コピペでQualys SSL Server Test A+ ゲットだぜ！

Transcript

1. ίϐϖͰQualys SSL Server Test A+ ήοτͩͥʂ atpons @ IGGG Meetup

   2016 Summer

2. ࣗݾ঺հ

3. atpons / ϙϯਣ

4. https://atpons.com/ ϗεςΟϯά࣌ͷ஌ݟ

5. Έͳ͞Μ SSL ͯ͠·͔͢ʁ

6. Έͳ͞Μ TLS ͯ͠·͔͢ʁ

7. None

8. ҆શͳ઀ଓ

9. ੲͷৗࣝ

10. ূ໌ॻߴ͍

11. ࠓͷৗࣝ

12. None

13. ແྉͷূ໌ॻ

14. ςετ؀ڥ

15. - Ubuntu 16.04.1 LTS - Apache/2.4.18 (Ubuntu) - $ sudo

    letsencrypt —-apache ࡁ ˎˎˎˎˎˎˎˎˎˎ on DigitalOcean

16. ͳɺͳΜͩͬͯʁ

17. ʮnginxʯͩͱʁ

18. ;ɺ;͚͟Δͳ ✊

19. ʮApacheʯͰ ѹ౗త੒௕

20. SSL/TLSͷ੬ऑੑ

21. Heartbleed POODLE etc…

22. HTTPSαʔό ઃఆͷॏཁੑ

23. SSL/TLS͸ ༗ޮ͚ͩͰ͸ ҙຯ͕ͳ͍

24. ݹ͍ Cipher SuiteͰ͸ ҙຯ͕ͳ͍

25. Cipher Suite ʹԿΛબͿ 5-4పఈԋश
    
    4QFBLFS
    %FDL
    IUUQTTQFBLFSEFDLDPNTIJHFLJUMTDIFEJZBOYJ
    ΑΓҾ༻ ࠓ͸5-4ʹԿΛ࢖͏ʁ 伴ަ׵ 34" 'PSXBSE
    4FDSFDZ %)& &$%)&

    σδλϧॺ໊ 34" %44
    %4" &$%4" ର৅҉߸ %&4 3$ "&4 $IB$IB ͦͷଞ ҉߸Ϟʔυ $#$ "&"% $$. ($. 1PMZ ϝοηʔδೝূ
    ʢϋογϡʣ .% 4)" 4)" 4)" ੺ɿ࢖Θͳ͍ɺ
    
    ԫɿ஫ҙɺ
    ྘ɿࠓͷͱ͜Ζ࢖ͬͯେৎ෉ ஫ҙ͸ɺ҉߸ֶత஫ҙͱকདྷతʹීٴ͕ݟࠐ·Εͳ͍஫ҙ΋ؚ·Ε·͢ ͪͳΈʹɺ
    ྔࢠίϯϐϡʔλͰ伴ަ׵ɺσδλ ϧॺ໊͸શ෦Ξ΢τʂ Cipher Suite

26. HTTPSαʔόςετͷ ॏཁੑ

27. Qualys SSL Server Test

28. Qualys SSL Server Test

29. ͱΓ͋͑ͣ͜͜Ͱ A+ औͬͯQiitaʹࡌͤ Ε͹͍͍ΜͰ͠ΐ

30. None

31. HTTPSαʔό ઃఆͩΔ͍ʁ

32. ྑ͍ײ͡ͷ configΛు͘

33. Mozilla SSL Configuration Generator

34. https://mozilla.github.io/ server-side-tls /ssl-config-generator/

35. σϞ

36. Demo • Mozilla SSL Configuration Generator • Apache / Intermediate

    / HSTS Enabled • Cipher Suite • ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE- ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA- AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE- RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256- SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA- AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128- SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3- SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM- SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- SHA:AES256-SHA:DES-CBC3-SHA:!DSS

37. Qualys SSL Server Test

38. A+ήοτͩͥʂ

39. Conclusion • A+ ධՁΛಘΔͨΊʹ͸ϓϩτίϧ΍Cipher Suiteͷ ݟ௚͕͠ඞཁ • ࠓޙHTTP/2ߦ͘ͳΒTLS 1.2͕ཁ݅ʹͳ͍ͬͯΔ •

    ͋͘·Ͱ΋HTTPSαʔόͷSSL/TLSͷݕূ • Webαʔόࣗମͷ੬ऑੑ΍ɼXSSͱ͔ɼҰൠతͳη ΩϡϦςΟରࡦ͸ඞཁͰ͢ʢࠓճ͸লུ͍ͯ͠·͢ʣ

40. Conclusion • Let’s Encrypt • DVূ໌ॻͳͷͰݸਓϢʔε޲͚ͩΑͶ • 90೔Ͱͷߋ৽͕ඞཁͳͷͰͦͷ࡞ۀͷࣗಈ ԽΛ๨ΕΔͱࠔΔ •

    ΋ͪΖΜcronͰࣗಈԽʙ

41. ࢀߟจݙ • TLSపఈԋश • https://speakerdeck.com/shigeki/tlsche-di- yan-xi