lpi2:apache-ssl [2018/08/10 10:46] ingo_wichmann [Debian ab 6.0] |
lpi2:apache-ssl [2020/04/14 07:58] |
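--- a/lpi2:apache-ssl
+++ b/lpi2:apache-ssl
@@ -1,265 +1,0 @@
-Todo: https://weakdh.org/sysadmin.html cipher list intregrieren ((
-<file>
-SSLProtocol all -SSLv2 -SSLv3
-
-SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
-
-SSLHonorCipherOrder on
-</file>
-))
-====== SSL / TLS für Apache ======
-===== Vorraussetzungen =====
-* [[apache]] installiert
-* [[ssl| SSL Zertifikat]] und Diffie-Hellman Parameter-Datei erstellt
-* Korrektes [[bind|DNS]] evtl. inkl. CAA Record
-* Korrekte [[zeitserver|Uhrzeiten]] auf allen Rechnern
-
-==== CAA Record ====
-CAA Records funktionieren mit bind erst ab Version [[https://kb.isc.org/article/AA-01210/0/BIND-9.9.6-Release-Notes.html|9.9.6]]
-
-für Wildcard Zertifikate:
-<file>
-example.com. CAA 0 issue "cacert.org"
-example.com. CAA 0 issuewild "cacert.org"
-example.com. CAA 0 issue "letsencrypt.org"
-example.com. CAA 0 issuewild "letsencrypt.org"
-</file>
-===== Zertifikate, Anträge und Schlüssel an die passenden Stellen kopieren =====
-==== Debian (ab 8.0) ====
-cd /etc/ssl
-cp /root/server-ssl/servercert.pem certs/
-cp /root/server-ssl/serverkey.pem private/
-cp /home/ca/ca*/cacert.pem certs/
-cp /home/ca/ca*/cacert.pem /var/www/html/cacert.crt
-
-==== SuSE (12.3) ====
-cd /etc/apache2
-(( Bei älteren openSuSE Versionen:
-mkdir ssl.crt ssl.key ssl.csr
-))
-cp /root/server-ssl/servercert.pem ssl.crt/server.crt
-cp /root/server-ssl/serverkey.pem ssl.key/server.key
-cp /home/ca/ca*/cacert.pem ssl.crt/ca.crt
-cp /home/ca/ca*/cacert.pem /srv/www/htdocs/cacert.crt
-
-==== Centos 5 ====
-cd /etc/pki/tls
-cp /root/server-ssl/servercert.pem certs/server.crt
-cp /root/server-ssl/serverkey.pem private/server.key
-
-===== mit OpenSSL s_server testen ======
-TODO: noch nicht getestet
-
-cd /etc/ssl
-
-sudo -u www-data -g ssl openssl s_server -cert certs/servercert.pem -key private/serverkey.pem -www
-firefox https://localhost
-
-sudo -u www-data -g ssl openssl s_server -cert certs/servercert.pem -key private/serverkey.pem -WWW
-firefox https://localhost/certs/cacert.pem
-
-sslscan notebook05.linuxhotel.de
-testssl.sh notebook05.linuxhotel.de
-
-===== Apache konfigurieren =====
-==== SuSE ====
-cd /etc/apache2/vhosts.d/
-cp vhost-ssl.template notebook07.linuxhotel.de-ssl.conf
-
-''/etc/apache2/vhosts.d/notebook07.linuxhotel.de-ssl.conf'' : ( openSuSE 13.2 )
-<file>
-<VirtualHost _default_:443>
-DocumentRoot "/srv/www/htdocs"
-SSLEngine on
-SSLCertificateFile /etc/apache2/ssl.crt/server.crt
-SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
-SSLCaCertificateFile /etc/apache2/ssl.crt/ca.crt
-SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparams.pem
-</VirtualHost>
-</file>
-
-SSL Modul aktivieren: ( openSuSE 10.2 )
-a2enmod ssl
-
-Für SSLSessionCache (openSuSE 13.1)
-a2enmod mod_socache_shmcb
-
-SSL Flag aktivieren: ( SuSE open10.2 )
-a2enflag SSL
-
-Konfiguration prüfen:
-apache2ctl configtest
-httpd2 -S
-
-Dienst neu starten:
-/etc/init.d/apache2 restart
-
-==== Debian (ab 4.0) ====
-cd /etc/apache2/
-
-''/etc/apache2/ports.conf'' : ( Debian 4.0 - 7 )
-<file>
-NameVirtualHost *:80
-Listen 80
-
-<IfModule mod_ssl.c>
-# SSL name based virtual hosts are not yet supported, therefore no
-# NameVirtualHost statement here
-NameVirtualHost *:443
-Listen 443
-</IfModule>
-</file>
-''/etc/apache2/ports.conf'' : ( Debian 8.0 )
-<file>
-Listen 80
-
-<IfModule ssl_module>
-Listen 443
-</IfModule>
-</file>
-
-''/etc/apache2/sites-available/default-ssl.conf'' : ( Debian 8.0 )
-<file>
-<VirtualHost _default_:443>
-…
-SSLEngine on
-…
-SSLCertificateFile /etc/ssl/certs/servercert.pem
-…
-SSLCertificateKeyFile /etc/ssl/private/serverkey.pem
-…
-SSLCaCertificateFile /etc/ssl/ssl.crt/ca.crt
-…
-#Die folgende Zeile geht erst ab apache 2.4.8 und openssl 1.0.2:
-#SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparams.pem
-
-</VirtualHost>
-</file>
-
-SSL Modul aktivieren:
-a2enmod ssl
-
-SSL Konfiguration aktivieren:
-a2ensite default-ssl
-
-Konfiguration prüfen:
-apache2ctl configtest
-apache2ctl -S
-
-Dienst neu starten:
-/etc/init.d/apache2 restart
-
-==== CentOS 5 ====
-yum install mod_ssl
-''/etc/httpd/conf.d/ssl.conf'' :
-<file>
-SSLCertificateFile /etc/pki/tls/certs/server.crt
-SSLCertificateKeyFile /etc/pki/tls/private/server.key
-SSLCaCertificateFile /etc/ssl/ssl.crt/ca.crt
-SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparams.pem
-</file>
-
-/etc/init.d/httpd restart
-
-=== Konfiguration prüfen ===
-apachectl configtest
-apachectl -S
-
-===== SSLCaCertificateFile =====
-Für "offizielle" Zertifikate braucht man zusätzlich noch einen Eintrag für die CA: ''SSLCaCertificateFile''. Und zusätzlich bis Apache Version 2.4.8 ''SSLCertificateChainFile''. Was gebraucht wird und was die beiden Dateien enthalten sollte in der Dokumentation des Herausgebers (der CA) des Zertifikats stehen.
-((
-Mehr dazu:
-* http://stackoverflow.com/questions/1899983/difference-between-sslcacertificatefile-and-sslcertificatechainfile ))
-* http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcacertificatefile
-* http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile
-))
-
-===== Testen =====
-lsof -i :443
-openssl s_client -connect localhost:443 -showcerts
-
-====== SSL/TLS und name based virtual hosts ======
-Vorraussetzung: wie in [[ssl| SSL Zertifikat]] beschrieben eine CA erstellt
-===== Zertifikat =====
-//Dieser Schritt ist bei GnuTLS nicht nötig, da GnuTLS schon bei der Erstellung von Zertifikaten nach mehreren Domain-Namen fragt//
-==== Server-Zertifikat beantragen ====
-Als root:
-cd
-mkdir server-ssl
-cp -a /etc/ssl/openssl.cnf server-ssl/config
-
-Antrag und Schluessel fuer Server erzeugen:
-''server-ssl/config'' :
-<file>
-[req]
-
-req_extensions = v3_req
-
-[ v3_req ]
-subjectAltName=DNS:notebook07.linuxhotel.de,DNS:iw.linuxhotel.de
-</file>
-
-openssl req -new -newkey rsa:2048 -nodes -config server-ssl/config -keyout server-ssl/serverkey.pem -out server-ssl/serverreq.pem
-<file>
-Common Name (eg, YOUR name) []:notebook32.linuxhotel.de
-Email Address []:root@notebook32.linuxhotel.de
-</file>
-
-Pruefen ob Antrag und Schluessel ok sind:
-openssl req -in server-ssl/serverreq.pem -noout -verify -key server-ssl/serverkey.pem
-
-Antrag ansehen:
-openssl req -in server-ssl/serverreq.pem -noout -text | grep -A1 X509v3
-
-Antrag zum Nutzer ca kopieren:
-cp server-ssl/serverreq.pem /home/ca
-
-==== Als Nutzer ca Server-Zertifikat unterschreiben ====
-su - ca
-cp -a /etc/ssl/openssl.cnf ca.linuxhotel.de
-
-''ca.linuxhotel.de/openssl.cnf'' :
-<file>
-[ CA_default ]
-copy_extensions = copy
-x509_extensions = usr_cert
-
-[ usr_cert ]
-basicConstraints=CA:FALSE
-</file>
-
-openssl ca -in serverreq.pem -config ca.linuxhotel.de/openssl.cnf -out servercert.pem
-
-Zertifikat ansehen:
-openssl x509 -in servercert.pem -text | grep -A1 X509v3
-
-===== Apache Konfiguration =====
-==== Anfragen auf https:// umleiten ====
-a2enmod rewrite
-cd /etc/apache2
-''sites-available/default'' :
-<file>
-<IfModule mod_rewrite.c>
-RewriteEngine On
-RewriteCond %{HTTPS} !=on
-RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]
-</IfModule>
-</file>
-
-==== Alle virtual hosts umstellen ====
-''sites-available/default'' :
-<file>
-NameVirtualHost *:443
-<VirtualHost _default_:443>
-</file>
-
-''sites-available/*'' :
-<file>
-<VirtualHost *:443>
-</file>
-
-====== Dokumentation ======
-* [[ http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html | CentOS 5 ]]
-* [[ http://httpd.apache.org/docs/2.2/ssl | apache httpd und SSL/TLS]]
-* [[ http://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf | SSL und name based virtual hosts ]]
-* [[ http://en.wikipedia.org/wiki/Server_Name_Indication | Server Name Indication - Lösung für name based virtual hosts ]]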