Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let's Encrypt 証明書を使ってみよう!(4D Summit 2020より)

4D Japan
June 01, 2020
Programming
0
26

Let's Encrypt 証明書を使ってみよう!(4D Summit 2020より)

4D Japan

June 01, 2020
Tweet

More Decks by 4D Japan

See All by 4D Japan
4D DevCon 2024
miyako
0
38
同期と複製 (2012)
miyako
0
26
最適化 (2012)
miyako
0
36
アップグレードの近道 (2012)
miyako
0
36
4D v11 SQL in Depth (2010)
miyako
0
33
New in v20 Part 4
miyako
0
51
New in v20 Part 3
miyako
0
50
New in v20 Part 2
miyako
0
57
ビジネスウェブアプリケーション (2012)
miyako
0
42

Other Decks in Programming

See All in Programming
Ruby Pattern Matching
bkuhlmann
0
930
使ってみよう Azure AI Document Intelligence
kosmosebi
2
300
SIMD Parallel Programming with the Vector API
josepaumard
0
160
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
190
今、知っておきたい! 生成AIエージェントの世界
elith
3
350
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
7
920
大規模Reactアプリのリアーキテクチャ~8万行のTanStack Query移行の軌跡~
kj455
4
960
2 週間で Twitter Bot を作ってみた
contour_gara
0
340
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
340
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
200
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
920
HUIT新歓2024「競技プログラミング、やってみませんか?」
slephy2784
1
270

Featured

See All Featured
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Raft: Consensus for Rubyists
vanstee
132
6.3k
Typedesign – Prime Four
hannesfritz
36
2.1k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
241
1.2M
The Art of Programming - Codeland 2020
erikaheidi
42
12k
Visualization
eitanlees
136
14k
Gamification - CAS2011
davidbonilla
76
4.6k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
The Cost Of JavaScript in 2023
addyosmani
16
3.9k
The Pragmatic Product Professional
lauravandoore
25
5.8k
Making the Leap to Tech Lead
cromwellryan
124
8.5k
Facilitating Awesome Meetings
lara
42
5.6k

Transcript

  1. Let’s Encrypt 'D%hY[cePM by Bruno Legay Let’s Encrypt® certificates with

    4D https://www.ac-consulting.fr

  2. _acZ  .1ੈلF}N|NtmoL £oLsq{¤

  3. _acZ  1553F¨l~p¤’¥N€LŠL¨l~Ÿ¤  1923FqŒx™ k¤‰nN¤L}p¤o  1940F—›k¢§L„ŸN£§x

  4. _acZ  1976F–m…‰‘lN¤ŠLˆl‘lN™N‡l§L”¤™§  1977F¦‹¤ŠL£•‰kˆlL}žšk¥r‹¤ŠLqNˆ¤™§  1985F‚”¤Lq¤t™¤

  5. 1)uŸ£‡l  1994FSSL 1.0 Netscape Navigator (deprecated)  1995FSSL 2.0

    (2011೥ deprecated)  1996FSSL 3.0 (2015೥ deprecated)

  6. 1)uŸ£‡l  1999FTLS 1.0 (2020೥ deprecation ༧ఆ)  2006FTLS 1.1

    (2020೥ deprecation ༧ఆ)  2007FTLS 1.2  2018FTLS 1.3

  7. httpsQ<F]GE  †gtG  ,*  (C

  8. https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences ෮߸ ҉߸ 9BK 9BK 4Vsv = 01010 10111 001010101

    111100100 001011010 101100101 >= 8! J^c\ JMKW eghjl >= 8! J^c\ JMKW eghjl /&A! k£ —’

  9. https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences ෮߸ ҉߸ K 9BK Psv :/&A! k£ —’ =

    01010 10111 001010101 111100100 001011010 101100101 >= 8! J^c\ JMKW eghjl >= 8! J^c\ JMKW eghjl

  10. TLSŽ§Š}pmw w¢mk§‰ {NN K 1) Ti^X` Ti^X`L'D%LK KL{m‘jN2L#;\RW {m‘jN2L#;\RW ClientHello

    ServerHello ServerCertificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished

