Let's Encrypt 証明書を使ってみよう！（4D Summit 2020より）

Let’s Encrypt 'D%hY[cePM by Bruno Legay Let’s Encrypt® certiﬁcates with
4D https://www.ac-consulting.fr

_acZ .1ੈلF}N|NtmoL £oLsq{¤

_acZ 1553F¨l~p¤¥NLL¨l~¤ 1923Fqx k¤nN¤L}p¤o 1940Fk¢§LN£§x

_acZ 1976FmlN¤LllNNl§L¤§ 1977F¦¤L£klL}k¥r¤LqN¤§ 1985F¤Lq¤t¤

1)u£l 1994FSSL 1.0 Netscape Navigator (deprecated) 1995FSSL 2.0
(2011೥ deprecated) 1996FSSL 3.0 (2015೥ deprecated)

1)u£l 1999FTLS 1.0 (2020೥ deprecation ༧ఆ) 2006FTLS 1.1
(2020೥ deprecation ༧ఆ) 2007FTLS 1.2 2018FTLS 1.3

httpsQ<F]GE gtG ,* (C

https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences ෮߸ ҉߸ 9BK 9BK 4Vsv = 01010 10111 001010101
111100100 001011010 101100101 >= 8! J^c\ JMKW eghjl >= 8! J^c\ JMKW eghjl /&A! k£

https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences ෮߸ ҉߸ K 9BK Psv :/&A! k£ =
01010 10111 001010101 111100100 001011010 101100101 >= 8! J^c\ JMKW eghjl >= 8! J^c\ JMKW eghjl

TLS§}pmw w¢mk§ {NN K 1) Ti^X` Ti^X`L'D%LK KL{mjN2L#;\RW {mjN2L#;\RW ClientHello
ServerHello ServerCertificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished

<F]d_ m§NM`epwvUNaWebsGG zpIPe}v HDNSuv|XI5D]Ym§C G|;80 L_[443
blGQTKaPV dgeGhkGENAT -3 NAT: Network Address Translation

'D%Q8Ugfb\ K 9BK 'D%$CF X.509 'D% K {~pw(@ ೝূہ αʔόʔ
3. ఏग़ 4. ൃߦ 1. ੜ੒ 2. ੜ੒ 5. ճऩ

6' https://curl.haxx.se/ca/cacert.pem

'D%_m %?'@& DV}g'@ OV '@ EV
- ֦ு '@ https://security.stackexchange.com/questions/13453/are-all-ssl-certiﬁcates-equal OV: Organisation Validated EV: Extended Validated DV: Domain Validated

GtzpW'@&Hm§CI g}mG}'@& suip|>?'@&HSANI www.example.com *.example.com www.example.com www.example.jp example.com
api.example.com 'D%_m SAN: Subject Alternative Name

,H "9F4{fe1,Mozilla,tn/ +FCisco,Akamai  pv%?FIdenTrust

https://letsencrypt.org/ja/stats/ 3

https://letsencrypt.org/2020/02/27/one-billion-certs.html

https://certbot.eff.org https://letsencrypt.org/ja/docs/client-options/ certbotr}ggxiGvHpythonI .Yqq !N¤

https://en.wikipedia.org/wiki/Automated_Certiﬁcate_Management_Environment N~¡§ • ACME v1 201674££N deprecated202076{N"I

https://en.wikipedia.org/wiki/Automated_Certiﬁcate_Management_Environment N~¡§ • ACME v1 201674££N deprecated202076{N"I •
ACME v2 201873££N

¥§~_m https://letsencrypt.org/ja/docs/challenge-types/ • HTTP-01 • DNS-01 {NN^*5 6'(@h0 yNrNN •
TLS-SNI-01 (disabled) • TLS-ALPN-01 SNI: Sever Name Indication ALPN: Application Level Protocol Negotiation

HTTP-01 HTTP GET /.well-known/acme-challenge/<token> https://letsencrypt.org/ja/docs/challenge-types/

8\Rfd_ DV '@& SAN '@& B 90
6 DV: Domain Validation SAN: Subject Alternative Name

hZS[M ¥N+ N~§x U{v|Sa G|80b=RTZKOWK https://letsencrypt.org/ja/docs/rate-limits/
https://letsencrypt.org/ja/docs/staging-environment/ ¦w}¡§ N~§x https://acme-v02.api.letsencrypt.org/directory https://acme-staging-v02.api.letsencrypt.org/directory

£N¦u}

Kubernetes (K8) Docker z§

ACMEz§N§ ACME v1 |r Tim Penner{pmG|H20167I https://kb.4d.com/assetid=77671 https://www.youtube.com/watch?v=8CxPWHc4NI8

ACMEz§N§ ACME v2 |r $:Z4D v15U9H20187I ):Z4D
v18uip|G}U OpenSSL 1.0.2oH201873 Ig~ dg<N HTTP-01yu SAN'@&sG|

