ॻ͕औಘͰ͖Δɻʢࣗಈߋ৽΋Մೳʣ

19. ઃఆΛ֬ೝ͢Δ

20. OpenSSLͰݟͯΈΔ $ openssl s_client -CAfile /etc/ssl/certs/ca-bundle.crt -verify 10 - connect

    example.com:443 verify depth is 10 CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 Verify return code: 0 (ok) Verify return code: 21 (unable to verify the first certificate) ͩΊͳͱ͖

21. SSL Server Test Powered by Qualys SSL Labs • ੬ऑੑ਍அɾ؅ཧαʔϏεΛఏڙ͢ΔQualys

    ࣾʹΑΔπʔϧ • ධՁج४͸ SSL Server Rating Guide

22. www.iij.ad.jp

23. தؒূ໌ॻͷઃఆϛε • தؒূ໌ॻ͸ϒϥ΢βͰิ׬͞ΕΔͷͰϛε ʹؾ͖ͮʹ͍͘

24. ༗ޮʹͳ͍ͬͯΔϓϩτίϧ

25. ϋϯυγΣΠΫγϛϡϨʔγϣϯ

26. ΑΓηΩϡΞͳ ઃఆʹ͢ΔͨΊʹ

27. Apache 2.2 on CentOS6 • SSLv3͕༗ޮ • RC4͕༗ޮ

28. Apache 2.4 on CentOS7 • 3DESͳͲͷऑ͍҉߸ΞϧΰϦζϜ͕༗ޮ

29. nginx 1.12.2 on CentOS7 • epelͳͷͰൺֱతྑ͍ઃఆ͕ೖ͍ͬͯΔ

30. σϑΥϧτͷઃఆ͸ऑ͍

31. certbotͷੜ੒͢Δઃఆ • certbot͸Let’s Encrypt ͷূ໌ॻΛऔಘɾߋ৽͢ΔεΫϦϓτ • apache2.2 + certbotͷઃఆ

32. Mozilla SSL Configuration Generator • ιϑτ΢ΣΞͱڧ౓ΛબͿͱ͓͢͢ΊઃఆΛ ࣗಈੜ੒

33. A+Λ໨ࢦ͢ʹ͸ • HSTS༗ޮԽ

34. HTTP Strict Transport Security • αʔό͕ϒϥ΢βʹରͯ͠HTTPSΛ࢖͏Α͏ʹ఻͑ Δ࢓૊Έ • ϒϥ΢β͕֮͑ͯ࣍ճҎ߱ڧ੍తʹHTTPSͰ
 ΞΫηε͢Δ

    • վ͟Μ͞ΕͨαΠτ΁ͷ༠ಋΛ๷ࢭ • Strict-Transport-Security ϔομΛ௥Ճ • securityheaders.com ͰϔομͷνΣοΫ͕Ͱ͖Δ

35. ELBͷηΩϡϦςΟϙϦγʔ • ࣄલʹఆٛ͞ΕͨʮηΩϡϦςΟϙϦγʔʯ ͕༻ҙ͞Ε͍ͯΔ

36. ΢Σϒϒϥ΢βʹ͓͚ΔTLS/SSL ͷରԠঢ়گ • IIJͰ͸αʔϏεԣஅͰ౷Ұతͳج४Λઃఆ • ࣮ࡍͷΞΫηεঢ়گΛݟͯ൑அ • ϝʔϧγεςϜ΍APIɺήʔϜػͳͲ͸
 ཁ஫ҙ •

    αʔόʔOS͸αϙʔτ͕௕͍

37. ϢʔβΛ஌Δ SSLOptions +StdEnvVars CustomLog logs/ssl_cipher.log "%t %h %{SSL_PROTOCOL}e %{SSL_CIPHER} e

    %{SSL_SESSION_ID}e %{SSL_SESSION_RESUMED}e" Nginx log_format ssl "$time_local $remote_addr $ssl_protocol $ssl_cipher $ssl_session_id $ssl_session_reused”; Apache2.4 nginx

38. PCI DSS Payment Card Industry Data Security Standard • Χʔυ৘ใηΩϡϦςΟͷࠃࡍ౷Ұج४

    • Χʔυ৘ใΛ؅ཧɺॲཧɺ఻ૹ͢Δ͢΂ͯͷ ૊৫͕ର৅ • v3.2 • 2018/06/30·ͰʹSSLͱTLS1.0ͱ1.1ͷҰ෦ ͷ࣮૷͸ഇࢭ

39. ূ໌ॻΛӡ༻͢Δ

40. ূ໌ॻͷ༗ޮظݶ͸௕͍ • ௨ৗͷূ໌ॻ͸࠷௕2೥༗ޮ • ߋ৽Λ๨Εͯ͠·͏ • ؂ࢹΛ͠Α͏ • IIJͰ͸ࣾ಺πʔϧͰ؂ࢹ

41. IIJ౷߹ӡ༻؅ཧαʔϏε ύτϩʔϧΫϥϦε

42. mackerel: ͸ͯͳͷ؂ࢹSaaS • URL֎ܗ؂ࢹͰূ໌ॻͷ༗ޮظݶ؂ࢹΛઃఆ

43. SSL؂ࢹ • ऑ͍҉߸ΞϧΰϦζϜ͕༗ޮʹͳ͍ͬͯͳ͍ ͔Ͳ͏͔Λఆظతʹ؂ࢹ • ࣾ಺Ͱ͸ઐ༻πʔϧͰ८ճ؂ࢹ • ূ໌ॻ؂ࢹΛઃఆ͢ΔͱࣗಈͰݕࠪ • ࣗ෼Ͱ࡞Δ৔߹͸

    • SSL Labs APIs ͱ CLIπʔϧ • rbsec/sslscan

44. ·ͱΊ • ࣗࣾαΠτΛνΣοΫ͠·͠ΐ͏ • σϑΥϧτͷઃఆ͸ऑ͍͜ͱ͕͋Γ·͢ • ͓͢͢ΊઃఆΛࢀߟʹ͠·͠ΐ͏ • ূ໌ॻ؂ࢹΛઃఆ͠Α͏ •

    ؂ࢹαʔϏεͰઃఆͯ͠ΈΑ͏ • ূ໌ॻΛ؅ཧ͢ΔαʔϏε΍ࣗಈԽπʔϧͰ؅ ཧͷෛ୲ΛݮΒָͯ͠ʹ҆શͳঢ়ଶΛ
 ҡ࣋͠Α͏