Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SSL Deployment Best Practices

Jan Krutisch
February 12, 2014
Technology
0
410

SSL Deployment Best Practices

Short talk for Ruby Usergroup Hamburg 2014 about how to deploy SSL certificates while avoiding the most common pitfalls.

Jan Krutisch

February 12, 2014
Tweet

More Decks by Jan Krutisch

See All by Jan Krutisch
Decentralize ALL THE THINGS - Eurucamp 2014
halfbyte
3
170
Decentralise ALL THE THINGS
halfbyte
0
170
Railsgirls - Coaches dinner introduction
halfbyte
0
60
Metaphors are like knives. You can use them to cut yourself and if you throw rocks at them, they fall apart
halfbyte
0
1.6k
Livecoding Music and Graphics in the browser
halfbyte
0
210
Geeks and Music
halfbyte
0
160
JSON - Schmason
halfbyte
0
220
Parsing Binary Data
halfbyte
0
150
Javascript Audio APIs - Let's make some noise
halfbyte
0
140

Other Decks in Technology

See All in Technology
DevIO2024_レガシー運用からの脱却 -クラウド活用の実践事例とベストプラクティス-
jun2882
0
210
20240725 LLMによるDXのビジョンと、今何からやるべきか @Azure OpenAI Service Dev Day
nrryuya
3
1.2k
CTOから見た事業開発とプロダクト開発 / My Perspective on Business and Product Development as CTO
keisuke69
4
960
Classmethod流のPlatform Engineering / classmethod-platform-engineering-devio2024
tomoki10
0
480
スレットハンティングについて知っておきたいこと
hacket
0
130
AOAI Dev Day LLMシステム開発 Tips集
hirosatogamo
16
3.9k
「我々はどこに向かっているのか」を問い続けるための仕組みづくり / Establishing a System for Continuous Inquiry about where we are
daitasu
0
170
ペパボのオブザーバビリティ研修2024 説明資料
kesompochy
0
1.1k
Github Actions 로 Android 팀의 효율성 극대화
hadonghyun
0
160
Git 研修 Basic【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
330
AIエージェントを現場に導入する目線とは
masahiro_nishimi
1
1.6k
ゆめみのアクセシビリティの現在地と今後
ryokatsuse
3
290

Featured

See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
28
2.2k
Why Our Code Smells
bkeepers
PRO
332
56k
It's Worth the Effort
3n
181
27k
Rebuilding a faster, lazier Slack
samanthasiow
78
8.5k
Docker and Python
trallard
37
2.9k
Automating Front-end Workflow
addyosmani
1362
200k
Side Projects
sachag
451
42k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.9k
[RailsConf 2023] Rails as a piece of cake
palkan
35
4.4k
YesSQL, Process and Tooling at Scale
rocio
166
14k
Principles of Awesome APIs and How to Build Them.
keavy
124
16k
Optimizing for Happiness
mojombo
373
69k

Transcript

  1. SSL Deployment Best Practices Jan Krutisch Ruby Usergroup Hamburg https://jan.krutisch.de/

    PGP-Key: A3E52A33 CF40 36B2 DBC8 83BA 29F1 3745 D400 34B1 A3E5 2A33

  2. SSL? TLS?

  3. Source: http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:voip:tls_sips_rtps

  4. Certificates

  5. Free Not free Self signed CACert Commercial

  6. Self signed

  7. Security vs. Trust

  8. None

  9. Let’s go shopping http://www.flickr.com/photos/prozla/4937459350/

  10. None

  11. Deployment

  12. TL;DR version

  13. Apache

  14. SSLEngine on SSLCertificateFile /etc/ssl/private/cert.crt SSLCertificateKeyFile /etc/ssl/private/private_key.key ! SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt

  15. Nginx

  16. ssl on; ssl_certificate /etc/ssl/certs/ssl-bundle.crt; ssl_certificate_key /etc/ssl/private/private_key.key;

  17. Test!

  18. https://www.ssllabs.com/ssltest/

  19. https://www.ssllabs.com/ssltest/ Dafuq?!?

  20. None

  21. Common issues

  22. Common issues according to my story

  23. Cert Chain

  24. None

  25. Cipher Suites

  26. RC4 vs. BEAST

  27. TLS compression (CRIME)

  28. BREACH?

  29. Forward Secrecy

  30. EDH vs. EECDH

  31. Ephemeral (Elliptic Curve) Diffie Hellman

  32. # Apache SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM

    EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" ! # Nginx ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
  33. None

  34. Bam!

  35. Domains vs. IPs

  36. Server Name Indication

  37. None
  38. None