§¥N}¡§

{mj£ C_TEXT($ciphers) $ciphers:=\ "ECDHE-RSA-AES128-GCM-SHA256:"+\ "ECDHE-RSA-AES256-GCM-SHA384:"+\ "ECDHE-RSA-CHACHA20-POLY1305:"+\ "DHE-RSA-AES128-GCM-SHA256:"+\ "DHE-RSA-AES256-GCM-SHA384" SET DATABASE
PARAMETER(SSL cipher list;$ciphers) • 4D v12 ஫هɿઃఆ͸ΫϥΠΞϯτ/αʔόʔ௨৴ͷ҉߸Խʹ΋Өڹ͢Δ

u£l https://blog.4d.com/higher-security-ranking-for-4d-web-sites/ • 4D v16 R6 • RC4 disabled •
PFS enabled • DH or ECDH • "dhparams.pem" DH: Difﬁe Hellman ECDH: Elliptic Curve Difﬁe Hellman PFS: Perfect Forward Secrecy RC4: Rivest Cypher 4

u£l https://blog.4d.com/higher-security-ranking-for-4d-web-sites/ • 4D v17 • HSTS option HSTS: HTTP
Strict Transport Security // ϒϥ΢βʹHTTPSݶఆΞΫηεΛཁٻ͢Δظݶ WEB SET OPTION(Web HSTS max age;31536000) //365೔ // 4D Web serverͷHSTSΛ༗ޮʹ WEB SET OPTION(Web HSTS enabled;1) // 4D Web serverͷHTTPΛ༗ޮʹ WEB SET OPTION(Web HTTP enabled;1) // 4D Web serverͷHTTPSΛ༗ޮʹ WEB SET OPTION(Web HTTPS enabled;1)

u£l https://blog.4d.com/higher-security-ranking-for-4d-web-sites/ • 4D v17 • HSTS option HSTS: HTTP
Strict Transport Security curl -I https://www.example.com HTTP/1.1 200 OK Accept-Ranges: bytes Connection: keep-alive Content-Length: 3322 Content-Type: text/html Date: Sat, 23 May 2020 07:30:54 GMT Last-Modified: Sat, 18 Apr 2020 08:53:28 GMT Server: 4D/17.6.0 Strict-Transport-Security: max-age=31536000; includeSubDomains

{NN(@ • 4D v16 R6 • WEB Get server info
{ "started": false, "uptime": 0, "httpRequestCount": 0, "startMode": "manual", "SOAPServerStarted": false, "security": { "HTTPEnabled": false, "HTTPSEnabled": false, "openSSLVersion": "OpenSSL 1.1.1d 10 Sep 2019", "cipherSuite": "TLS_AES_256_GCM_SHA384:..:CAMELLIA128-SHA", "minTLSVersion": "1.2", "perfectForwardSecrecy": false, "HSTSEnabled": false, "HSTSMaxAge": 63072000 }, "options": {...

DNS: Domain Name Server CAA: Certiﬁcation Authority Authorisation • DNS
CAA dig caa www.example.com www.example.com. IN CAA 0 issue "amazon.com" www.example.com. IN CAA 0 issue "amazonaws.com" www.example.com. IN CAA 0 issue "amazontrust.com" www.example.com. IN CAA 0 issue "awstrust.com" www.example.com. IN CAA 0 issue "letsencrypt.org" www.example.com. IN CAA 0 issuewild "letsencrypt.org" {NN'D%86'2

z§§_O HTTPNb2Sa -/URLbHTMLX #QWK "https everywhere"jpv{tbCSa https://www.eff.org/https-everywhere
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Content-Security-Policy: upgrade-insecure-request <script src="//example.com/scripts.code.js"></scripts>

§¥N}¡§

u£l_pw SSL/TLSY-3b'QT<OSasGv {NNYwo{fZ>A0

N~¡§?zk 4D ɹvre -3 12.6 F SSL 2.0, 3.0, TLS
1.0 with DES, RC4 13.6 F TLS 1.0, 1.1, 1.2 with DES, RC4 14.5 B TLS 1.0, 1.1, 1.2 with RC4 15.6 B TLS 1.0, 1.1, 1.2 with RC4 16.6 B TLS 1.0, 1.1, 1.2 with RC4 17.4 A or A+ TLS 1.2 PFS HSTS 18.0 A or A+ TLS 1.2 PFS HSTS

• Let's Encrypt • Mozilla • SSL and TLS Deployment
Best Practices https://letsencrypt.org https://wiki.mozilla.org/Security/Server_Side_TLS https://ssl-conﬁg.mozilla.org https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ https://www.feistyduck.com/library/openssl-cookbook/ J

• An Introduction to Let's Encrypt by April King from
Mozilla • Let's Encrypt: A Free, Automated and Open Certiﬁcate Authority by Josh Aas https://www.youtube.com/watch?v=ksqTu7TX83g https://www.youtube.com/watch?v=W_OBpJmrKOc J

• Encrypt the Web For $0 by Yan Zhu •
Let's Encrypt: Minting Free Certs to Encrypt the Entire Web by Yan Zhu https://www.youtube.com/watch?v=n9Fe68xgKUw https://www.youtube.com/watch?v=Ya6t8nMclos J

Let's Encrypt 証明書を使ってみよう！（4D Summit 2020より）

Let's Encrypt 証明書を使ってみよう！（4D Summit 2020より）

More Decks by 4D Japan

Other Decks in Programming

Featured

Transcript