Installing Dual TLS Certificates and Running TLS
Steps Toward The Goal
On earlier pages I showed how to set up a
Google Compute Engine
virtual machine, run FreeBSD,
and set up a basic Apache/PHP web server.
Now let's set up HTTPS!
On this page I will:
1: Set up both RSA and ECC key pairs.
2: Obtain Let's Encrypt certificates for both.
3: Set up automatic renewal.
On the final page I will tune the Apache HTTP headers.
Why TLS?
TLS, the successor to SSL, authenticates a web server and provides confidentiality and integrity of the data.
Try Google Cloud Platform and receive $50In July 2018, Google's Chrome browser began marking HTTP pages as Not Secure. Google had warned the previous year that Chrome would eventually do this. Once Chrome does something, the other browsers quickly follow.
Google also announced back in 2014 that HTTPS already had a slight effect on a page's rank in search results, and the weight would probably increase. In other words, if you don't run HTTPS, you will be ranked lower in search results. Similarly, once Google's search algorithm starts doing something, the other search engines follow.
So, even if a web site is purely informational, you still want to set up TLS.
Public-Key Security
How RSA WorksAsymmetric cryptography, also called public-key cryptography, bases its security on a trapdoor function. That's a function that is easy to compute in one direction but enormously difficult to compute in the opposite direction. RSA, which was developed in the late 1970s, relies on the difficulty of factoring the product of two very large prime numbers.
It is easy to multiply integers, even ones with hundreds of digits, but it is impractically difficult to start with such a product and figure out which two large prime numbers went into it.
Peter Shor's initial publication of his algorithm, 1994 An update to Shor's original paper, 1995 Increasing the speed of Shor's algorithm, 1998Then people worried: what if someone develops a general-purpose quantum computer? Shor's Algorithm could quickly factor very large numbers if you have such a platform on which to run it.
Around this time, people were starting to use mobile devices for Internet access, but smart phones with fast multi-core CPUs had not yet appeared.
How ECC WorksSo, Elliptic Curve Cryptography or ECC suddenly became popular. Its trapdoor function is based on a discrete logarithm, entirely different from RSA's factoring. Analysis by NSA and NIST showed that ECC provides equal security with much smaller keys than RSA, requiring much less computation.
So, there were two advantages for ECC: much higher performance, and expected resistance to sudden obsolescence when quantum computers appear. Certificate authorities began issuing dual certificates for sites: one based on ECC which newer clients would prefer for performance, and RSA as a fall-back.
Since then, cryptographers have discovered that ECC will be slightly more susceptible than RSA to attack by quantum computers. But ECC still has a performance advantage.
Let's Encrypt
Let's Encrypt is a certificate authority founded by the Electronic Frontier Foundation, the Mozilla Foundation, the University of Michigan, Akamai Technologies, and Cisco Corporation.
The Let's Encrypt CA gives you a certificate that's good for 90 days. The short certificate lifetime makes automated renewal important.
FreeBSDand Linux
Package
Management
ACME,
the Automated Certificate Management Environment,
is a protocol for interacting with the Let's Encrypt CA.
You use the certbot program
to carry out the various steps.
Install the py37-certbot package
to get it.
Preparing to Create Key Pairs and Certificates
First, edit the OpenSSL configuration.
Edit the file /etc/ssl/openssl.cnf.
Search for the string v3_req
and make sure that this line isn't commented out:
req_extensions = v3_req
Search for the next instance of v3_req,
which will be a section header.
Again, uncomment it if needed.
[ v3_req ]
Add or uncomment a following subjectAltName
line in that section, and add a tlsfeature line.
Then, before the start of the next section, add a new
alt_name section in which you define
the alternative names you want included in your certificate.
The result should be something like the following,
my additions are highlighted:
[... many lines deleted ...] # Extensions to add to any X.509v3 certificate request [ v3_req ] # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment # Support multiple alternative names. subjectAltName = @alt_names # Support OCSP Must-Staple. tlsfeature = status_request [ alt_names ] DNS.1 = www.cromwell-intl.com DNS.2 = cromwell-intl.com DNS.3 = ftp.cromwell-intl.com [... many lines deleted ...]
The old way of supporting OCSP Must-Staple required a
cryptic line:
1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05
See
Scott Helm's site
for an explanation of the security advantages of
OCSP Must-Staple, and the meaning of the old syntax.
Creating the RSA Key Pair and Certificate
You can use the certbot command
to create an RSA key pair.
But it's unneccesarily confusing — the
renew subcommand actually creates a new
key pair rather than renewing anything.
