SSL All The Things (DjangoCon US 2016)

Transcript

1. SSL All The Things Django and SSL

2. Markus Holtermann Senior Software Engineer at LaterPay Django Core Developer

   @m_holtermann • github.com/MarkusH • markusholtermann.eu

3. EASY MICROPAYMENTS FOR YOUR FAVORITE CONTENT USE NOW, PAY LATER.

   @laterpay • github.com/laterpay • laterpay.net W e are hiring
4. None

5. Disclaimer

6. What is SSL / TLS?

7. Webserver configuration

8. Apache 2 / httpd <VirtualHost *:443> ServerName example.com SSLEngine on

   # Details at https://cipherli.st/ SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLHonorCipherOrder on SSLProtocol all -SSLv3 SSLCertificateFile /etc/nginx/ssl/example.com.crt SSLCertificateKeyFile /etc/nginx/ssl/example.com.key SSLOpenSSLConfCmd DHParameters "/etc/nginx/ssl/example.com.dh" </VirtualHost>

9. host { listen [::]:443 ssl; server_name example.com; # Details at

   https://cipherli.st/ ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_certificate /etc/nginx/ssl/example.com.crt; ssl_certificate_key /etc/nginx/ssl/example.com.key; ssl_dhparam /etc/nginx/ssl/example.com.dh; } Nginx

10. What is Let’s Encrypt ?

11. Trust Store Intermediate CA 1 Intermediate CA 2 Root CA

    1 Root CA 2 Intermediate CA 3 Certs Certs Certs Root CA 3

12. What is Let’s Encrypt ?

13. The ACME Process Account Key Certificate Key Certificate Signing Request

14. The ACME Process new-authz Challenges Certificate Signing Request new-cert Certificate

    Retrieve Certificate Write Challenges Check challenge new-reg Public Account Key Account Key Certificate Key Certificate Signing Request

15. Apache 2 / httpd <VirtualHost *:80> ServerName example.com Redirect /

    https://example.com/ Alias "/.well-known/acme-challenge/" "/srv/http/acme-challenges/" <Directory "/srv/http/acme-challenges"> AllowOverride None Options None Require all granted </Directory> </VirtualHost>

16. host { listen [::]:80; server_name example.com; location /.well-known/acme-challenge/ { alias

    /srv/http/acme-challenges/; try_files $uri =404; } location / { return 301 https://example.com$request_uri; } } Nginx

17. How to use Let’s Encrypt ?

18. python3 /etc/acme-tiny/acme-tiny.py \ --account-key "/etc/acme-tiny/account.key" \ --csr "/etc/acme-tiny/example.com.csr" \ --acme-dir

    "/srv/www/acme-challenges" \ --output "/etc/nginx/ssl/example.com.crt" \ --combine "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem" Using Let’s Encrypt

19. Adjusting Django • Use “secure” cookies — Set CSRF_COOKIE_SECURE and

    SESSION_COOKIE_SECURE to True import os CSRF_COOKIE_SECURE = os.getenv(‘SECURE_COOKIES’) == ‘yes’ SESSION_COOKIE_SECURE = os.getenv(‘SECURE_COOKIES’) == ‘yes’ • https://docs.djangoproject.com/en/dev/topics/security/

20. What I didn’t cover ... … but want to mention

21. Certificate Revocation

22. Changing the Account Key

23. HSTS HTTP Strict Transport Security

24. HPKP HTTP Public Key Pinning

25. Usage for other services

26. Things that could go wrong An incomplete list

27. HSTS / HPKP

28. Leaked Keys

29. Resource Usage

30. Sources • https://cipherli.st/ • https://www.ssllabs.com/ssltest/index.html • https://hynek.me/talks/tls/ • https://ssldecoder.org/ •

    https://securityheaders.io/ • https://github.com/ietf-wg-acme/acme/blob/bf34c2a/draft-ietf-acme-acme.md • https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html

31. Thanks @m_holtermann • github.com/MarkusH • markusholtermann.eu • laterpay.net Questions?