SSL All The Things (DjangoCon US 2016)

My talk from DjangoCon US 2016.

Speaker notes / blog post: https://markusholtermann.eu/2016/07/ssl-all-the-things/

Markus H

July 18, 2016

Transcript

  1. SSL All The Things: Django and SSL

  2. Markus Holtermann
    Senior Software Engineer at LaterPay
    Django Core Developer
    @m_holtermann • github.com/MarkusH • markusholtermann.eu
  3. EASY MICROPAYMENTS FOR YOUR FAVORITE CONTENT. USE NOW, PAY LATER.
    @laterpay • github.com/laterpay • laterpay.net
    We are hiring
  4. None
  5. Disclaimer

  6. What is SSL / TLS?

  7. Webserver configuration

  8. Apache 2 / httpd

    <VirtualHost *:443>
        ServerName example.com
        SSLEngine on

        # Details at https://cipherli.st/
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLHonorCipherOrder on
        SSLProtocol all -SSLv3

        SSLCertificateFile /etc/nginx/ssl/example.com.crt
        SSLCertificateKeyFile /etc/nginx/ssl/example.com.key
        SSLOpenSSLConfCmd DHParameters "/etc/nginx/ssl/example.com.dh"
    </VirtualHost>
  9. Nginx

    server {
        listen [::]:443 ssl;
        server_name example.com;

        # Details at https://cipherli.st/
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_certificate /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;
        ssl_dhparam /etc/nginx/ssl/example.com.dh;
    }
  10. What is Let’s Encrypt?

  11. Trust Store (diagram)
    Trust Store: Root CA 1, Root CA 2, Root CA 3
    Each chain: Root CA → Intermediate CA → Certs (Intermediate CA 1, 2 and 3, each issuing its own Certs)
  12. What is Let’s Encrypt?

  13. The ACME Process: Account Key, Certificate Key, Certificate Signing Request

  14. The ACME Process (diagram)
    Keys: Account Key (with its Public Account Key), Certificate Key, Certificate Signing Request
    new-reg: register the Public Account Key
    new-authz: receive Challenges, write Challenges to the challenge directory, CA checks the challenge
    new-cert: send the Certificate Signing Request, receive the Certificate, retrieve Certificate
  15. Apache 2 / httpd

    <VirtualHost *:80>
        ServerName example.com
        Redirect / https://example.com/

        Alias "/.well-known/acme-challenge/" "/srv/http/acme-challenges/"
        <Directory "/srv/http/acme-challenges">
            AllowOverride None
            Options None
            Require all granted
        </Directory>
    </VirtualHost>
  16. Nginx

    server {
        listen [::]:80;
        server_name example.com;

        location /.well-known/acme-challenge/ {
            alias /srv/http/acme-challenges/;
            try_files $uri =404;
        }

        location / {
            return 301 https://example.com$request_uri;
        }
    }
  17. How to use Let’s Encrypt?

  18. Using Let’s Encrypt

    python3 /etc/acme-tiny/acme-tiny.py \
        --account-key "/etc/acme-tiny/account.key" \
        --csr "/etc/acme-tiny/example.com.csr" \
        --acme-dir "/srv/www/acme-challenges" \
        --output "/etc/nginx/ssl/example.com.crt" \
        --combine "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
  19. Adjusting Django
    • Use "secure" cookies: set CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE to True

      import os
      CSRF_COOKIE_SECURE = os.getenv('SECURE_COOKIES') == 'yes'
      SESSION_COOKIE_SECURE = os.getenv('SECURE_COOKIES') == 'yes'

    • https://docs.djangoproject.com/en/dev/topics/security/
  20. What I didn’t cover ... but want to mention

  21. Certificate Revocation

  22. Changing the Account Key

  23. HSTS HTTP Strict Transport Security

  24. HPKP HTTP Public Key Pinning

  25. Usage for other services

  26. Things that could go wrong: an incomplete list

  27. HSTS / HPKP

  28. Leaked Keys

  29. Resource Usage

  30. Sources
    • https://cipherli.st/
    • https://www.ssllabs.com/ssltest/index.html
    • https://hynek.me/talks/tls/
    • https://ssldecoder.org/
    • https://securityheaders.io/
    • https://github.com/ietf-wg-acme/acme/blob/bf34c2a/draft-ietf-acme-acme.md
    • https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html
  31. Thanks
    @m_holtermann • github.com/MarkusH • markusholtermann.eu • laterpay.net
    Questions?
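Following up on slide 19 (secure cookies) and slide 23 (HSTS): an added example, not from the talk, that audits the headers of a response fetched from an HTTPS deployment. The header lists below are constructed samples; the cookie names are Django's defaults, and SECURE_HSTS_SECONDS is the Django setting that emits the HSTS header.

```python
# Added example (not from the talk): audit a fetched HTTPS response's headers for the
# points on slides 19 and 23: Django's sessionid/csrftoken cookies carry the Secure flag
# and an HSTS header is present and non-zero. Input is a constructed list of
# (header, value) pairs, the shape http.client.HTTPResponse.getheaders() returns.

# Django's default cookie names mapped to the setting that adds the Secure flag.
SENSITIVE_COOKIES = {"sessionid": "SESSION_COOKIE_SECURE", "csrftoken": "CSRF_COOKIE_SECURE"}

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_headers(headers):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    hsts_seen = False
    for header, value in headers:
        name = header.lower()
        if name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            setting = SENSITIVE_COOKIES.get(cookie)
            if setting and "secure" not in attrs:
                findings.append(f"{cookie}: missing Secure flag; set {setting} = True")
        elif name == "strict-transport-security":
            hsts_seen = True
            # Directives look like "max-age=31536000; includeSubDomains"; max-age=0 turns HSTS off.
            directives = dict(d.strip().partition("=")[::2] for d in value.lower().split(";"))
            if directives.get("max-age", "0").strip() == "0":
                findings.append("Strict-Transport-Security: max-age=0 disables HSTS")
    if not hsts_seen:
        findings.append("no Strict-Transport-Security header; set SECURE_HSTS_SECONDS")
    return findings

# Constructed sample responses: Django defaults over HTTPS, and the hardened deployment.
WEAK_HEADERS = [
    ("Set-Cookie", "csrftoken=abc123; Path=/"),
    ("Set-Cookie", "sessionid=def456; HttpOnly; Path=/"),
]
HARDENED_HEADERS = [
    ("Set-Cookie", "csrftoken=abc123; Path=/; Secure"),
    ("Set-Cookie", "sessionid=def456; HttpOnly; Path=/; Secure"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
```

Run audit_headers over the header list of a real response to your site and fix every finding before flipping SECURE_COOKIES to yes in production.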