And, we'll need to use the openssl command
to generate the elliptic-curve keys.
So, let's keep it simple.
Now, let's generate a 4096-bit RSA key pair.
The result goes into a file named rsa-privkey.pem.
The actual file names, including any dotted suffix,
don't actually matter.
But settle on some pattern that makes sense to you.
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \ -out rsa-privkey.pem
That file is commonly called the "private key file", although it contains much more — the modulus or public key, the public exponent, the private exponent, both primes, two exponent terms, and a coefficient. Check the results with this command:
# openssl rsa -noout -text \ -in rsa-privkey.pem | less RSA Private-Key: (4096 bit, 2 primes) modulus: [... 35 lines omitted ...] publicExponent: 65537 (0x10001) privateExponent: [... 35 lines omitted ...] prime1 [... 18 lines omitted ...] prime2: [... 18 lines omitted ...] exponent1: [... 18 lines omitted ...] exponent2: [... 18 lines omitted ...] coefficient: [... 17 lines omitted ...]
Now we'll create a
certificate-signing request or CSR.
It will ask us for some metadata —
two-character country code, state or province,
locality, and so on.
The result goes into a file named rsa-csr.pem.
# openssl req -new \ -key rsa-privkey.pem \ -out rsa-csr.pem
You could automate the process and avoid the interactive questions by defining a long Subject string on the command line. Note that you must escape embedded spaces. Here I'm leaving Organizational Unit empty, just "." for "OU".
# openssl req -new \ -key rsa-privkey.pem \ -subj "/C=US/ST=Indiana/L=West\ Lafayette/O=Cromwell\ International/OU=./CN=cromwell-intl.com/" -outform pem -out rsa-csr.pem
You can check the results with the following command.
Your should see what you intended in the Subject field
near the top, your multiple host names in the Subject
Alternative Name field, and the TLS Feature
status_request.
# openssl req -noout -text \ -in rsa-csr.pem | less
The Let's Encrypt certbot package creates a
directory structure.
On FreeBSD it's in /usr/local/etc/letsencrypt,
let's not fight with it.
It includes a subdirectory accounts where
you store your account information.
Let's put our private key file and certificate signing
request into their intended locations.
# mv rsa-privkey.pem /usr/local/etc/letsencrypt/keys # mv rsa-csr.pem /usr/local/etc/letsencrypt/csr
We'll get started on the elliptic-curve keys and then come back and ask for the certificates.
Creating the ECC Key Pairs
Now I will create an ECC private key and certificate.
You need a reasonably recent version of openssl.
See what yours is capable of:
$ openssl ecparam -list_curves | lessUnderstanding
Elliptic-Curve
Cryptography
I will use
elliptic curve P-384,
designated secp384r1.
That is the strongest elliptic curve included in
NSA Suite B cryptography, and therefore many people interpret
that to mean they should not use secp521r1.
Browsers support secp384r1,
but some of them no longer support secp521r1.
Also note that the NSA Suite B Cryptography and its
replacement the
Commercial National Security Algorithm Suite
have specified that Elliptic-Curve Diffie-Hellman
and Elliptic-Curve Digital Signature Algorithm
(ECDH and ECDSA) with curve P-384, designated
secp384r1, are adequate to protect
US National Security Systems information up to the
Top Secret level.
That's good enough for my purposes.
See the U.S. NIST SP 800-57
"Recommendation
for Key Management"
for the secp384r1 definition, and this
comparison of key lengths needed for approximately
equal resistance to brute-force attack:
| Security Strength |
Symmetric (3DES, AES) |
Asymmetric (RSA, DSA) |
Elliptic Curve |
| 80 | 80 | 1024 | 160 |
| 112 | 112 | 2048 | 224 |
| 128 | 128 | 3072 | 256 |
| 192 | 192 | 7680 | 384 |
| 256 | 256 | 15,360 | 521 |
Yes, that's 521 in the above table. Earlier versions of the document explicitly said "521". Its revision 5 instead says "512+". US NIST SP 800-56A lists these curves, defined in RFC 4492:
|
FIPS 186-4 SP 800-56A |
TLS / RFC 4492 SP 800-52 |
IPsec with IKEv2 RFC 5903 |
Strength (bits) |
| P-224 | secp224r1 | — | 112 |
| P-256 | secp256r1 | secp256r1 | 112–128 |
| P-384 | secp384r1 | secp384r1 | 112–192 |
| P-521 | secp521r1 | secp521r1 | 112–256 |
| K-233 | sect233k1 | — | 112–128 |
| K-283 | sect283k1 | — | 112–128 |
| K-409 | sect409k1 | — | 112–192 |
| K-571 | sect571k1 | — | 112–256 |
| B-233 | sect233r1 | — | 112–128 |
| B-283 | sect283r1 | — | 112–128 |
| B-409 | sect409r1 | — | 112–192 |
| B-571 | sect571r1 | — | 112–256 |
Qualys, also known as SSL Labs, provides a
browser test.
