Let's Encrypt 証明書を使ってみよう！（4D Summit 2020より）

Transcript

1. Let’s Encrypt 'D%hY[cePM by Bruno Legay Let’s Encrypt® certificates with

   4D https://www.ac-consulting.fr

2. _acZ  .1ੈلF}N|N
   tmoL £oLsq{¤

3. _acZ  1553F¨l~p¤
   ’¥N€LŠL¨l~Ÿ¤  1923FqŒx™
   k¤‰nN¤L}p¤o  1940F—›
   k¢§L„ŸN£§x

4. _acZ  1976F–m…‰‘lN¤ŠLˆl‘lN
   ™N‡l§L”¤™§  1977F¦‹¤ŠL£•‰
   kˆlL}žšk
   ¥r‹¤ŠLqNˆ¤™§  1985F‚”¤Lq¤t™¤

5. 1)uŸ£‡l  1994FSSL 1.0 Netscape Navigator (deprecated)  1995FSSL 2.0

   (2011೥ deprecated)  1996FSSL 3.0 (2015೥ deprecated)

6. 1)uŸ£‡l  1999FTLS 1.0 (2020೥ deprecation ༧ఆ)  2006FTLS 1.1

   (2020೥ deprecation ༧ఆ)  2007FTLS 1.2  2018FTLS 1.3

7. httpsQ<F]GE  †gtG
    ,*
    (C

8. https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences ෮߸ ҉߸ 9BK 9BK 4Vsv = 01010 10111 001010101

   111100100 001011010 101100101 >= 8!
   J^c\
   JMKW
   eghjl >= 8!
   J^c\
   JMKW
   eghjl /&A! k£ —’

9. https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences ෮߸ ҉߸ K 9BK Psv :/&A! k£ —’ =

   01010 10111 001010101 111100100 001011010 101100101 >= 8!
   J^c\
   JMKW
   eghjl >= 8!
   J^c\
   JMKW
   eghjl

10. TLSŽ§Š}pmw w¢mk§‰ {NN K 1) Ti^X` Ti^X`L'D%LK KL{m‘jN2L#;\RW {m‘jN2L#;\RW ClientHello

    ServerHello ServerCertificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished

11. <F]d_  m§‚N…‰M`epwvUNaWebsGG
     ‚…‘zpIPe}“v  HDNS“uv|XI5D]YŠœm§C  ˆG|;
    80 L_[
    443

    blG†–QTKaPV
     „dgeGhkG’ENAT -3 NAT: Network Address Translation

12. 'D%Q8Ugfb\ K 9BK 'D%$CF X.509 'D% K {’~pw‰(@ ೝূہ αʔόʔ

    3. ఏग़ 4. ൃߦ 1. ੜ੒ 2. ੜ੒ 5. ճऩ

13. 6' https://curl.haxx.se/ca/cacert.pem

14. 'D%_‚m“  %?'@&
     DV
    
    }‹g–'@
     OV
    
    '@
     EV

    - ֦ு '@ https://security.stackexchange.com/questions/13453/are-all-ssl-certificates-equal OV: Organisation Validated EV: Extended Validated DV: Domain Validated

15.  ‡GtzpW'@&HŠœm§CI
    •g’}mG}'@&
     s…uip|>?'@&HSANI www.example.com *.example.com www.example.com www.example.jp example.com

    api.example.com 'D%_‚m“ SAN: Subject Alternative Name
16. None
17. None
18. None
19. None
20. None
21. None
22. None
23. None
24. None
25. None

26. ,H  "9F4†”–{fe1,
    Mozilla,
    Štn–/
     +FCisco,
    Akamai
  p”v%?FIdenTrust

27. ˜§{N

28. https://letsencrypt.org/ja/stats/ 3

29. https://letsencrypt.org/ja/stats/ 3

30. https://letsencrypt.org/ja/stats/ 3

31. https://letsencrypt.org/2020/02/27/one-billion-certs.html

32. https://certbot.eff.org https://letsencrypt.org/ja/docs/client-options/  certbot
    r‰–}g–g–x„iGvHpythonI
    
     .Y†”qŠ–q !†N¤

33. https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment N~¡§ • ACME v1  20167
    4
    ££N
     deprecated
    20207
    6
    {˜N‰"I

34. https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment N~¡§ • ACME v1  20167
    4
    ££N
     deprecated
    20207
    6
    {˜N‰"I •

    ACME v2  20187
    3
    ££N

35. „ž¥§~_‚m“ https://letsencrypt.org/ja/docs/challenge-types/ • HTTP-01 • DNS-01 {NN^*5 6'(@h0 yN›rNN •

    TLS-SNI-01 (disabled) • TLS-ALPN-01 SNI: Sever Name Indication ALPN: Application Level Protocol Negotiation

36. HTTP-01 HTTP GET /.well-known/acme-challenge/<token> https://letsencrypt.org/ja/docs/challenge-types/

37. 8\Rfd_  DV '@&
     SAN '@&
     B 
    90

    6 DV: Domain Validation SAN: Subject Alternative Name

38. hZS[M  ¥N‰+
     ‡N~§x U{v|Sa
    
     ˆG|80b=RTZKOWK https://letsencrypt.org/ja/docs/rate-limits/

    https://letsencrypt.org/ja/docs/staging-environment/ “¦ƒw}¡§ ‡N~§x https://acme-v02.api.letsencrypt.org/directory https://acme-staging-v02.api.letsencrypt.org/directory

39. £N“¦u}

40. Kubernetes (K8) Docker z§‡‹

41. ACMEz§˜N§‰  ACME v1 †”|r’
     Tim Penner
    {pm’€G|H20167I https://kb.4d.com/assetid=77671 https://www.youtube.com/watch?v=8CxPWHc4NI8

