Hier werden die Unterschiede zwischen zwei Versionen gezeigt.
lpi2:apache-ssl [2020/04/14 07:58] |
lpi2:apache-ssl [2022/12/23 15:40] (aktuell) |
||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
+ | Todo: https://ssl-config.mozilla.org/ benutzen | ||
+ | |||
+ | Todo: https://weakdh.org/sysadmin.html cipher list intregrieren (( | ||
+ | <file> | ||
+ | SSLProtocol all -SSLv2 -SSLv3 | ||
+ | |||
+ | SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA | ||
+ | |||
+ | SSLHonorCipherOrder on | ||
+ | </file> | ||
+ | )) | ||
+ | |||
+ | TODO: Let's encrypt von Apache selber machen lassen: https://httpd.apache.org/docs/2.4/mod/mod_md.html | ||
+ | |||
+ | ====== SSL / TLS für Apache ====== | ||
+ | ===== Vorraussetzungen ===== | ||
+ | * [[apache]] installiert | ||
+ | * [[ssl| SSL Zertifikat]] und Diffie-Hellman Parameter-Datei erstellt | ||
+ | * Korrektes [[bind|DNS]] evtl. inkl. CAA Record | ||
+ | * Korrekte [[zeitserver|Uhrzeiten]] auf allen Rechnern | ||
+ | |||
+ | ==== CAA Record ==== | ||
+ | Falls auf der Domain CAA Einträge hinterlegt sind, entweder die aktuelle CA ergänzen oder die Einträge entfernen: | ||
+ | dig CAA linuxhotel.de @141.1.1.1 | ||
+ | |||
+ | für Wildcard Zertifikate: | ||
+ | <file> | ||
+ | example.com. 0 IN CAA 0 issue "cacert.org" | ||
+ | example.com. 0 IN CAA 0 issuewild "cacert.org" | ||
+ | example.com. 0 IN CAA 0 issue "letsencrypt.org" | ||
+ | example.com. 0 IN CAA 0 issuewild "letsencrypt.org" | ||
+ | </file> | ||
+ | ===== Zertifikate, Anträge und Schlüssel an die passenden Stellen kopieren ===== | ||
+ | ==== Debian (ab 8.0) ==== | ||
+ | cd /etc/ssl | ||
+ | cp /root/server-ssl/servercert.pem certs/ | ||
+ | cp /root/server-ssl/serverkey.pem private/ | ||
+ | cp /home/ca/ca*/cacert.pem certs/ | ||
+ | cp /home/ca/ca*/cacert.pem /var/www/html/cacert.crt | ||
+ | |||
+ | ==== SuSE (12.3) ==== | ||
+ | cd /etc/apache2 | ||
+ | (( Bei älteren openSuSE Versionen: | ||
+ | mkdir ssl.crt ssl.key ssl.csr | ||
+ | )) | ||
+ | cp /root/server-ssl/servercert.pem ssl.crt/server.crt | ||
+ | cp /root/server-ssl/serverkey.pem ssl.key/server.key | ||
+ | cp /home/ca/ca*/cacert.pem ssl.crt/ca.crt | ||
+ | cp /home/ca/ca*/cacert.pem /srv/www/htdocs/cacert.crt | ||
+ | |||
+ | ==== Centos 5 ==== | ||
+ | cd /etc/pki/tls | ||
+ | cp /root/server-ssl/servercert.pem certs/server.crt | ||
+ | cp /root/server-ssl/serverkey.pem private/server.key | ||
+ | |||
+ | ===== mit OpenSSL s_server testen ====== | ||
+ | |||
+ | cd /etc/ssl | ||
+ | sudo -u www-data -g ssl openssl s_server -cert certs/servercert.pem -key private/serverkey.pem -www | ||
+ | firefox https://localhost:4433 | ||
+ | sudo -u www-data -g ssl openssl s_server -cert certs/servercert.pem -key private/serverkey.pem -WWW | ||
+ | firefox https://localhost:4433/certs/cacert.pem | ||
+ | |||
+ | TODO: noch nicht getestet: | ||
+ | sslscan notebook05.linuxhotel.de | ||
+ | testssl.sh notebook05.linuxhotel.de | ||
+ | |||
+ | |||
+ | Sicherheit überwachen lassen: https://siwecos.de/ | ||
+ | ===== Apache konfigurieren ===== | ||
+ | ==== SuSE ==== | ||
+ | cd /etc/apache2/vhosts.d/ | ||
+ | cp vhost-ssl.template notebook07.linuxhotel.de-ssl.conf | ||
+ | |||
+ | ''/etc/apache2/vhosts.d/notebook07.linuxhotel.de-ssl.conf'' : ( openSuSE 13.2 ) | ||
+ | <file> | ||
+ | <VirtualHost _default_:443> | ||
+ | DocumentRoot "/srv/www/htdocs" | ||