  11. <F]d_  m§‚N…‰M`epwvUNaWebsGG  ‚…‘zpIPe}“v  HDNS“uv|XI5D]YŠœm§C  ˆG|;80 L_[443

    blG†–QTKaPV  „dgeGhkG’ENAT -3 NAT: Network Address Translation

  12. 'D%Q8Ugfb\ K 9BK 'D%$CF X.509 'D% K {’~pw‰(@ ೝূہ αʔόʔ

    3. ఏग़ 4. ൃߦ 1. ੜ੒ 2. ੜ੒ 5. ճऩ

  13. 6' https://curl.haxx.se/ca/cacert.pem

  14. 'D%_‚m“  %?'@&  DV}‹g–'@  OV '@  EV

    - ֦ு '@ https://security.stackexchange.com/questions/13453/are-all-ssl-certificates-equal OV: Organisation Validated EV: Extended Validated DV: Domain Validated

  15.  ‡GtzpW'@&HŠœm§CI •g’}mG}'@&  s…uip|>?'@&HSANI www.example.com *.example.com www.example.com www.example.jp example.com

    api.example.com 'D%_‚m“ SAN: Subject Alternative Name
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None

  26. ,H  "9F4†”–{fe1,Mozilla,Štn–/   +FCisco,Akamai
  p”v%?FIdenTrust

  27. ˜§{N

  28. https://letsencrypt.org/ja/stats/ 3

  29. https://letsencrypt.org/ja/stats/ 3

  30. https://letsencrypt.org/ja/stats/ 3

  31. https://letsencrypt.org/2020/02/27/one-billion-certs.html

  32. https://certbot.eff.org https://letsencrypt.org/ja/docs/client-options/  certbotr‰–}g–g–x„iGvHpythonI   .Y†”qŠ–q !†N¤

  33. https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment N~¡§ • ACME v1  201674££N  deprecated202076{˜N‰"I

  34. https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment N~¡§ • ACME v1  201674££N  deprecated202076{˜N‰"I •

    ACME v2  201873££N

  35. „ž¥§~_‚m“ https://letsencrypt.org/ja/docs/challenge-types/ • HTTP-01 • DNS-01 {NN^*5 6'(@h0 yN›rNN •

    TLS-SNI-01 (disabled) • TLS-ALPN-01 SNI: Sever Name Indication ALPN: Application Level Protocol Negotiation

  36. HTTP-01 HTTP GET /.well-known/acme-challenge/<token> https://letsencrypt.org/ja/docs/challenge-types/

  37. 8\Rfd_  DV '@&  SAN '@&  B 90

    6 DV: Domain Validation SAN: Subject Alternative Name

  38. hZS[M  ¥N‰+  ‡N~§x U{v|Sa   ˆG|80b=RTZKOWK https://letsencrypt.org/ja/docs/rate-limits/

    https://letsencrypt.org/ja/docs/staging-environment/ “¦ƒw}¡§ ‡N~§x https://acme-v02.api.letsencrypt.org/directory https://acme-staging-v02.api.letsencrypt.org/directory

  39. £N“¦u}

  40. Kubernetes (K8) Docker z§‡‹

  41. ACMEz§˜N§‰  ACME v1 †”|r’  Tim Penner{pm’€G|H20167I https://kb.4d.com/assetid=77671 https://www.youtube.com/watch?v=8CxPWHc4NI8

  42. ACMEz§˜N§‰  ACME v2 †”|r’  $:Z4D v15U9H20187I  ):Z4D

    v18†”uip|ŒG}U  OpenSSL 1.0.2oH201873 Ig~‘ „dg’<N  HTTP-01y“–u  SAN'@&sˆG|

  43. ˆ§‰¥N}¡§

  44. {m‘j£‰ C_TEXT($ciphers) $ciphers:=\ "ECDHE-RSA-AES128-GCM-SHA256:"+\ "ECDHE-RSA-AES256-GCM-SHA384:"+\ "ECDHE-RSA-CHACHA20-POLY1305:"+\ "DHE-RSA-AES128-GCM-SHA256:"+\ "DHE-RSA-AES256-GCM-SHA384" SET DATABASE

    PARAMETER(SSL cipher list;$ciphers) • 4D v12 ஫هɿઃఆ͸ΫϥΠΞϯτ/αʔόʔ௨৴ͷ҉߸Խʹ΋Өڹ͢Δ

  45. uŸ£‡l https://blog.4d.com/higher-security-ranking-for-4d-web-sites/ • 4D v16 R6 • RC4 disabled •

    PFS enabled • DH or ECDH • "dhparams.pem" DH: Diffie Hellman ECDH: Elliptic Curve Diffie Hellman PFS: Perfect Forward Secrecy RC4: Rivest Cypher 4

