SSL All The Things (DjangoCon US 2016)

SSL All The Things (DjangoCon US 2016)

My talk from DjangoCon US 2016.

Speaker notes / blog post: https://markusholtermann.eu/2016/07/ssl-all-the-things/

Cd7648c536b4dbe940246b74044fbc52?s=128

Markus H

July 18, 2016
Tweet

Transcript

  1. 2.

    Markus Holtermann Senior Software Engineer at LaterPay Django Core Developer

    @m_holtermann • github.com/MarkusH • markusholtermann.eu
  2. 3.

    EASY MICROPAYMENTS FOR YOUR FAVORITE CONTENT USE NOW, PAY LATER.

    @laterpay • github.com/laterpay • laterpay.net W e are hiring
  3. 4.
  4. 8.

    Apache 2 / httpd <VirtualHost *:443> ServerName example.com SSLEngine on

    # Details at https://cipherli.st/ SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLHonorCipherOrder on SSLProtocol all -SSLv3 SSLCertificateFile /etc/nginx/ssl/example.com.crt SSLCertificateKeyFile /etc/nginx/ssl/example.com.key SSLOpenSSLConfCmd DHParameters "/etc/nginx/ssl/example.com.dh" </VirtualHost>
  5. 9.

    host { listen [::]:443 ssl; server_name example.com; # Details at

    https://cipherli.st/ ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_certificate /etc/nginx/ssl/example.com.crt; ssl_certificate_key /etc/nginx/ssl/example.com.key; ssl_dhparam /etc/nginx/ssl/example.com.dh; } Nginx
  6. 11.

    Trust Store Intermediate CA 1 Intermediate CA 2 Root CA

    1 Root CA 2 Intermediate CA 3 Certs Certs Certs Root CA 3
  7. 14.

    The ACME Process new-authz Challenges Certificate Signing Request new-cert Certificate

    Retrieve Certificate Write Challenges Check challenge new-reg Public Account Key Account Key Certificate Key Certificate Signing Request
  8. 15.

    Apache 2 / httpd <VirtualHost *:80> ServerName example.com Redirect /

    https://example.com/ Alias "/.well-known/acme-challenge/" "/srv/http/acme-challenges/" <Directory "/srv/http/acme-challenges"> AllowOverride None Options None Require all granted </Directory> </VirtualHost>
  9. 16.

    host { listen [::]:80; server_name example.com; location /.well-known/acme-challenge/ { alias

    /srv/http/acme-challenges/; try_files $uri =404; } location / { return 301 https://example.com$request_uri; } } Nginx
  10. 18.

    python3 /etc/acme-tiny/acme-tiny.py \ --account-key "/etc/acme-tiny/account.key" \ --csr "/etc/acme-tiny/example.com.csr" \ --acme-dir

    "/srv/www/acme-challenges" \ --output "/etc/nginx/ssl/example.com.crt" \ --combine "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem" Using Let’s Encrypt
  11. 19.

    Adjusting Django • Use “secure” cookies — Set CSRF_COOKIE_SECURE and

    SESSION_COOKIE_SECURE to True import os CSRF_COOKIE_SECURE = os.getenv(‘SECURE_COOKIES’) == ‘yes’ SESSION_COOKIE_SECURE = os.getenv(‘SECURE_COOKIES’) == ‘yes’ • https://docs.djangoproject.com/en/dev/topics/security/
  12. 30.

    Sources • https://cipherli.st/ • https://www.ssllabs.com/ssltest/index.html • https://hynek.me/talks/tls/ • https://ssldecoder.org/ •

    https://securityheaders.io/ • https://github.com/ietf-wg-acme/acme/blob/bf34c2a/draft-ietf-acme-acme.md • https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html