SSL All The Things (DjangoCon US 2016)

My talk from DjangoCon US 2016.

Speaker notes / blog post: https://markusholtermann.eu/2016/07/ssl-all-the-things/

Markus H

July 18, 2016
Transcript

  1. SSL All The Things
    Django and SSL

  2. Markus
    Holtermann
    Senior Software Engineer at LaterPay
    Django Core Developer
    @m_holtermann • github.com/MarkusH • markusholtermann.eu

  3. EASY MICROPAYMENTS FOR YOUR FAVORITE CONTENT
    USE NOW, PAY LATER.
    @laterpay • github.com/laterpay • laterpay.net
    We are hiring

  4. (image slide, no text)

  5. Disclaimer

  6. What is SSL / TLS?

  7. Webserver configuration

  8. Apache 2 / httpd
    <VirtualHost *:443>
      ServerName example.com
      SSLEngine on
      # Details at https://cipherli.st/
      SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
      SSLHonorCipherOrder on
      SSLProtocol all -SSLv3
      SSLCertificateFile /etc/nginx/ssl/example.com.crt
      SSLCertificateKeyFile /etc/nginx/ssl/example.com.key
      SSLOpenSSLConfCmd DHParameters "/etc/nginx/ssl/example.com.dh"
    </VirtualHost>

  9. Nginx
    server {
      listen [::]:443 ssl;
      server_name example.com;
      # Details at https://cipherli.st/
      ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
      ssl_prefer_server_ciphers on;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_certificate /etc/nginx/ssl/example.com.crt;
      ssl_certificate_key /etc/nginx/ssl/example.com.key;
      ssl_dhparam /etc/nginx/ssl/example.com.dh;
    }

  10. What is Let’s Encrypt?

  11. Trust Store
    Chain-of-trust diagram:
    Trust Store: Root CA 1, Root CA 2, Root CA 3
    Root CAs sign Intermediate CA 1, Intermediate CA 2, Intermediate CA 3
    Intermediate CAs issue the end-entity Certs

  12. What is Let’s Encrypt?

  13. The ACME Process
    The client’s inputs: Account Key, Certificate Key, Certificate Signing Request

  14. The ACME Process
    Flow diagram, shown here as an ordered list:
    ● new-reg: the client registers its Public Account Key with the CA; every later request is signed with the Account Key
    ● new-authz: the client asks for authorization for the domain and receives Challenges
    ● Write Challenges: the client publishes the challenge responses on the web server
    ● Check challenge: the CA fetches and verifies the published responses
    ● new-cert: the client submits the Certificate Signing Request (for the Certificate Key)
    ● Retrieve Certificate: the CA returns the Certificate

  15. Apache 2 / httpd
    <VirtualHost *:80>
      ServerName example.com
      # Redirect everything except the ACME challenge path to HTTPS. A plain
      # "Redirect /" would also catch /.well-known/acme-challenge/, because
      # mod_alias applies Redirects before Aliases.
      RedirectMatch "^/(?!\.well-known/acme-challenge/)(.*)" "https://example.com/$1"
      Alias "/.well-known/acme-challenge/" "/srv/http/acme-challenges/"
      <Directory "/srv/http/acme-challenges/">
        AllowOverride None
        Options None
        Require all granted
      </Directory>
    </VirtualHost>

  16. Nginx
    server {
      listen [::]:80;
      server_name example.com;
      location /.well-known/acme-challenge/ {
        alias /srv/http/acme-challenges/;
        try_files $uri =404;
      }
      location / {
        return 301 https://example.com$request_uri;
      }
    }
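
The "Write Challenges" and "Check challenge" boxes on slide 14, worked out for the HTTP-01 challenge that the acme-challenge alias on slides 15 and 16 serves. This is an added example, not code from the talk or from acme-tiny: it computes the key authorization (token + "." + RFC 7638 thumbprint of the account's public JWK) that the CA expects at /.well-known/acme-challenge/<token>, writes it into the challenge directory, and replays the CA-side comparison. The JWK and token are constructed sample values, not a real key.

```python
# Added example (not from the talk): the HTTP-01 step of the ACME process.
# The client proves control of the domain by serving, at
#   http://<domain>/.well-known/acme-challenge/<token>
# the "key authorization": token + "." + thumbprint(account public key),
# where the thumbprint is the RFC 7638 JWK thumbprint, i.e. base64url(SHA-256 of
# the canonical JSON of the required public JWK members). The CA fetches that
# URL and compares the body with what it computed itself.
import base64
import hashlib
import json
import os
import re
import tempfile

# ACME tokens are base64url; anything else must never reach the file system.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA public JWK: only the required members
    (e, kty, n), keys sorted, no whitespace, then SHA-256 and base64url."""
    required = {"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def token_is_valid(token: str) -> bool:
    return bool(_TOKEN_RE.match(token))


def key_authorization(token: str, account_jwk: dict) -> str:
    """The string the CA expects to find in the challenge file."""
    if not token_is_valid(token):
        raise ValueError("invalid ACME challenge token")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def write_challenge(acme_dir: str, token: str, account_jwk: dict) -> str:
    """'Write Challenges': drop the key authorization into the directory the
    web server aliases to /.well-known/acme-challenge/. Returns the path."""
    keyauth = key_authorization(token, account_jwk)
    path = os.path.join(acme_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path


def check_challenge(acme_dir: str, token: str, account_jwk: dict) -> bool:
    """'Check challenge', seen from the CA: the body served for the token must
    equal the key authorization computed from the registered account key."""
    try:
        with open(os.path.join(acme_dir, token), encoding="ascii") as fh:
            served = fh.read().strip()
    except FileNotFoundError:
        return False
    return served == key_authorization(token, account_jwk)


# Constructed sample values: a fake RSA public JWK (not a real key) and the
# example token from the ACME specification.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": b64url(hashlib.sha256(b"constructed sample modulus").digest() * 8),
    "e": "AQAB",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> dict:
    """Write the sample challenge into a temporary acme-dir and verify it."""
    acme_dir = tempfile.mkdtemp()
    path = write_challenge(acme_dir, SAMPLE_TOKEN, SAMPLE_JWK)
    return {
        "path": path,
        "keyauth": key_authorization(SAMPLE_TOKEN, SAMPLE_JWK),
        "verified": check_challenge(acme_dir, SAMPLE_TOKEN, SAMPLE_JWK),
    }


if __name__ == "__main__":
    print(demo())
```

The thumbprint depends only on the public half of the account key, which is why the account key, not the certificate key, is what ties a challenge to an account; the token check matters because the token becomes a file name under a directory the web server exposes.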

  17. How to use Let’s Encrypt?

  18. Using Let’s Encrypt
    python3 /etc/acme-tiny/acme-tiny.py \
      --account-key "/etc/acme-tiny/account.key" \
      --csr "/etc/acme-tiny/example.com.csr" \
      --acme-dir "/srv/www/acme-challenges" \
      --output "/etc/nginx/ssl/example.com.crt" \
      --combine "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"

  19. Adjusting Django
    ● Use “secure” cookies — Set CSRF_COOKIE_SECURE and
    SESSION_COOKIE_SECURE to True
    import os
    CSRF_COOKIE_SECURE = os.getenv('SECURE_COOKIES') == 'yes'
    SESSION_COOKIE_SECURE = os.getenv('SECURE_COOKIES') == 'yes'
    ● https://docs.djangoproject.com/en/dev/topics/security/
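
The SECURE_COOKIES=yes pattern on this slide, written out as an added example (not code from the talk or from Django) so that the weak development values sit beside the corrected production values and a small check reports the difference. SECURE_SSL_REDIRECT and SECURE_HSTS_SECONDS are real Django settings that the slide does not show; the HSTS_SECONDS environment variable name is an assumption. Django's own manage.py check --deploy performs the same kind of audit.

```python
# Added example, not from the talk or from Django: derive the HTTPS-related
# settings from one environment switch and audit the result.
from typing import Mapping


def tls_settings(env: Mapping[str, str]) -> dict:
    """Derive the HTTPS-related Django settings from the environment.

    Everything hangs off one switch (SECURE_COOKIES=yes), as on the slide, so a
    development box without TLS still gets working cookies and a production box
    cannot end up with only half of the settings enabled.
    """
    secure = env.get("SECURE_COOKIES") == "yes"
    return {
        "CSRF_COOKIE_SECURE": secure,
        "SESSION_COOKIE_SECURE": secure,
        "SECURE_SSL_REDIRECT": secure,
        # HSTS is only sent once HTTPS is enforced; max-age comes from the
        # environment (assumed name HSTS_SECONDS) so it can be raised gradually.
        "SECURE_HSTS_SECONDS": int(env.get("HSTS_SECONDS", "0")) if secure else 0,
    }


def audit(settings: Mapping[str, object]) -> list:
    """Return the findings a deploy check would raise for these settings."""
    findings = []
    for name in ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE"):
        if settings.get(name) is not True:
            findings.append(f"{name} is not True: the cookie is also sent over plain HTTP")
    if settings.get("SECURE_SSL_REDIRECT") is not True:
        findings.append("SECURE_SSL_REDIRECT is not True: plain-HTTP requests are answered, not redirected")
    if settings.get("SECURE_HSTS_SECONDS", 0) and settings.get("SECURE_SSL_REDIRECT") is not True:
        findings.append("SECURE_HSTS_SECONDS is set while HTTP is still served: browsers that saw the header will only use HTTPS")
    return findings


# Constructed environments: the weak (development) one beside the corrected one.
DEV_ENV = {}
PROD_ENV = {"SECURE_COOKIES": "yes", "HSTS_SECONDS": "3600"}


if __name__ == "__main__":
    for label, env in (("dev", DEV_ENV), ("prod", PROD_ENV)):
        print(label, tls_settings(env), audit(tls_settings(env)))
```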

  20. What I didn’t cover ... but want to mention

  21. Certificate Revocation

  22. Changing the Account Key

  23. HSTS
    HTTP Strict Transport Security

  24. HPKP
    HTTP Public Key Pinning

  25. Usage for other services

  26. Things that could go wrong
    An incomplete list

  27. HSTS / HPKP

  28. Leaked Keys

  29. Resource Usage

  30. Sources
    ● https://cipherli.st/
    ● https://www.ssllabs.com/ssltest/index.html
    ● https://hynek.me/talks/tls/
    ● https://ssldecoder.org/
    ● https://securityheaders.io/
    ● https://github.com/ietf-wg-acme/acme/blob/bf34c2a/draft-ietf-acme-acme.md
    ● https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html

  31. Thanks
    @m_holtermann • github.com/MarkusH • markusholtermann.eu • laterpay.net
    Questions?