Scroll down to the "Protocol Features" section,
then within "Protocol Details" look for
"Named Groups".
On Chrome I see the following.
GREASE is an extension intended to detect
server compatability issues and drive their repair.
It's intentionally not a defined group.
See its description in
RFC 8701.
It is an
IETF draft standard.
It will be reported as tls_grease_caca
or similar, the last four characters hexadecimal in the form
*a*a.
Named Groups tls_grease_caca, x25519, secp256r1, secp384r1
On Firefox I see the following. Notice that Firefox still supports curve secp521r1:
Named Groups x25519, secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072
On the browser built into Android on my phone I see the same thing I see on Chrome:
Named Groups tls_grease_aaaa, x25519, secp256r1, secp384r1
On
lynx
I see:
Named Groups secp256r1, secp384r1, secp521r1, x25519, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
On Safari you see secp521r1 similar to Firefox
and Lynx, and GREASE similar to Chrome.
Named Groups tls_grease_1a1a, x25519, secp256r1, secp384r1, secp521r1
secp384r1
is the strongest curve supported by
all modern browser clients.
My server prefers the order:
ssl_ecdh_curve X25519:secp521r1:secp384r1;
It seems that a fleet of *.search.msn.com
indexing bots are about the only clients that use
secp384r1.
Let's generate a secp384r1 elliptic-curve key pair.
# openssl ecparam -genkey -name secp384r1 | \ openssl ec -out ecc-privkey.pem
You can check the results with this command:
# openssl ec -noout -text -in ecc-privkey.pem
Now I can generate the CSR:
# openssl req -new \ -key ecc-privkey.pem \ -subj "/C=US/ST=Indiana/L=West\ Lafayette/O=Cromwell\ International/OU=./CN=cromwell-intl.com/" -outform pem -out ecc-csr.pem
You can check the results.
Your should again see your intended Subject,
Alternative Names and status_request.
# openssl req -noout -text -in ecc-csr.pem
Now we'll store those files.
# mv ecc-privkey.pem /usr/local/etc/letsencrypt/keys # mv ecc-csr.pem /usr/local/etc/letsencrypt/csr
Organizing the Files
The certbot package created subdirectories
named archive and live,
and a subdirectory within each of those named
for my domain.
Some of that was created when I initially experimented
with the renew subcommand.
Here's how I ended up renaming, duplicating, and
repurposing those directories.
All of this is under the letsencrypt
directory, subdirectories under
/usr/local/etc/letsencrypt:
accounts/
My Let's Encrypt account definitions.
csrs/
Certificate Signing Request files.
keys/
Private key files.
ecc-live/cromwell-intl.com/
Elliptic-curve key and certificate files.
rsa-live/cromwell-intl.com/
RSA key and certificate files.
Plus several unused areas:
ecc-archive/
renewal/
renewal-hooks/
rsa-archive/
I copied the private key files into place.
# cp /usr/local/etc/letsencrypt/keys/ecc-privkey.pem \ /usr/local/etc/letsencrypt/ecc-live/cromwell-intl.com/privkey.pem # cp /usr/local/etc/letsencrypt/keys/rsa-privkey.pem \ /usr/local/etc/letsencrypt/rsa-live/cromwell-intl.com/privkey.pem
Now we're ready to create the certificates.
Creating the Certificates
I initially ran the certbot commands
and moved files around by hand.
