SSL Deployment Best Practices Jan Krutisch Ruby Usergroup Hamburg https://jan.krutisch.de/ PGP-Key: A3E52A33 CF40 36B2 DBC8 83BA 29F1 3745 D400 34B1 A3E5 2A33 

SSL? TLS? 

Source: http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:voip:tls_sips_rtps 

Certificates 

Free Not free Self signed CACert Commercial 

Self signed 

Security vs. Trust 

No content

Let’s go shopping http://www.flickr.com/photos/prozla/4937459350/ 

No content

Deployment 

TL;DR version 

Apache 

SSLEngine on SSLCertificateFile /etc/ssl/private/cert.crt SSLCertificateKeyFile /etc/ssl/private/private_key.key ! SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt 

Nginx 

ssl on; ssl_certificate /etc/ssl/certs/ssl-bundle.crt; ssl_certificate_key /etc/ssl/private/private_key.key; 

Test! 

https://www.ssllabs.com/ssltest/ 

https://www.ssllabs.com/ssltest/ Dafuq?!? 

No content

Common issues 

Common issues according to my story 

Cert Chain 

No content

Cipher Suites 

RC4 vs. BEAST 

TLS compression (CRIME) 

BREACH? 

Forward Secrecy 

EDH vs. EECDH 

Ephemeral (Elliptic Curve) Diffie Hellman 

# Apache SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" ! # Nginx ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy 

No content

Bam! 

Domains vs. IPs 

Server Name Indication 

No content

No content