42. ACMEz§˜N§‰  ACME v2 †”|r’
     $:Z4D v15U9H20187I
     ):Z4D

    v18†”uip|ŒG}U
     OpenSSL 1.0.2oH201873 Ig~‘ „dg’<N
     HTTP-01y“–u
     SAN'@&sˆG|

43. ˆ§‰¥N}¡§

44. {m‘j£‰ C_TEXT($ciphers) $ciphers:=\ "ECDHE-RSA-AES128-GCM-SHA256:"+\ "ECDHE-RSA-AES256-GCM-SHA384:"+\ "ECDHE-RSA-CHACHA20-POLY1305:"+\ "DHE-RSA-AES128-GCM-SHA256:"+\ "DHE-RSA-AES256-GCM-SHA384" SET DATABASE

    PARAMETER(SSL cipher list;$ciphers) • 4D v12 ஫هɿઃఆ͸ΫϥΠΞϯτ/αʔόʔ௨৴ͷ҉߸Խʹ΋Өڹ͢Δ

45. uŸ£‡l https://blog.4d.com/higher-security-ranking-for-4d-web-sites/ • 4D v16 R6 • RC4 disabled •

    PFS enabled • DH or ECDH • "dhparams.pem" DH: Diffie Hellman ECDH: Elliptic Curve Diffie Hellman PFS: Perfect Forward Secrecy RC4: Rivest Cypher 4

46. uŸ£‡l https://blog.4d.com/higher-security-ranking-for-4d-web-sites/ • 4D v17 • HSTS option HSTS: HTTP

    Strict Transport Security // ϒϥ΢βʹHTTPSݶఆΞΫηεΛཁٻ͢Δظݶ WEB SET OPTION(Web HSTS max age;31536000) //365೔ // 4D Web serverͷHSTSΛ༗ޮʹ WEB SET OPTION(Web HSTS enabled;1) // 4D Web serverͷHTTPΛ༗ޮʹ WEB SET OPTION(Web HTTP enabled;1) // 4D Web serverͷHTTPSΛ༗ޮʹ WEB SET OPTION(Web HTTPS enabled;1)

47. uŸ£‡l https://blog.4d.com/higher-security-ranking-for-4d-web-sites/ • 4D v17 • HSTS option HSTS: HTTP

    Strict Transport Security curl -I https://www.example.com HTTP/1.1 200 OK Accept-Ranges: bytes Connection: keep-alive Content-Length: 3322 Content-Type: text/html Date: Sat, 23 May 2020 07:30:54 GMT Last-Modified: Sat, 18 Apr 2020 08:53:28 GMT Server: 4D/17.6.0 Strict-Transport-Security: max-age=31536000; includeSubDomains

48. {NN(@ • 4D v16 R6 • WEB Get server info

    { "started": false, "uptime": 0, "httpRequestCount": 0, "startMode": "manual", "SOAPServerStarted": false, "security": { "HTTPEnabled": false, "HTTPSEnabled": false, "openSSLVersion": "OpenSSL 1.1.1d 10 Sep 2019", "cipherSuite": "TLS_AES_256_GCM_SHA384:..:CAMELLIA128-SHA", "minTLSVersion": "1.2", "perfectForwardSecrecy": false, "HSTSEnabled": false, "HSTSMaxAge": 63072000 }, "options": {...

49. DNS: Domain Name Server CAA: Certification Authority Authorisation • DNS

    CAA dig caa www.example.com www.example.com. IN CAA 0 issue "amazon.com" www.example.com. IN CAA 0 issue "amazonaws.com" www.example.com. IN CAA 0 issue "amazontrust.com" www.example.com. IN CAA 0 issue "awstrust.com" www.example.com. IN CAA 0 issue "letsencrypt.org" www.example.com. IN CAA 0 issuewild "letsencrypt.org" {NN'D%86'2

50. z§‡§†_O  HTTP”…ƒNb2Sa
     -/URLbHTMLX #QWK
     "https everywhere"jpv{–t–bCSa https://www.eff.org/https-everywhere

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Content-Security-Policy: upgrade-insecure-request <script src="//example.com/scripts.code.js"></scripts>

51. ˆ§‰¥N}¡§

52. uŸ£‡l_„p…w  SSL/TLSY-3b'QT<OSasGƒv
     {NNYwoŽ‘{fZ>A0

53. N~¡§?zk 4D ɹvre -3 12.6 F SSL 2.0, 3.0, TLS

    1.0 with DES, RC4 13.6 F TLS 1.0, 1.1, 1.2 with DES, RC4 14.5 B TLS 1.0, 1.1, 1.2 with RC4 15.6 B TLS 1.0, 1.1, 1.2 with RC4 16.6 B TLS 1.0, 1.1, 1.2 with RC4 17.4 A or A+ TLS 1.2 PFS HSTS 18.0 A or A+ TLS 1.2 PFS HSTS

54. • Let's Encrypt • Mozilla • SSL and TLS Deployment

    Best Practices https://letsencrypt.org https://wiki.mozilla.org/Security/Server_Side_TLS https://ssl-config.mozilla.org https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ https://www.feistyduck.com/library/openssl-cookbook/  J

55. • An Introduction to Let's Encrypt by April King from

    Mozilla • Let's Encrypt: A Free, Automated and Open Certificate Authority by Josh Aas https://www.youtube.com/watch?v=ksqTu7TX83g https://www.youtube.com/watch?v=W_OBpJmrKOc  J

56. • Encrypt the Web For $0 by Yan Zhu •

    Let's Encrypt: Minting Free Certs to Encrypt the Entire Web by Yan Zhu https://www.youtube.com/watch?v=n9Fe68xgKUw https://www.youtube.com/watch?v=Ya6t8nMclos  J