SSL All The Things (DjangoCon US 2016)

SSL All The Things
Django and SSL

View Slide

Markus
Holtermann
Senior Software Engineer at LaterPay
Django Core Developer
@m_holtermann • github.com/MarkusH • markusholtermann.eu

View Slide

EASY MICROPAYMENTS FOR YOUR FAVORITE CONTENT
USE NOW, PAY LATER.
@laterpay • github.com/laterpay • laterpay.net
W
e
are
hiring

View Slide

View Slide

Disclaimer

View Slide

What is SSL / TLS?

View Slide

Webserver configuration

View Slide

Apache 2 / httpd

ServerName example.com
SSLEngine on
# Details at https://cipherli.st/
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLCertificateFile /etc/nginx/ssl/example.com.crt
SSLCertificateKeyFile /etc/nginx/ssl/example.com.key
SSLOpenSSLConfCmd DHParameters "/etc/nginx/ssl/example.com.dh"

View Slide

host {
listen [::]:443 ssl;
server_name example.com;
# Details at https://cipherli.st/
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
ssl_dhparam /etc/nginx/ssl/example.com.dh;
}
Nginx

View Slide

What is Let’s Encrypt ?

View Slide

Trust Store
Intermediate
CA 1
Intermediate
CA 2
Root CA 1 Root CA 2
Intermediate
CA 3
Certs Certs Certs
Root CA 3

View Slide

What is Let’s Encrypt ?

View Slide

The ACME
Process
Account Key
Certificate Key
Certificate Signing Request

View Slide

The ACME
Process
new-authz
Challenges
new-cert
Certificate
Retrieve Certificate
Write Challenges
Check
challenge
new-reg
Public Account Key
Account Key
Certificate Key

View Slide

Apache 2 / httpd

ServerName example.com
Redirect / https://example.com/
Alias "/.well-known/acme-challenge/" "/srv/http/acme-challenges/"

AllowOverride None
Options None
Require all granted

View Slide

host {
listen [::]:80;
server_name example.com;
location /.well-known/acme-challenge/ {
alias /srv/http/acme-challenges/;
try_files $uri =404;
}
location / {
return 301 https://example.com$request_uri;
}
}
Nginx

View Slide

How to use Let’s Encrypt ?

View Slide

python3 /etc/acme-tiny/acme-tiny.py \
--account-key "/etc/acme-tiny/account.key" \
--csr "/etc/acme-tiny/example.com.csr" \
--acme-dir "/srv/www/acme-challenges" \
--output "/etc/nginx/ssl/example.com.crt" \
--combine "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
Using Let’s Encrypt

View Slide

Adjusting Django
● Use “secure” cookies — Set CSRF_COOKIE_SECURE and
SESSION_COOKIE_SECURE to True
import os
CSRF_COOKIE_SECURE = os.getenv(‘SECURE_COOKIES’) == ‘yes’
SESSION_COOKIE_SECURE = os.getenv(‘SECURE_COOKIES’) == ‘yes’
● https://docs.djangoproject.com/en/dev/topics/security/

View Slide

What I didn’t cover ...
… but want to mention

View Slide

Certificate Revocation

View Slide

Changing the Account Key

View Slide

HSTS
HTTP Strict Transport Security

View Slide

HPKP
HTTP Public Key Pinning

View Slide

Usage for other services

View Slide

Things that could go wrong
An incomplete list

View Slide

HSTS / HPKP

View Slide

Leaked Keys

View Slide

Resource Usage

View Slide

Sources
● https://cipherli.st/
● https://www.ssllabs.com/ssltest/index.html
● https://hynek.me/talks/tls/
● https://ssldecoder.org/
● https://securityheaders.io/
● https://github.com/ietf-wg-acme/acme/blob/bf34c2a/draft-ietf-acme-acme.md
● https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html

View Slide

Thanks
@m_holtermann • github.com/MarkusH • markusholtermann.eu • laterpay.net
Questions?

View Slide

SSL All The Things (DjangoCon US 2016)

SSL All The Things (DjangoCon US 2016)

Markus H

More Decks by Markus H

Other Decks in Technology

Featured

Transcript