SSL and TLS

From Lolly's Wiki
Revision as of 11:46, 18 August 2015 by Lollypop (talk | contribs)
Jump to navigationJump to search

Kategorie: Security

HTTPS

HSTS - HTTP Strict Transport Security

<VirtualHost <host>:443>
    ...
    Header always set Strict-Transport-Security "max-age=31556926; includeSubDomains;"
    ...
</VirtualHost>

You need to enable the headers module in Apache. On Ubuntu just do:

# sudo a2enmod headers

The max-age is entered in seconds:

$ bc -l
31556926/(60*60*24)
365.24219907407407407407

So this value is a year as seconds.

What changes when we set this header and the browser understands it? The browser transforms any link on this page to https even if the link is a http link. If the secure connection cannot be established because of Certificate errors, the browser will refuse to load the page. If this header contains includeSubDomains; subdomains are treated like this as well.

Links:

HPKP - HTTP Public Key Pinning

A helpful script to create the hashes was made by Hanno Böck and is accessible at Github.

I added a create option which makes the script more comfortable for me at Github, too.

The public key pins for this site are created like this:

# /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de   
Generating RSA private key, 4096 bit long modulus
..................................................................................................................................................................................................................++
..........................................................................................................................................................................................++
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
..................................................++
..........................................++
e is 65537 (0x10001)
Header always set Strict-Transport-Security "max-age=31556926;"
Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";pin-sha256=\"O8xUszxHm+JJpRR4Pycl7LCnKjFpTY3REemrBxQZWQU=\";pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";"

At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format.

<VirtualHost lars.timmann.de:443>
    ...
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCompression off
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/timmann.de-wildcard.pem
    SSLCertificateKeyFile /etc/apache2/ssl/timmann.de.ec-key
    Header always set Strict-Transport-Security "max-age=31556926;"
    Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";pin-sha256=\"9f3SRITO2UNdpnurhfJGLZqcaXJBUm3WRKRIKYiPARc=\";pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";"
    ...
</VirtualHost>

You need to enable the headers module in Apache. On Ubuntu just do:

# sudo a2enmod headers