
How to configure HTTPS: the SSL Configuration Generator can help

This post covers the SSL configuration tool developed at Mozilla.

Below: what it can do, and other utilities for hardening sites.


Photo - Lai Man Nung - Unsplash

Why a generator is needed


Before turning to what the tool can do, a word about its purpose. An HTTPS connection uses cryptography in four places: in the key exchange, in the certificate that authenticates the server, in the encryption of application data, and in the integrity check (the MAC, or hash digest) on that data.

Each role is filled by an algorithm the client and server negotiate during the handshake: an asymmetric (public-key) algorithm for key exchange and authentication, a symmetric cipher for encrypting messages, and a hash function for the digest.

For example, the ECDHE-ECDSA-CHACHA20-POLY1305 cipher suite means that keys are exchanged with elliptic-curve Diffie-Hellman (ECDHE). The E stands for ephemeral: a fresh key pair is used for a single connection and then discarded, which gives the session forward secrecy. ECDSA (Elliptic Curve Digital Signature Algorithm) is how the server authenticates itself: its certificate carries an ECDSA public key, and it signs the handshake with the matching private key (the algorithm the certificate authority used to sign the certificate itself is a separate matter and is not part of the suite name). Messages are encrypted with the ChaCha20 stream cipher, and Poly1305 protects their integrity by computing a 16-byte authenticator over each record.

A complete list of the available algorithm combinations can be found on the Mozilla wiki page.

There are tools available online that help configure the cryptographic settings a server offers. One of them is the SSL Configuration Generator developed at Mozilla.

What it offers


Mozilla offers three recommended configurations (profiles) for servers using TLS:

Modern: for services whose clients are all recent browsers; TLS 1.3 only.
Intermediate: the default recommendation, compatible with most clients; TLS 1.2 and 1.3.
Old: for services that must still serve very old clients, and therefore also enables legacy protocol versions.

For example, the first profile (Modern) allows TLS 1.3 only. Its suites combine an authenticated cipher, AES-128 or AES-256 in GCM mode or ChaCha20-Poly1305, with SHA-256 or SHA-384, which in TLS 1.3 serves as the hash for key derivation and the handshake transcript rather than as a per-message MAC. A suite from this profile looks like TLS_AES_256_GCM_SHA384.

The second profile (Intermediate) also accepts TLS 1.2, so its list of cipher suites is much longer: TLS 1.3 dropped many suites for the sake of security, which is why the TLS 1.3-only profile needs so few. There is also a naming difference. A TLS 1.3 suite name such as TLS_AES_256_GCM_SHA384 describes only the cipher and the hash; the key exchange and the certificate type are negotiated separately. TLS 1.2 suite names spell out all four roles, so the intermediate configuration lists suites such as ECDHE-RSA-AES128-GCM-SHA256: ephemeral Diffie-Hellman for the key exchange with an RSA certificate for authentication.
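To make the decomposition described in the last few paragraphs concrete, here is an added Python example (not part of the original article and not Mozilla's tooling) that splits a suite name into its four roles. It goes a little beyond the text: besides the OpenSSL-style names used in Apache and nginx configs (ECDHE-ECDSA-CHACHA20-POLY1305) and the TLS 1.3 names (TLS_AES_256_GCM_SHA384), it also reads IANA-style TLS 1.2 names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). The `review()` rules are my own summary of what a practitioner looks for in a suite list, not a Mozilla scoring rule.

```python
"""Split TLS cipher-suite names into the four roles the article describes.

Added example, not from the article or from Mozilla's tooling. Three
naming styles are handled:
  * OpenSSL names as used in Apache/nginx configs: ECDHE-ECDSA-CHACHA20-POLY1305
  * IANA TLS 1.2 names:                            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  * TLS 1.3 names:                                 TLS_AES_256_GCM_SHA384
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEY_EXCHANGE = {"ECDHE", "DHE", "ECDH", "DH", "RSA", "PSK", "SRP", "ADH", "AECDH"}
AUTHENTICATION = {"RSA", "ECDSA", "DSS", "PSK", "anon"}
ANON_ALIASES = {"ADH": "DH", "AECDH": "ECDH"}  # OpenSSL shorthand for anonymous DH
AEAD_MODES = {"GCM", "CCM", "POLY1305"}


@dataclass
class CipherSuite:
    name: str
    key_exchange: Optional[str]    # None for TLS 1.3: negotiated outside the suite
    authentication: Optional[str]  # None for TLS 1.3: given by the certificate type
    cipher: str                    # bulk cipher and mode, e.g. AES128-GCM
    hash_or_mac: str               # HMAC hash for non-AEAD suites, PRF/HKDF hash for AEAD
    aead: bool
    tls13: bool

    def forward_secrecy(self) -> bool:
        """Ephemeral (EC)DH gives forward secrecy; TLS 1.3 allows nothing else."""
        return self.tls13 or self.key_exchange in {"ECDHE", "DHE"}


def _split_tail(tokens: List[str]) -> Tuple[List[str], str]:
    """Separate the trailing hash/MAC token from the cipher tokens."""
    last = tokens[-1]
    if last.startswith(("SHA", "MD5")) or last == "POLY1305":
        return tokens[:-1], last
    return tokens, "SHA256"  # CCM suites without a hash suffix (RFC 6655) use SHA-256 as PRF


def _build(kx_auth: List[str], rest: List[str], name: str) -> CipherSuite:
    if not kx_auth:
        kx = auth = "RSA"          # bare names like AES128-SHA mean RSA key transport
    elif len(kx_auth) == 1:
        kx = auth = kx_auth[0]     # one algorithm does both jobs (RSA, PSK) ...
        if kx in ANON_ALIASES:     # ... or anonymous DH, which authenticates nobody
            kx, auth = ANON_ALIASES[kx], "anon"
    else:
        kx, auth = kx_auth[0], kx_auth[1]
    cipher_tokens, hash_or_mac = _split_tail(rest)
    return CipherSuite(name, kx, auth, "-".join(cipher_tokens), hash_or_mac,
                       aead=bool(AEAD_MODES & set(rest)), tls13=False)


def parse_cipher_suite(name: str) -> CipherSuite:
    if name.startswith("TLS_"):
        tokens = name[4:].split("_")
        if "WITH" in tokens:       # IANA TLS 1.2 style: TLS_<kx>_<auth>_WITH_<cipher>_<hash>
            i = tokens.index("WITH")
            return _build(tokens[:i], tokens[i + 1:], name)
        # TLS 1.3 style: TLS_<AEAD cipher>_<HKDF hash>; no kx or auth in the name at all
        return CipherSuite(name, None, None, "-".join(tokens[:-1]), tokens[-1],
                           aead=True, tls13=True)
    tokens = name.split("-")       # OpenSSL style: [kx-[auth-]]cipher...-hash
    kx_auth: List[str] = []
    if tokens[0] in KEY_EXCHANGE:
        kx_auth.append(tokens.pop(0))
        if tokens and tokens[0] in AUTHENTICATION:
            kx_auth.append(tokens.pop(0))
    return _build(kx_auth, tokens, name)


def review(name: str) -> List[str]:
    """Weaknesses a practitioner checks for when a suite appears in a config."""
    s = parse_cipher_suite(name)
    findings: List[str] = []
    if not s.forward_secrecy():
        findings.append("no forward secrecy: static key exchange")
    if not s.aead:
        findings.append("non-AEAD cipher: MAC-then-encrypt")
    if s.hash_or_mac in ("SHA", "MD5"):   # OpenSSL writes SHA-1 as plain SHA
        findings.append(f"legacy HMAC: {s.hash_or_mac}")
    if s.authentication == "anon":
        findings.append("anonymous suite: no server authentication")
    if any(weak in s.cipher for weak in ("RC4", "DES", "NULL")):
        findings.append(f"obsolete cipher: {s.cipher}")
    return findings


if __name__ == "__main__":
    for suite in ("ECDHE-ECDSA-CHACHA20-POLY1305", "TLS_AES_256_GCM_SHA384",
                  "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"):
        print(suite, parse_cipher_suite(suite), review(suite) or "ok")
```

Running it shows the point of the naming difference directly: the TLS 1.3 suite comes back with `key_exchange=None` and `authentication=None`, while the bare OpenSSL name AES128-SHA resolves to RSA key transport, a non-AEAD cipher and SHA-1, all three of which `review()` flags.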

Given the chosen profile, the server software and its version, and the OpenSSL version, the SSL Configuration Generator produces a ready-made configuration snippet. You can pick from Apache, HAProxy, MySQL, nginx, PostgreSQL and five other server programs. Here is an example of a Modern configuration for Apache:

# generated 2019-07-04, https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=modern
# requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs
    SSLCertificateKeyFile   /path/to/private_key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

The generated configuration can be dropped into your project: edit the certificate and private key paths and reload the server. However, as one Hacker News commenter notes, it is important to select the correct server version to get the right output; the output for nginx 1.0 and nginx 1.4, for instance, differs significantly. It is also said that in some cases you will have to hand-tune part of the generated cipher suite list to keep backward compatibility while still scoring well on site-scanning services.
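Before trusting a generated snippet, it is worth checking what it actually enables: which protocol versions survive the `SSLProtocol` line, whether HSTS is set with a long max-age, and whether session tickets are off. The Python below is an added example, not part of the article or of Mozilla's generator. It models Apache's `SSLProtocol` add/remove semantics and nginx's `ssl_protocols` list in simplified form (an assumption: `all` is taken to mean every version up to TLS 1.3, as on a build against OpenSSL 1.1.1), and uses six months as the HSTS floor, the bar Observatory's HSTS test expects. `MODERN_APACHE` is the relevant lines of the article's snippet above; `LEGACY_APACHE` is constructed for contrast.

```python
"""Evaluate what a generated TLS config actually enables.

Added example, not from the article or from Mozilla's generator. It models
(in simplified form) how Apache's SSLProtocol and nginx's ssl_protocols are
read, then reports the things a reviewer checks first: deprecated protocol
versions, HSTS and its max-age, and session tickets.
"""
import re
from typing import Dict, List, Optional, Set

# Assumption: the server is built against an OpenSSL with TLS 1.3 support, so
# Apache's 'all' expands to every one of these versions.
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}      # deprecated by RFC 7568 and RFC 8996
HSTS_FLOOR = 15768000                            # six months, the bar Observatory expects

# The lines of the article's Modern Apache snippet that matter to this check.
MODERN_APACHE = """\
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets off
Header always set Strict-Transport-Security "max-age=63072000"
"""

# Constructed weak configuration for contrast: TLS 1.0/1.1 stay on, no HSTS,
# session tickets left at their default (on).
LEGACY_APACHE = """\
SSLProtocol all -SSLv3
SSLHonorCipherOrder on
"""


def apache_protocols(value: str) -> Set[str]:
    """Apply Apache SSLProtocol tokens in order: 'all' expands to every version,
    '+name' adds, '-name' removes, a bare name adds. Returns what is left enabled."""
    enabled: Set[str] = set()
    for token in value.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else [name]
        if op == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled


def nginx_protocols(value: str) -> Set[str]:
    """nginx ssl_protocols is a plain list of the versions to enable."""
    return set(value.rstrip(";").split())


def audit_config(text: str) -> Dict[str, object]:
    enabled: Set[str] = set()
    hsts_max_age: Optional[int] = None
    tickets_off = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (naive: no '#' inside values)
        if not line:
            continue
        m = re.match(r"SSLProtocol\s+(.+)$", line)
        if m:
            enabled = apache_protocols(m.group(1))
            continue
        m = re.match(r"ssl_protocols\s+(.+?);?$", line)
        if m:
            enabled = nginx_protocols(m.group(1))
            continue
        m = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', line)
        if m:
            hsts_max_age = int(m.group(1))
            continue
        if re.match(r"(SSLSessionTickets|ssl_session_tickets)\s+off", line):
            tickets_off = True

    findings: List[str] = []
    weak = [p for p in ALL_PROTOCOLS if p in enabled and p in DEPRECATED]
    if weak:
        findings.append("deprecated protocol versions enabled: " + ", ".join(weak))
    if hsts_max_age is None:
        findings.append("no Strict-Transport-Security header")
    elif hsts_max_age < HSTS_FLOOR:
        findings.append(f"HSTS max-age {hsts_max_age} is below six months")
    if not tickets_off:
        # Both servers default to tickets on; without ticket-key rotation the
        # long-lived ticket key undermines the forward secrecy ECDHE provides.
        findings.append("session tickets not disabled (default on); rotate keys or turn off")
    return {"protocols": [p for p in ALL_PROTOCOLS if p in enabled], "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("modern", MODERN_APACHE), ("legacy", LEGACY_APACHE)):
        print(label, audit_config(cfg))
```

The order of the `SSLProtocol` tokens matters: `all -SSLv3` leaves TLS 1.0 and 1.1 on, which is exactly the kind of leftover the Hacker News comment above warns about when the wrong server version is selected.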

Other tools that help protect sites


Mozilla has several other utilities for checking how secure a site is once TLS has been configured.

The first is the Mozilla Observatory. The company originally built it to check the security of its own domains; it is now available to everyone, along with its source code. Observatory scans a site's HTTP responses for common weaknesses, among them cookies set without protective flags, missing defences against XSS such as a Content Security Policy, and whether plain HTTP is redirected to HTTPS. After the scan it produces a set of recommendations for improving the site's security.
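As an added illustration of what "cookies set without protective flags" means in such a scan (my own example over constructed Set-Cookie headers, not Observatory's code): a cookie without Secure is also sent over plain HTTP, a session cookie without HttpOnly is readable by script injected through XSS, and a cookie without SameSite=Lax or Strict is attached to cross-site requests. Deciding which cookies are session cookies by their name is a heuristic assumption.

```python
"""Flag Set-Cookie headers that a header scanner would call risky.

Added example with constructed headers; the rules are a plain summary of
common guidance, not Observatory's own test code.
"""
from typing import Dict, List

# Heuristic (assumption): a cookie whose name contains one of these is treated
# as a session/authentication cookie, which is where HttpOnly matters most.
SESSION_HINTS = ("sess", "sid", "token", "auth")

# Constructed sample headers from one response: the first two are fine, the third is not.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/; Secure; SameSite=Lax",
    "sessionid=abc123; Path=/",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Return {'name': ..., 'value': ..., <attribute lowercased>: value or 'true'}."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")   # first '=' only: values may contain '='
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")       # flags like Secure carry no value
        cookie[key.strip().lower()] = val.strip() or "true"
    return cookie


def is_session_cookie(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_HINTS)


def audit_cookie(header: str) -> List[str]:
    """One finding per missing protection, prefixed with the cookie name."""
    c = parse_set_cookie(header)
    issues: List[str] = []
    if "secure" not in c:
        issues.append("missing Secure flag (also sent over plaintext HTTP)")
    if is_session_cookie(c["name"]) and "httponly" not in c:
        issues.append("session cookie without HttpOnly (readable via document.cookie after XSS)")
    if c.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax/Strict (sent on cross-site requests)")
    return [f"{c['name']}: {msg}" for msg in issues]


def audit_response(set_cookie_headers: List[str]) -> List[str]:
    """Run audit_cookie over every Set-Cookie header of one response."""
    return [finding for h in set_cookie_headers for finding in audit_cookie(h)]


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding)
```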


Photo - sebastiaan stam - Unsplash

Another useful tool is Firefox Monitor. It tracks known data breaches and sends a notification when a registered address turns up in one, that is, when account data from some site has fallen into attackers' hands. Administrators can then act quickly, limit the damage, and make sure the incident does not repeat.


Source: https://habr.com/ru/post/459002/