+ | SSLEngine on | ||
+ | SSLCertificateFile /etc/apache2/ssl.crt/server.crt | ||
+ | SSLCertificateKeyFile /etc/apache2/ssl.key/server.key | ||
+ | SSLCaCertificateFile /etc/apache2/ssl.crt/ca.crt | ||
+ | SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparams.pem | ||
+ | </VirtualHost> | ||
+ | </file> | ||
+ | |||
+ | SSL Modul aktivieren: ( openSuSE 10.2 ) | ||
+ | a2enmod ssl | ||
+ | |||
+ | Für SSLSessionCache (openSuSE 13.1) | ||
+ | a2enmod mod_socache_shmcb | ||
+ | |||
+ | SSL Flag aktivieren: ( SuSE open10.2 ) | ||
+ | a2enflag SSL | ||
+ | |||
+ | Konfiguration prüfen: | ||
+ | apache2ctl configtest | ||
+ | httpd2 -S | ||
+ | |||
+ | Dienst neu starten: | ||
+ | /etc/init.d/apache2 restart | ||
+ | |||
+ | ==== Debian (ab 4.0) ==== | ||
+ | cd /etc/apache2/ | ||
+ | |||
+ | ''/etc/apache2/ports.conf'' : ( Debian 4.0 - 7 ) | ||
+ | <file> | ||
+ | NameVirtualHost *:80 | ||
+ | Listen 80 | ||
+ | |||
+ | <IfModule mod_ssl.c> | ||
+ | # SSL name based virtual hosts are not yet supported, therefore no | ||
+ | # NameVirtualHost statement here | ||
+ | NameVirtualHost *:443 | ||
+ | Listen 443 | ||
+ | </IfModule> | ||
+ | </file> | ||
+ | ''/etc/apache2/ports.conf'' : ( Debian 8.0 ) | ||
+ | <file> | ||
+ | Listen 80 | ||
+ | |||
+ | <IfModule ssl_module> | ||
+ | Listen 443 | ||
+ | </IfModule> | ||
+ | </file> | ||
+ | |||
+ | ''/etc/apache2/sites-available/default-ssl.conf'' : ( Debian 8.0 ) | ||
+ | <file> | ||
+ | <VirtualHost _default_:443> | ||
+ | … | ||
+ | SSLEngine on | ||
+ | … | ||
+ | SSLCertificateFile /etc/ssl/certs/servercert.pem | ||
+ | … | ||
+ | SSLCertificateKeyFile /etc/ssl/private/serverkey.pem | ||
+ | … | ||
+ | SSLCaCertificateFile /etc/ssl/ssl.crt/ca.crt | ||
+ | … | ||
+ | #Die folgende Zeile geht erst ab apache 2.4.8 und openssl 1.0.2: | ||
+ | #SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparams.pem | ||
+ | |||
+ | </VirtualHost> | ||
+ | </file> | ||
+ | |||
+ | SSL Modul aktivieren: | ||
+ | a2enmod ssl | ||
+ | |||
+ | SSL Konfiguration aktivieren: | ||
+ | a2ensite default-ssl | ||
+ | |||
+ | Konfiguration prüfen: | ||
+ | apache2ctl configtest | ||
+ | apache2ctl -S | ||
+ | |||
+ | Dienst neu starten: | ||
+ | service apache2 restart | ||
+ | |||
+ | ==== CentOS 5 ==== | ||
+ | yum install mod_ssl | ||
+ | ''/etc/httpd/conf.d/ssl.conf'' : | ||
+ | <file> | ||
+ | SSLCertificateFile /etc/pki/tls/certs/server.crt | ||
+ | SSLCertificateKeyFile /etc/pki/tls/private/server.key | ||
+ | SSLCaCertificateFile /etc/ssl/ssl.crt/ca.crt | ||
+ | SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparams.pem | ||
+ | </file> | ||
+ | |||
+ | /etc/init.d/httpd restart | ||
+ | |||
+ | === Konfiguration prüfen === | ||
+ | apachectl configtest | ||
+ | apachectl -S | ||
+ | |||
+ | ===== SSLCaCertificateFile ===== | ||
+ | Für "offizielle" Zertifikate braucht man zusätzlich noch einen Eintrag für die CA: ''SSLCaCertificateFile''. Und zusätzlich bis Apache Version 2.4.8 ''SSLCertificateChainFile''. Was gebraucht wird und was die beiden Dateien enthalten sollte in der Dokumentation des Herausgebers (der CA) des Zertifikats stehen. | ||
+ | (( | ||
+ | Mehr dazu: | ||
+ | * http://stackoverflow.com/questions/1899983/difference-between-sslcacertificatefile-and-sslcertificatechainfile )) | ||
+ | * http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcacertificatefile | ||
