SSL Deployment Best Practices

Jan Krutisch
February 12, 2014

Short talk for Ruby Usergroup Hamburg 2014 about how to deploy SSL certificates while avoiding the most common pitfalls.

Transcript

  1. SSL Deployment
    Best Practices
    Jan Krutisch
    Ruby Usergroup Hamburg
    https://jan.krutisch.de/
    PGP-Key: A3E52A33
    CF40 36B2 DBC8 83BA 29F1 3745 D400 34B1 A3E5 2A33

  2. SSL? TLS?

  3. Source: http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:voip:tls_sips_rtps

  4. Certificates

  5. Free
    Not free
    Self signed
    CACert
    Commercial

  6. Self signed

  7. Security
    vs.
    Trust

  9. Let’s go shopping
    http://www.flickr.com/photos/prozla/4937459350/

  11. Deployment

  12. TL;DR version

  13. Apache

  14. SSLEngine on
    SSLCertificateFile /etc/ssl/private/cert.crt
    SSLCertificateKeyFile /etc/ssl/private/private_key.key

    SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt

  15. Nginx

  16. ssl on;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/private_key.key;

  17. Test!

  18. https://www.ssllabs.com/ssltest/

  19. https://www.ssllabs.com/ssltest/
    Dafuq?!?

  21. Common issues

  22. Common issues
    according to my story

  23. Cert Chain

  25. Cipher Suites

  26. RC4 vs. BEAST

  27. TLS compression
    (CRIME)

  28. BREACH?

  29. Forward Secrecy

  30. EDH vs. EECDH

  31. Ephemeral
    (Elliptic Curve)
    Diffie-Hellman

  32. # Apache
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
    EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

    # Nginx
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
    EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
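    A cipher string like the one on this slide is only as good as what the OpenSSL build behind Apache or nginx expands it to, so it pays to expand it locally and check that every negotiable suite uses ephemeral (EC)DH. The following is an added example, not part of the talk: it feeds the slide's string to Python's ssl module (which links the local OpenSSL) and classifies the result; the forward-secrecy rule, the WEAK_MARKERS list and the report layout are my own choices.

```python
import ssl

# Cipher string from slide 32 (Apache SSLCipherSuite / nginx ssl_ciphers).
SLIDE_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 "
    "EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# Substrings that mark suites the SSL Labs test penalises (constructed list).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def forward_secret(cipher):
    """True when the key exchange is ephemeral, i.e. a leaked server key
    does not let anyone decrypt recorded sessions."""
    if cipher["protocol"] == "TLSv1.3":
        return True  # every TLS 1.3 suite uses an ephemeral key exchange
    return cipher["name"].startswith(("ECDHE-", "DHE-"))


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string the way the server would and classify
    the result. 'error' is set when no TLS 1.2-or-older suite matched."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # OpenSSL accepts space- or colon-separated lists; normalise to colons.
        ctx.set_ciphers(":".join(cipher_string.split()))
    except ssl.SSLError as exc:
        return {"enabled": [], "forward_secret": [], "no_forward_secrecy": [],
                "weak": [], "error": str(exc)}
    enabled = ctx.get_ciphers()  # in the order the server would prefer them
    names = [c["name"] for c in enabled]
    return {
        "enabled": names,
        "forward_secret": [c["name"] for c in enabled if forward_secret(c)],
        "no_forward_secrecy": [c["name"] for c in enabled if not forward_secret(c)],
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "error": None,
    }


if __name__ == "__main__":
    report = audit_cipher_string(SLIDE_CIPHERS)
    print("\n".join(report["enabled"]))
    print("without forward secrecy:", report["no_forward_secrecy"])
    print("weak:", report["weak"])
```

    On a current OpenSSL the RC4 entries of the 2014 string simply expand to nothing, which is why the expanded list, not the string, is what to review.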

  34. Bam!

  35. Domains vs. IPs

  36. Server Name
    Indication
