Slide 1

SSL All The Things
Django and SSL

Slide 2

Markus Holtermann
Senior Software Engineer at LaterPay
Django Core Developer
@m_holtermann • github.com/MarkusH • markusholtermann.eu

Slide 3

EASY MICROPAYMENTS FOR YOUR FAVORITE CONTENT
USE NOW, PAY LATER.
@laterpay • github.com/laterpay • laterpay.net
We are hiring

Slide 4

Slide 5

Disclaimer

Slide 6

What is SSL / TLS?

Slide 7

Webserver configuration

Slide 8

Apache 2 / httpd

ServerName example.com
SSLEngine on
# Details at https://cipherli.st/
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLCertificateFile /etc/nginx/ssl/example.com.crt
SSLCertificateKeyFile /etc/nginx/ssl/example.com.key
SSLOpenSSLConfCmd DHParameters "/etc/nginx/ssl/example.com.dh"

Slide 9

Nginx

# nginx virtual host; the block keyword is "server" ("host" is not an nginx directive)
server {
    listen [::]:443 ssl;
    server_name example.com;
    # Details at https://cipherli.st/
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_dhparam /etc/nginx/ssl/example.com.dh;
}

Slide 10

What is Let’s Encrypt?

Slide 11

Diagram: Trust Store (Root CA 1, Root CA 2, Root CA 3) → Intermediate CA 1, Intermediate CA 2, Intermediate CA 3 → Certs

Slide 12

What is Let’s Encrypt?

Slide 13

The ACME Process

Diagram: what the client holds
● Account Key
● Certificate Key
● Certificate Signing Request

Slide 14

The ACME Process

Diagram: client side holds the Account Key (its Public Account Key is registered), the Certificate Key and the Certificate Signing Request. Exchange with the CA:
● new-reg: register the Public Account Key
● new-authz: receive Challenges
● Write Challenges (client) → Check challenge (CA)
● new-cert: send the Certificate Signing Request, get the Certificate
● Retrieve Certificate

Slide 15

Apache 2 / httpd

ServerName example.com
Redirect / https://example.com/
Alias "/.well-known/acme-challenge/" "/srv/http/acme-challenges/"
AllowOverride None
Options None
Require all granted

Slide 16

Nginx

# nginx virtual host; the block keyword is "server" ("host" is not an nginx directive)
server {
    listen [::]:80;
    server_name example.com;
    # serve the ACME challenge files over plain HTTP, everything else goes to HTTPS
    location /.well-known/acme-challenge/ {
        alias /srv/http/acme-challenges/;
        try_files $uri =404;
    }
    location / {
        return 301 https://example.com$request_uri;
    }
}
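The challenge step of slide 14 ("Write Challenges" / "Check challenge") together with the alias directories of slides 15 and 16, as a worked example. This is added code, not from the talk or from acme-tiny; it uses only the Python standard library. The account JWK, the second "other account" JWK and the token are constructed (the modulus is not a real RSA key), and `acme_dir` is a temporary directory standing in for `/srv/http/acme-challenges/`. It derives the RFC 7638 thumbprint of the account key, builds the HTTP-01 key authorization (`<token>.<thumbprint>`), writes the challenge file the way the client does, and checks it the way the CA does when it fetches `/.well-known/acme-challenge/<token>`; a file written for a different account key or a token that was never written must not validate.

```python
import base64
import hashlib
import json
import os
import re
import tempfile

# Tokens issued by the CA are base64url strings; anything else must not
# become a file name under the challenge directory (no "/", no "..").
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA public JWK.

    Only the required members (e, kty, n) are hashed, sorted and without
    whitespace, so extra members such as "kid" and the order of the input
    dict do not change the result.
    """
    canonical = json.dumps(
        {"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]},
        sort_keys=True,
        separators=(",", ":"),
    )
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def write_challenge(acme_dir: str, token: str, account_jwk: dict) -> str:
    """Client side ("Write Challenges"): drop the key authorization into the
    directory the web server aliases. Returns the file path written."""
    if not TOKEN_RE.match(token):
        raise ValueError(f"refusing token that is not base64url: {token!r}")
    path = os.path.join(acme_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def check_challenge(acme_dir: str, token: str, account_jwk: dict) -> bool:
    """CA side ("Check challenge"): fetch the token URL (here: read the file
    the server would serve via try_files) and compare it with what the
    registered account key predicts. A missing file is the 404 case."""
    if not TOKEN_RE.match(token):
        return False
    try:
        with open(os.path.join(acme_dir, token), encoding="ascii") as fh:
            body = fh.read().strip()
    except OSError:
        return False
    return body == key_authorization(token, account_jwk)


# Constructed stand-ins for the public part of two account keys: "n" is not a
# real modulus, just 256 deterministic bytes so the demo is repeatable.
CONSTRUCTED_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(256)))}
OTHER_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(reversed(range(256))))}


def demo() -> tuple:
    """Run the exchange in a temporary challenge directory.

    Returns (valid, wrong_account, unknown_token): only the first is True,
    because a challenge answered with another account's key, or a token the
    client never wrote, must not validate.
    """
    token = "constructed-token-ABC123_xyz"  # constructed, not a CA-issued token
    with tempfile.TemporaryDirectory() as acme_dir:
        write_challenge(acme_dir, token, CONSTRUCTED_ACCOUNT_JWK)
        valid = check_challenge(acme_dir, token, CONSTRUCTED_ACCOUNT_JWK)
        wrong_account = check_challenge(acme_dir, token, OTHER_ACCOUNT_JWK)
        unknown_token = check_challenge(acme_dir, "nosuchtoken", CONSTRUCTED_ACCOUNT_JWK)
    return valid, wrong_account, unknown_token


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The token check matters on the client side: the challenge directory is served by the web server, so a token must never be able to name a file outside it.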

Slide 17

How to use Let’s Encrypt?

Slide 18

Using Let’s Encrypt

python3 /etc/acme-tiny/acme-tiny.py \
    --account-key "/etc/acme-tiny/account.key" \
    --csr "/etc/acme-tiny/example.com.csr" \
    --acme-dir "/srv/www/acme-challenges" \
    --output "/etc/nginx/ssl/example.com.crt" \
    --combine "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"

Slide 19

Adjusting Django

● Use “secure” cookies: set CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE to True

import os

# Cookies are only sent over HTTPS when the deployment sets SECURE_COOKIES=yes
CSRF_COOKIE_SECURE = os.getenv('SECURE_COOKIES') == 'yes'
SESSION_COOKIE_SECURE = os.getenv('SECURE_COOKIES') == 'yes'

● https://docs.djangoproject.com/en/dev/topics/security/

Slide 20

What I didn’t cover … but want to mention

Slide 21

Certificate Revocation

Slide 22

Changing the Account Key

Slide 23

HSTS: HTTP Strict Transport Security

Slide 24

HPKP: HTTP Public Key Pinning

Slide 25

Usage for other services

Slide 26

Things that could go wrong: an incomplete list

Slide 27

HSTS / HPKP

Slide 28

Leaked Keys

Slide 29

Resource Usage

Slide 30

Sources

● https://cipherli.st/
● https://www.ssllabs.com/ssltest/index.html
● https://hynek.me/talks/tls/
● https://ssldecoder.org/
● https://securityheaders.io/
● https://github.com/ietf-wg-acme/acme/blob/bf34c2a/draft-ietf-acme-acme.md
● https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html

Slide 31

Thanks
@m_holtermann • github.com/MarkusH • markusholtermann.eu • laterpay.net
Questions?