SSL Deployment Best Practices

Short talk for Ruby Usergroup Hamburg 2014 about how to deploy SSL certificates while avoiding the most common pitfalls.

Jan Krutisch

February 12, 2014

Transcript

  1. SSL Deployment Best Practices Jan Krutisch Ruby Usergroup Hamburg https://jan.krutisch.de/

    PGP-Key: A3E52A33 CF40 36B2 DBC8 83BA 29F1 3745 D400 34B1 A3E5 2A33
  2. SSL? TLS?

  3. Source: http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:voip:tls_sips_rtps

  4. Certificates

  5. Free: Self signed, CACert
     Not free: Commercial

  6. Self signed

  7. Security vs. Trust

  9. Let’s go shopping http://www.flickr.com/photos/prozla/4937459350/

  11. Deployment

  12. TL;DR version

  13. Apache

  14. SSLEngine on
      SSLCertificateFile /etc/ssl/private/cert.crt
      SSLCertificateKeyFile /etc/ssl/private/private_key.key
      # intermediate certificate(s); without this file the chain the server sends is incomplete
      SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt

  15. Nginx

  16. ssl on;
      # one PEM bundle: the server certificate first, then the intermediate(s)
      ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
      ssl_certificate_key /etc/ssl/private/private_key.key;

  17. Test!

  18. https://www.ssllabs.com/ssltest/

  19. https://www.ssllabs.com/ssltest/ Dafuq?!?

  21. Common issues

  22. Common issues according to my story

  23. Cert Chain

  25. Cipher Suites

  26. RC4 vs. BEAST

  27. TLS compression (CRIME)

  28. BREACH?

  29. Forward Secrecy

  30. EDH vs. EECDH

  31. Ephemeral (Elliptic Curve) Diffie Hellman

  32. # Apache
      SSLProtocol all -SSLv2 -SSLv3
      SSLHonorCipherOrder on
      SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
                      EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
                      EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

      # Nginx
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
                   EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
                   EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

      Source: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

  34. Bam!

  35. Domains vs. IPs

  36. Server Name Indication

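Added example, not part of the talk: the "Cert Chain" problem from slide 23, reproduced in Ruby with only the standard openssl library. It builds a throwaway root -> intermediate -> leaf PKI in memory and validates the leaf the way a browser that trusts only the root does, once with the intermediate sent along (what SSLCertificateChainFile on slide 14 and the ssl-bundle.crt on slide 16 provide) and once without; all names, keys and certificates are constructed test data, and a bundle check for nginx's leaf-first ordering is included on top of what the slides show.

```ruby
require "openssl"

# Constructed test PKI (not the talk's real certificates): root CA -> intermediate CA -> leaf.
def make_cert(subject, key, serial, ca:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                        # X509v3, so extensions are honoured
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject    # no issuer => self-signed root
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert("/CN=Test Root CA", ROOT_KEY, 1, ca: true)
INT_KEY = OpenSSL::PKey::RSA.new(2048)
INTERMEDIATE = make_cert("/CN=Test Intermediate CA", INT_KEY, 2, ca: true,
                         issuer: ROOT, issuer_key: ROOT_KEY)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF = make_cert("/CN=www.example.test", LEAF_KEY, 3, ca: false,
                 issuer: INTERMEDIATE, issuer_key: INT_KEY)

# A client trusting only the root (browser trust stores hold roots, not intermediates)
# validates the server cert against whatever chain the server actually sent.
def chain_ok?(leaf, sent_chain, trusted_root)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  ok = store.verify(leaf, sent_chain)
  warn "verify failed: #{store.error_string}" unless ok  # "unable to get local issuer certificate"
  ok
end

# nginx's ssl_certificate takes one PEM bundle: server certificate first, then intermediates.
def certs_from_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

def verify_bundle(pem, trusted_root)
  leaf, *intermediates = certs_from_bundle(pem)
  chain_ok?(leaf, intermediates, trusted_root)
end
```

Your own browser may hide the mistake because it caches intermediates from other sites; a fresh client and the SSL Labs test do not, which is why the chain shows up there as a "common issue".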