  46. uŸ£‡l https://blog.4d.com/higher-security-ranking-for-4d-web-sites/ • 4D v17 • HSTS option HSTS: HTTP

    Strict Transport Security // ϒϥ΢βʹHTTPSݶఆΞΫηεΛཁٻ͢Δظݶ WEB SET OPTION(Web HSTS max age;31536000) //365೔ // 4D Web serverͷHSTSΛ༗ޮʹ WEB SET OPTION(Web HSTS enabled;1) // 4D Web serverͷHTTPΛ༗ޮʹ WEB SET OPTION(Web HTTP enabled;1) // 4D Web serverͷHTTPSΛ༗ޮʹ WEB SET OPTION(Web HTTPS enabled;1)

  47. uŸ£‡l https://blog.4d.com/higher-security-ranking-for-4d-web-sites/ • 4D v17 • HSTS option HSTS: HTTP

    Strict Transport Security curl -I https://www.example.com HTTP/1.1 200 OK Accept-Ranges: bytes Connection: keep-alive Content-Length: 3322 Content-Type: text/html Date: Sat, 23 May 2020 07:30:54 GMT Last-Modified: Sat, 18 Apr 2020 08:53:28 GMT Server: 4D/17.6.0 Strict-Transport-Security: max-age=31536000; includeSubDomains

  48. {NN(@ • 4D v16 R6 • WEB Get server info

    { "started": false, "uptime": 0, "httpRequestCount": 0, "startMode": "manual", "SOAPServerStarted": false, "security": { "HTTPEnabled": false, "HTTPSEnabled": false, "openSSLVersion": "OpenSSL 1.1.1d 10 Sep 2019", "cipherSuite": "TLS_AES_256_GCM_SHA384:..:CAMELLIA128-SHA", "minTLSVersion": "1.2", "perfectForwardSecrecy": false, "HSTSEnabled": false, "HSTSMaxAge": 63072000 }, "options": {...

  49. DNS: Domain Name Server CAA: Certification Authority Authorisation • DNS

    CAA dig caa www.example.com www.example.com. IN CAA 0 issue "amazon.com" www.example.com. IN CAA 0 issue "amazonaws.com" www.example.com. IN CAA 0 issue "amazontrust.com" www.example.com. IN CAA 0 issue "awstrust.com" www.example.com. IN CAA 0 issue "letsencrypt.org" www.example.com. IN CAA 0 issuewild "letsencrypt.org" {NN'D%86'2

  50. z§‡§†_O  HTTP”…ƒNb2Sa  -/URLbHTMLX #QWK  "https everywhere"jpv{–t–bCSa https://www.eff.org/https-everywhere

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Content-Security-Policy: upgrade-insecure-request <script src="//example.com/scripts.code.js"></scripts>

  51. ˆ§‰¥N}¡§

  52. uŸ£‡l_„p…w  SSL/TLSY-3b'QT<OSasGƒv  {NNYwoŽ‘{fZ>A0

  53. N~¡§?zk 4D ɹvre -3 12.6 F SSL 2.0, 3.0, TLS

    1.0 with DES, RC4 13.6 F TLS 1.0, 1.1, 1.2 with DES, RC4 14.5 B TLS 1.0, 1.1, 1.2 with RC4 15.6 B TLS 1.0, 1.1, 1.2 with RC4 16.6 B TLS 1.0, 1.1, 1.2 with RC4 17.4 A or A+ TLS 1.2 PFS HSTS 18.0 A or A+ TLS 1.2 PFS HSTS

  54. • Let's Encrypt • Mozilla • SSL and TLS Deployment

    Best Practices https://letsencrypt.org https://wiki.mozilla.org/Security/Server_Side_TLS https://ssl-config.mozilla.org https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ https://www.feistyduck.com/library/openssl-cookbook/  J

  55. • An Introduction to Let's Encrypt by April King from

    Mozilla • Let's Encrypt: A Free, Automated and Open Certificate Authority by Josh Aas https://www.youtube.com/watch?v=ksqTu7TX83g https://www.youtube.com/watch?v=W_OBpJmrKOc  J

  56. • Encrypt the Web For $0 by Yan Zhu •

    Let's Encrypt: Minting Free Certs to Encrypt the Entire Web by Yan Zhu https://www.youtube.com/watch?v=n9Fe68xgKUw https://www.youtube.com/watch?v=Ya6t8nMclos  J