July 6, 2019 at 14:09How to configure HTTPS - SSL Configuration Generator will help
We’re talking about the SSL configuration tool that Mozilla developed.
Under the cut - about its capabilities and other utilities for setting up sites. Photos - Lai Man Nung - Unsplash
Before moving on to the story about the capabilities of the tool, let's talk about its purpose. When working with HTTPS, encryption is used in four cases : during key exchange, in SSL certificates , when sending messages and compiling a hash sum ( digest ).
Each of them uses different sets of algorithms, which the client and server agree on. They choose an asymmetric cipher for a “handshake,” a symmetric cipher for encoding messages, and a hashing algorithm for the digest.
For example, the ECDHE-ECDSA-CHACHA20-POLY1305 cipher suite means that the key exchange takes place according to the Diffie-Hellman protocol on elliptic curves ( ECDHE ). This uses ephemeral keys(disposable) to establish only one connection. The certification authority signed the certificate using the Elliptic Curve Digital Signature Algorithm ( ECDSA ), and the in-line ChaCha20 algorithm is used to encrypt messages . POLY1305, which computes a 16-byte authenticator , is responsible for their integrity .
A complete list of all available combinations of algorithms can be found on the Mozilla wiki page .
There are special tools on the network to configure the cryptographic methods used by the server. This functionality has SSL Configuration Generator , developed in Mozilla.
Mozilla offers three recommended configurations for servers using TLS:
For example, in the first case, the generator uses the AES128 / 256 encryption algorithm , the SHA256 / 384 hash algorithm, and the mode of operation of the symmetric block ciphers GCM . Here is an example of a cipher suite: TLS_AES_256_GCM_SHA384.
In the second case, the number of ciphers used is much larger, since many of them have been excluded from TLS 1.3 to increase security. Plus, the TLS 1.3 cipher suite does not describe the type of certificate and key exchange mechanism. Therefore, in the intermediate configuration there is a Diffie-Hellman protocol with ephemeral keys and RSA .
Based on these requirements, the SSL Configuration Generator builds a configuration file (OpenSSL). When building, you can choose the necessary server software: Apache, HAProxy, MySQL, nginx, PostgreSQL and five others. Here is an example of a modern configuration for Apache:
Generated configurations can be used in your project, you just need to edit the certificate and private key paths and load the settings. However, as one of the Hacker News residents says , it is important to pay attention to the server version in order to get the correct results. In particular, the output for nginx 1.0 and nginx 1.4 is significantly different. There is also an opinion that in some cases it will be necessary to manually correct part of the generated cipher suites in order to maintain backward compatibility and get high marks in the benchmarks for crawling sites.
There are several utilities in the Mozilla portfolio that can help you verify the reliability of a resource after configuring SSL.
The first is the Mozilla Observatory . Initially, the company developed a tool to check the security of its own domains. Now it is available to everyone along with the source code . Observatory scans sites for the most popular vulnerabilities, among them: potentially dangerous cookies , XSS vulnerabilities and redirects . After scanning the system gives a set of recommendations to improve the security of the Internet resource.
Photos - sebastiaan stam - Unsplash
Another useful tool - Firefox Monitor. It monitors the latest data leaks and sends notifications if information from any site fell into the hands of hackers. Thus, administrators get the opportunity to quickly take action, minimize damage and make sure that the story does not happen again in the future.
Under the cut - about its capabilities and other utilities for setting up sites. Photos - Lai Man Nung - Unsplash
Why do I need a generator
Before moving on to the story about the capabilities of the tool, let's talk about its purpose. When working with HTTPS, encryption is used in four cases : during key exchange, in SSL certificates , when sending messages and compiling a hash sum ( digest ).
Each of them uses different sets of algorithms, which the client and server agree on. They choose an asymmetric cipher for a “handshake,” a symmetric cipher for encoding messages, and a hashing algorithm for the digest.
For example, the ECDHE-ECDSA-CHACHA20-POLY1305 cipher suite means that the key exchange takes place according to the Diffie-Hellman protocol on elliptic curves ( ECDHE ). This uses ephemeral keys(disposable) to establish only one connection. The certification authority signed the certificate using the Elliptic Curve Digital Signature Algorithm ( ECDSA ), and the in-line ChaCha20 algorithm is used to encrypt messages . POLY1305, which computes a 16-byte authenticator , is responsible for their integrity .
A complete list of all available combinations of algorithms can be found on the Mozilla wiki page .
There are special tools on the network to configure the cryptographic methods used by the server. This functionality has SSL Configuration Generator , developed in Mozilla.
What is he like
Mozilla offers three recommended configurations for servers using TLS:
- Modern - for working with clients using TLS 1.3 without backward compatibility.
- Intermediate - Recommended configuration for most servers.
- Deprecated - access to the service is carried out using old clients or libraries, such as IE8, Java 6 or OpenSSL 0.9.8.
For example, in the first case, the generator uses the AES128 / 256 encryption algorithm , the SHA256 / 384 hash algorithm, and the mode of operation of the symmetric block ciphers GCM . Here is an example of a cipher suite: TLS_AES_256_GCM_SHA384.
In the second case, the number of ciphers used is much larger, since many of them have been excluded from TLS 1.3 to increase security. Plus, the TLS 1.3 cipher suite does not describe the type of certificate and key exchange mechanism. Therefore, in the intermediate configuration there is a Diffie-Hellman protocol with ephemeral keys and RSA .
Based on these requirements, the SSL Configuration Generator builds a configuration file (OpenSSL). When building, you can choose the necessary server software: Apache, HAProxy, MySQL, nginx, PostgreSQL and five others. Here is an example of a modern configuration for Apache:
# generated 2019-07-04, https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=modern
# requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
SSLEngine on
SSLCertificateFile /path/to/signed_cert_and_intermediate_certs
SSLCertificateKeyFile /path/to/private_key
# enable HTTP/2, if available
Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
# modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Generated configurations can be used in your project, you just need to edit the certificate and private key paths and load the settings. However, as one of the Hacker News residents says , it is important to pay attention to the server version in order to get the correct results. In particular, the output for nginx 1.0 and nginx 1.4 is significantly different. There is also an opinion that in some cases it will be necessary to manually correct part of the generated cipher suites in order to maintain backward compatibility and get high marks in the benchmarks for crawling sites.
What other utilities will help with site protection?
There are several utilities in the Mozilla portfolio that can help you verify the reliability of a resource after configuring SSL.
The first is the Mozilla Observatory . Initially, the company developed a tool to check the security of its own domains. Now it is available to everyone along with the source code . Observatory scans sites for the most popular vulnerabilities, among them: potentially dangerous cookies , XSS vulnerabilities and redirects . After scanning the system gives a set of recommendations to improve the security of the Internet resource.
Photos - sebastiaan stam - Unsplash
Another useful tool - Firefox Monitor. It monitors the latest data leaks and sends notifications if information from any site fell into the hands of hackers. Thus, administrators get the opportunity to quickly take action, minimize damage and make sure that the story does not happen again in the future.
Our publications from blogs and social networks:How to protect a virtual server on the Internet
Mobile-first indexing from July 1 - how to check your site?
How to evaluate storage performance on Linux: benchmarking using open tools