SSL and TLS: Difference between revisions
m (Lollypop moved page SSL to SSL and TLS: Name not good)
No edit summary
Revision as of 11:46, 18 August 2015
==HTTPS==
===HSTS - HTTP Strict Transport Security===
<source lang=apache>
<VirtualHost <host>:443>
...
# Only on the :443 vhost: browsers ignore this header when it arrives over plain HTTP.
Header always set Strict-Transport-Security "max-age=31556926; includeSubDomains;"
...
</VirtualHost>
</source>
You need to enable the headers module (mod_headers) in Apache, otherwise the server refuses to start with "Invalid command 'Header'". On Ubuntu just do:
<source lang=bash>
$ sudo a2enmod headers
$ sudo service apache2 restart
</source>
The max-age is entered in seconds:
<source lang=bash>
$ bc -l
31556926/(60*60*24)
365.24219907407407407407
</source>
So this value is one year in seconds.
What changes when we set this header and the browser understands it? Once the browser has seen the header over a valid HTTPS connection, it remembers the host for max-age seconds (refreshed on every response that carries the header) and rewrites every http:// URL for that host to https:// before the request leaves the machine, whether the URL comes from a link on this page, a bookmark, or the address bar. The header is ignored when it arrives over plain HTTP, so the very first visit is only protected after the usual redirect to HTTPS has happened once. If the secure connection cannot be established because of certificate errors, the browser refuses to load the page and does not offer the usual click-through warning. If the header contains includeSubDomains, all subdomains are treated the same way, so every one of them must serve HTTPS with a valid certificate before you enable it.
Links:
* [https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HSTS at Wikipedia (English)]
* [https://de.wikipedia.org/wiki/Hypertext_Transfer_Protocol_Secure#HSTS HSTS at Wikipedia (German)]
===HPKP - HTTP Public Key Pinning===
Note: HPKP turned out to be too easy to lock yourself out with (a lost or rotated key without a matching backup pin shuts every returning visitor out for max-age seconds) and has since been removed from browsers (Chrome in 2019, Firefox in 2020). The setup below is kept as it was documented in 2015; a current deployment should send HSTS and monitor Certificate Transparency logs instead of pinning.
A helpful script to create the hashes was made by Hanno Böck and is accessible at Github.
I added a create option, which makes the script more comfortable for me; that version is at Github, too.
The public key pins for this site are created like this:
<source lang=bash>
# /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de
Generating RSA private key, 4096 bit long modulus
..................................................................................................................................................................................................................++
..........................................................................................................................................................................................++
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
..................................................++
..........................................++
e is 65537 (0x10001)
Header always set Strict-Transport-Security "max-age=31556926;"
Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";pin-sha256=\"O8xUszxHm+JJpRR4Pycl7LCnKjFpTY3REemrBxQZWQU=\";pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";"
</source>
At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins, both in Apache format. Check the output before pasting it: in the run above the third pin-sha256 is identical to the first, so the header carries only two distinct pins. That is the minimum, because a browser only honours the header if at least one pin matches the served certificate chain and at least one (the backup pin, made from one of the freshly generated RSA keys, which must be kept offline) does not.
<source lang=apache>
<VirtualHost lars.timmann.de:443>
...
SSLEngine On
# Only SSLv2/SSLv3 are switched off; TLS 1.0 and 1.1 were still acceptable in 2015 and should be disabled today as well.
SSLProtocol all -SSLv2 -SSLv3
# TLS-level compression off (CRIME).
SSLCompression off
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/timmann.de-wildcard.pem
SSLCertificateKeyFile /etc/apache2/ssl/timmann.de.ec-key
Header always set Strict-Transport-Security "max-age=31556926;"
# The third pin repeats the first, so only two distinct pins are actually sent.
Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";pin-sha256=\"9f3SRITO2UNdpnurhfJGLZqcaXJBUm3WRKRIKYiPARc=\";pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";"
...
</VirtualHost>
</source>
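To make the two header formats and their rules concrete, here is an added example for both the HSTS and the HPKP sections above. It is not code from this page, from Hanno Böck's script or from the create option; it is standard-library Python that computes a pin-sha256 value from a public key the same way the openssl pipeline does, and lints Strict-Transport-Security and Public-Key-Pins values against the rules of RFC 6797 and RFC 7469. The SPKI bytes are constructed (a P-256 wrapper around a made-up point, not a real key), the Public-Key-Pins value is the one hpkp-gen.sh printed above, so the lint reproduces the repeated-pin finding, and all function names are the example's own.

```python
"""Compute HPKP pin-sha256 values and sanity-check HSTS / HPKP header values.
Added example, not code from the wiki page or from hpkp-gen.sh. Stdlib only."""
import base64
import binascii
import hashlib
import re


def spki_pin_from_der(spki_der):
    """pin-sha256 as defined by RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin_from_pem(pem):
    """Same value from a 'BEGIN PUBLIC KEY' PEM block: that PEM is the SPKI DER,
    base64-encoded, which is what these openssl commands emit:
      openssl x509 -in cert.pem -pubkey -noout     # pin of the live certificate
      openssl pkey -in backup.key -pubout          # pin of an offline backup key
    """
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block in input")
    return spki_pin_from_der(base64.b64decode("".join(m.group(1).split())))


def parse_directives(value):
    """Split 'a=1; b; pin-sha256="x"' into (name, value) pairs. Names are
    case-insensitive; empty tokens (e.g. from a trailing ';') are ignored."""
    pairs = []
    for token in value.split(";"):
        token = token.strip()
        if token:
            name, _, val = token.partition("=")
            pairs.append((name.strip().lower(), val.strip().strip('"')))
    return pairs


def check_hsts(value):
    """Problems with a Strict-Transport-Security value (empty list = OK)."""
    pairs = parse_directives(value)
    names = [n for n, _ in pairs]
    ages = [v for n, v in pairs if n == "max-age"]
    if not ages:
        return ["max-age is required"]
    if any(names.count(n) > 1 for n in names):
        return ["a directive appears more than once"]
    if not ages[0].isdigit():
        return ["max-age must be a non-negative integer"]
    if int(ages[0]) == 0:
        return ["max-age=0 tells the browser to forget the HSTS entry"]
    return []


def is_valid_pin(pin):
    """A pin-sha256 value must be base64 of exactly 32 bytes."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (ValueError, binascii.Error):
        return False


def check_hpkp(value):
    """Problems with a Public-Key-Pins value (empty list = OK). The served chain is
    not available offline, so 'one pin in the chain, one backup outside it' is
    approximated by requiring at least two distinct pins."""
    pairs = parse_directives(value)
    pins = [v for n, v in pairs if n == "pin-sha256"]
    ages = [v for n, v in pairs if n == "max-age"]
    problems = []
    if len(ages) != 1 or not ages[0].isdigit():
        problems.append("exactly one integer max-age is required")
    bad = [p for p in pins if not is_valid_pin(p)]
    if bad:
        problems.append("not base64 SHA-256 digests: " + ", ".join(bad))
    distinct = set(pins)
    if len(distinct) < 2:
        problems.append("need at least two distinct pins (live + backup), got %d" % len(distinct))
    if len(distinct) != len(pins):
        problems.append("repeated pin(s): " + ", ".join(sorted(p for p in distinct if pins.count(p) > 1)))
    return problems


def apache_header_lines(hsts_max_age, pin_max_age, pins):
    """Render the two 'Header always set' lines in the format hpkp-gen.sh prints."""
    pin_part = "".join('pin-sha256=\\"%s\\";' % p for p in pins)
    return ['Header always set Strict-Transport-Security "max-age=%d;"' % hsts_max_age,
            'Header always set Public-Key-Pins "max-age=%d; %s"' % (pin_max_age, pin_part)]


# Constructed sample: P-256 SubjectPublicKeyInfo wrapper around a made-up point
# (not on the curve; only the DER bytes matter for the pin arithmetic).
SAMPLE_SPKI_DER = (bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
                   + b"\x04" + bytes(range(64)))
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(SAMPLE_SPKI_DER).decode("ascii")
              + "-----END PUBLIC KEY-----\n")

# The Public-Key-Pins value that hpkp-gen.sh printed on this page (third pin repeats the first).
PAGE_HPKP = ('max-age=5184000; '
             'pin-sha256="UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=";'
             'pin-sha256="O8xUszxHm+JJpRR4Pycl7LCnKjFpTY3REemrBxQZWQU=";'
             'pin-sha256="UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=";')

if __name__ == "__main__":
    print("sample pin:", spki_pin_from_pem(SAMPLE_PEM))
    print("HSTS:", check_hsts("max-age=31556926; includeSubDomains;") or "OK")
    print("HPKP:", check_hpkp(PAGE_HPKP) or "OK")
    live, backup = dict.fromkeys(v for n, v in parse_directives(PAGE_HPKP) if n == "pin-sha256")
    print("\n".join(apache_header_lines(31556926, 5184000, [live, backup])))
```

Running the script prints the lint result for the page's own Public-Key-Pins value (the repeated pin) and re-renders the two Apache lines with the two distinct pins only. To pin a real deployment, feed `spki_pin_from_pem` the output of `openssl x509 -pubkey -noout` for the live certificate and of `openssl pkey -pubout` for the offline backup key, and keep the backup private key off the web server.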