Once I had it working, I created the following
script that cron runs every Friday morning:
#!/bin/sh
LOGFILE=/root/certbot-output
echo '' > $LOGFILE
for keytype in ecc rsa
do
echo "$keytype renewal ====================================" >> $LOGFILE
certbot certonly --non-interactive --webroot \
-w /usr/local/www/htdocs \
-d cromwell-intl.com -d www.cromwell-intl.com \
--email bob.cromwell@comcast.net \
--csr /usr/local/etc/letsencrypt/csr/${keytype}-csr.pem \
--agree-tos >> $LOGFILE 2>&1
echo "Installing files ===============================" >> $LOGFILE
STORAGE=/usr/local/etc/letsencrypt/${keytype}-live/cromwell-intl.com
# The certificate itself:
mv -fv 0000_cert.pem $STORAGE/cert.pem >> $LOGFILE
# The signing chain:
mv -fv 0000_chain.pem $STORAGE/chain.pem >> $LOGFILE
# The full chain including our certificate:
mv -fv 0001_chain.pem $STORAGE/fullchain.pem >> $LOGFILE
done
echo "Nginx restart =================================" >> $LOGFILE
pkill nginx ; sleep 3 ; pkill nginx
/usr/local/etc/rc.d/php-fpm stop >> $LOGFILE 2>&1
/usr/local/etc/rc.d/php-fpm start >> $LOGFILE 2>&1
/usr/local/nginx/sbin/nginx -t >> $LOGFILE 2>&1
/usr/local/nginx/sbin/nginx >> $LOGFILE 2>&1
Be careful developing your solution
You can only request 5 duplicate certificates per week. So, develop any scripts with the certificate renewals commented out, until you're pretty sure that it's going to work. See the rate limit documentation for details.
Enabling HTTPS
httpd.conf, the Apache configuration file,
contains the following:
# Put these directives at the global level: LoadModule ssl_module libexec/apache24/mod_ssl.so Listen 443 # Put these within individual VirtualHost stanzas # if you are hosting several sites on one server. <VirtualHost *:443> ServerName cromwell-intl.com SSLEngine on # ECC secp384r1 SSLCertificateFile "/usr/local/etc/letsencrypt/ecc-live/cromwell-intl.com/fullchain.pem" SSLCertificateKeyFile "/usr/local/etc/letsencrypt/ecc-live/cromwell-intl.com/privkey.pem" # RSA SSLCertificateFile "/usr/local/etc/letsencrypt/rsa-live/cromwell-intl.com/fullchain.pem" SSLCertificateKeyFile "/usr/local/etc/letsencrypt/rsa-live/cromwell-intl.com/privkey.pem" </VirtualHost>
Examining the Certificates
We can use the openssl tool to parse
and display the certificates.
I use PHP to run the command on the actual file
and insert the output here:
# openssl x509 -noout -text -in ecc-live/cromwell-intl.com/cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:72:ab:23:ea:1b:fc:93:63:a1:fd:5d:f6:1e:ff:66:e9:be
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Nov 7 07:40:11 2022 GMT
Not After : Feb 5 07:40:10 2023 GMT
Subject: CN = cromwell-intl.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:d2:ef:ad:da:c1:7e:4d:4b:72:49:cd:e2:d5:94:
94:79:4a:81:09:63:cd:7d:44:07:4e:c3:54:48:fc:
4b:f8:5c:d3:46:3e:54:a1:9a:e3:03:68:24:39:61:
6c:ac:a8:b6:d1:64:fd:2a:b9:af:79:b8:d5:ef:c0:
37:b4:82:28:9a:26:2b:0f:24:85:1f:77:28:9f:e1:
f3:ca:77:42:20:49:f7:8c:01:f1:aa:05:66:e4:99:
46:09:0a:ca:c4:7e:eb
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
5D:E6:23:16:41:3F:E9:A0:4B:42:52:12:10:6B:90:63:01:B4:87:94
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:alt.cromwell-intl.com, DNS:cromwell-intl.com, DNS:www.cromwell-intl.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