+ | * http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile | ||
+ | )) | ||
+ | |||
+ | ===== Testen ===== | ||
+ | lsof -i :443 | ||
+ | openssl s_client -connect localhost:443 -showcerts | ||
+ | |||
+ | ====== SSL/TLS und name based virtual hosts ====== | ||
+ | Vorraussetzung: wie in [[ssl| SSL Zertifikat]] beschrieben eine CA erstellt | ||
+ | ===== Zertifikat ===== | ||
+ | //Dieser Schritt ist bei GnuTLS nicht nötig, da GnuTLS schon bei der Erstellung von Zertifikaten nach mehreren Domain-Namen fragt// | ||
+ | ==== Server-Zertifikat beantragen ==== | ||
+ | Als root: | ||
+ | cd | ||
+ | mkdir server-ssl | ||
+ | cp -a /etc/ssl/openssl.cnf server-ssl/config | ||
+ | |||
+ | Antrag und Schluessel fuer Server erzeugen: | ||
+ | ''server-ssl/config'' : | ||
+ | <file> | ||
+ | [req] | ||
+ | |||
+ | req_extensions = v3_req | ||
+ | |||
+ | [ v3_req ] | ||
+ | subjectAltName=DNS:notebook07.linuxhotel.de,DNS:iw.linuxhotel.de | ||
+ | </file> | ||
+ | |||
+ | openssl req -new -newkey rsa:2048 -nodes -config server-ssl/config -keyout server-ssl/serverkey.pem -out server-ssl/serverreq.pem | ||
+ | <file> | ||
+ | Common Name (eg, YOUR name) []:notebook32.linuxhotel.de | ||
+ | Email Address []:root@notebook32.linuxhotel.de | ||
+ | </file> | ||
+ | |||
+ | Pruefen ob Antrag und Schluessel ok sind: | ||
+ | openssl req -in server-ssl/serverreq.pem -noout -verify -key server-ssl/serverkey.pem | ||
+ | |||
+ | Antrag ansehen: | ||
+ | openssl req -in server-ssl/serverreq.pem -noout -text | grep -A1 X509v3 | ||
+ | |||
+ | Antrag zum Nutzer ca kopieren: | ||
+ | cp server-ssl/serverreq.pem /home/ca | ||
+ | |||
+ | ==== Als Nutzer ca Server-Zertifikat unterschreiben ==== | ||
+ | su - ca | ||
+ | cp -a /etc/ssl/openssl.cnf ca.linuxhotel.de | ||
+ | |||
+ | ''ca.linuxhotel.de/openssl.cnf'' : | ||
+ | <file> | ||
+ | [ CA_default ] | ||
+ | copy_extensions = copy | ||
+ | x509_extensions = usr_cert | ||
+ | |||
+ | [ usr_cert ] | ||
+ | basicConstraints=CA:FALSE | ||
+ | </file> | ||
+ | |||
+ | openssl ca -in serverreq.pem -config ca.linuxhotel.de/openssl.cnf -out servercert.pem | ||
+ | |||
+ | Zertifikat ansehen: | ||
+ | openssl x509 -in servercert.pem -text | grep -A1 X509v3 | ||
+ | |||
+ | ===== Apache Konfiguration ===== | ||
+ | ==== Anfragen auf https:// umleiten ==== | ||
+ | a2enmod rewrite | ||
+ | cd /etc/apache2 | ||
+ | ''sites-available/default'' : | ||
+ | <file> | ||
+ | <IfModule mod_rewrite.c> | ||
+ | RewriteEngine On | ||
+ | RewriteCond %{HTTPS} !=on | ||
+ | RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L] | ||
+ | </IfModule> | ||
+ | </file> | ||
+ | |||
+ | ==== Alle virtual hosts umstellen ==== | ||
+ | ''sites-available/default'' : | ||
+ | <file> | ||
+ | NameVirtualHost *:443 | ||
+ | <VirtualHost _default_:443> | ||
+ | </file> | ||
+ | |||
+ | ''sites-available/*'' : | ||
+ | <file> | ||
+ | <VirtualHost *:443> | ||
+ | </file> | ||
+ | |||
+ | ====== Dokumentation ====== | ||
+ | * [[ http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html | CentOS 5 ]] | ||
+ | * [[ http://httpd.apache.org/docs/2.2/ssl | apache httpd und SSL/TLS]] | ||
+ | * [[ http://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf | SSL und name based virtual hosts ]] | ||
+ | * [[ http://en.wikipedia.org/wiki/Server_Name_Indication | Server Name Indication - Lösung für name based virtual hosts ]] | ||