
Get an A+ on the Qualys SSL Server Test with Copy-Paste!

atpons
September 25, 2016

Reviewing the configuration


Transcript

  1. - Ubuntu 16.04.1 LTS
     - Apache/2.4.18 (Ubuntu)
     - $ sudo letsencrypt --apache (done)
     - on DigitalOcean
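  2. Choosing the cipher suite (quoted from the Speaker Deck "TLS徹底演習" by shigeki)

     What should you use for TLS today?

     - Key exchange: RSA, Forward Secrecy, DHE, ECDHE
     - Digital signature: RSA, DSS, DSA, ECDSA
     - Symmetric cipher: DES, RC, AES, ChaCha, others
     - Cipher mode: CBC, AEAD, CCM, GCM, Poly
     - Message authentication (hash): MD, SHA, SHA, SHA

     Red: do not use. Yellow: caution. Green: fine to use for now.
     "Caution" covers both cryptographic concerns and algorithms that are not expected to see wide adoption in the future.
     Incidentally, with quantum computers, key exchange and digital signatures are all out!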
  3. Demo
     • Mozilla SSL Configuration Generator
     • Apache / Intermediate / HSTS Enabled
     • Cipher Suite

     ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
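  4. Conclusion
     • To earn an A+ rating, you need to review your protocols and cipher suites
     • If you plan to move to HTTP/2, TLS 1.2 is a requirement
     • This is only a verification of the HTTPS server's SSL/TLS
     • Vulnerabilities in the web server itself, XSS, and other general security measures still need attention (omitted this time)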
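
The slide 3 cipher string broken down by the slide 2 categories (key exchange, signature, cipher, mode, message authentication), as an added example that is not part of the original deck. The function names are illustrative, and the parsing rules assume OpenSSL's suite naming convention.

```python
# Added example: classify the slide 3 cipher string by slide 2's categories.
# The string is copied from the slide; function names are illustrative.
CIPHER_STRING = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

def parse_suite(name):
    # Split one OpenSSL suite name into key exchange, signature, cipher, mode, MAC.
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE", "EDH"):      # ephemeral DH: forward secrecy
        kx, auth, rest = ("DHE" if parts[0] == "EDH" else parts[0]), parts[1], parts[2:]
    else:                                        # no prefix: static RSA key exchange
        kx, auth, rest = "RSA", "RSA", parts
    hmac = "HMAC-" + ("SHA1" if rest[-1] == "SHA" else rest[-1])
    if rest[:2] == ["CHACHA20", "POLY1305"]:
        cipher, mode, mac = "ChaCha20", "AEAD", "Poly1305"
    elif "GCM" in rest:                          # trailing SHAxxx is the PRF hash here
        cipher, mode, mac = rest[0], "AEAD", "GCM"
    elif rest[:2] == ["DES", "CBC3"]:
        cipher, mode, mac = "3DES", "CBC", hmac
    else:
        cipher, mode, mac = rest[0], "CBC", hmac
    return {"name": name, "kx": kx, "auth": auth, "cipher": cipher,
            "mode": mode, "mac": mac, "forward_secrecy": kx != "RSA"}

def classify(cipher_string):
    items = cipher_string.split(":")
    suites = [parse_suite(i) for i in items if not i.startswith("!")]
    excluded = [i[1:] for i in items if i.startswith("!")]  # "!" entries are exclusions
    return suites, excluded                      # suites stay in preference order

def summary(suites):
    return {"total": len(suites),
            "forward_secrecy": sum(s["forward_secrecy"] for s in suites),
            "aead": sum(s["mode"] == "AEAD" for s in suites),
            "3des": sum(s["cipher"] == "3DES" for s in suites),
            "sha1_mac": sum(s["mac"] == "HMAC-SHA1" for s in suites)}

if __name__ == "__main__":
    suites, excluded = classify(CIPHER_STRING)
    print(summary(suites), "excluded:", excluded)
```

Run against the slide's list, the summary shows 23 of 30 suites with forward secrecy and 10 AEAD suites; the seven static-RSA and four 3DES entries sit at the tail of the preference order as compatibility fallbacks.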