Timestamp : Nov 7 08:40:11.486 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:C3:BD:12:E0:D5:2B:C4:5B:C9:DD:71:
C0:38:85:AF:A3:BF:BE:FA:E1:C1:D3:45:F7:31:1B:00:
F5:0E:51:1B:60:02:21:00:EA:8D:0D:14:4A:EC:76:74:
1A:45:40:70:67:FD:E5:C3:B4:E5:79:DC:F0:CB:28:4F:
DB:34:01:BB:03:A0:AA:9A
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
Timestamp : Nov 7 08:40:11.989 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:82:D8:44:C9:96:26:7F:90:79:53:80:
F0:0F:A6:60:09:CE:AE:CE:B3:0E:6F:7B:05:42:40:CF:
AD:29:15:49:BB:02:20:01:BF:AF:83:34:96:ED:30:40:
35:E1:6B:42:E7:CE:E7:0B:0A:D1:62:85:4A:11:F9:06:
2B:4D:AD:9A:5A:C4:A9
TLS Feature:
status_request
Signature Algorithm: sha256WithRSAEncryption
3c:27:88:c2:88:c1:94:22:84:d7:a8:49:b6:53:e4:5a:6f:46:
9f:ec:fc:86:02:e7:5a:ee:1c:45:c4:9c:cc:62:64:f6:d5:90:
9e:d2:32:1a:0a:8a:8c:16:32:45:78:4f:db:fb:d3:27:5b:3f:
a2:6d:0f:80:8c:56:67:38:6a:45:c3:50:5c:42:e4:28:99:eb:
4e:af:91:62:0d:15:cc:4f:78:c0:2c:d0:97:84:c7:3a:65:87:
7a:bf:56:0a:58:e0:4d:af:66:82:f4:3b:e6:bf:3f:6d:1d:93:
f2:fc:a6:6d:06:a0:2b:5f:be:b2:ac:df:ec:d7:a7:ae:bc:11:
f9:57:5b:85:5a:f4:55:68:b3:8c:a2:40:40:73:49:3b:19:f5:
8b:e7:5e:eb:cb:de:c6:14:f5:05:a3:d5:7d:76:9a:3d:f5:f1:
c0:27:7d:e8:5e:54:27:f7:3d:44:d4:9a:dd:ab:cd:40:41:6c:
59:af:66:9b:45:e9:1f:b1:f9:1c:8b:0d:f0:a1:38:81:04:60:
2a:6b:b9:d2:c9:b2:52:d6:09:46:07:02:2d:ee:7d:e2:6a:db:
03:1e:66:4e:bc:07:2b:6f:9c:b6:3a:1a:aa:20:b0:08:2d:bd:
ea:88:88:f5:21:fa:72:28:18:1c:5c:1d:a7:75:e4:35:83:89:
39:6d:0f:92
# openssl x509 -noout -text -in rsa-live/cromwell-intl.com/cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:7f:88:5b:b9:3c:a1:a1:7a:77:14:7f:14:cf:32:ff:af:57
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Nov 7 07:40:14 2022 GMT
Not After : Feb 5 07:40:13 2023 GMT
Subject: CN = cromwell-intl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:af:55:1e:44:f3:ce:fc:53:19:61:e4:b9:c8:ef:
90:74:a6:67:ad:64:86:4d:f9:8b:2e:1b:33:0f:6f:
69:fc:0f:5f:f4:50:3c:12:17:9d:fd:82:8d:ce:f3:
65:31:b2:a0:bd:d8:2a:57:11:0f:6b:c7:9a:a8:c6:
1f:ff:e9:e5:63:0b:57:b4:b1:18:2f:d0:7c:36:12:
5a:e5:d0:88:34:be:ee:71:7c:e3:81:10:f5:6d:36:
da:db:01:f0:4c:1e:bc:de:3c:a2:6b:7e:2b:62:c8:
8a:59:c8:6d:46:39:f4:61:6c:f8:05:c5:8f:65:2d:
60:f4:c2:94:0e:88:05:d2:82:d7:df:27:ad:cf:20:
11:54:75:53:67:b5:b7:b1:b2:05:a1:6f:9c:48:e2:
45:35:41:6f:c3:7c:1e:f3:a6:c2:0f:c7:bb:4c:7e:
57:11:88:b7:78:2d:f1:4c:67:93:2c:07:58:1f:07:
09:90:45:5a:d9:2c:29:4c:0e:4c:45:67:ca:f4:99:
59:17:92:82:78:af:61:44:22:fe:92:01:19:73:14:
87:7b:93:8b:cb:29:a7:9c:fa:31:e1:10:fa:b9:95:
5d:dc:74:81:cf:22:67:1a:72:d1:bd:6c:32:fb:db:
17:70:be:61:c0:3e:9e:4c:bb:da:e8:21:54:c4:6b:
21:e9:49:e7:d0:3b:b9:b8:ff:b6:ad:84:7f:86:63:
86:8e:31:55:2c:0a:3f:0b:cb:cc:b9:2c:01:49:bf:
16:27:97:b9:31:67:2d:93:40:2b:51:e7:d2:47:00:
11:88:0f:25:a9:8c:bb:96:c9:e0:8a:19:55:f7:f4:
2f:db:31:f8:9f:fc:9e:14:e2:62:6f:d8:c7:ea:2b:
fd:db:17:a4:9d:7a:4f:d1:0f:88:be:c8:72:c0:be:
85:a2:d7:aa:cb:04:1d:41:25:96:3d:58:40:f1:0f:
77:54:5d:23:2a:16:b8:3d:b1:b3:06:18:3f:5e:d9:
f4:a7:1d:9d:89:42:82:cc:e2:b1:44:26:7f:76:75:
15:d8:f0:a1:48:d2:b9:d7:df:d7:c4:79:1d:30:87:
11:22:a7:90:86:59:65:04:6d:fa:5c:1a:5b:a1:f9:
13:1f:33:53:18:4b:57:31:13:9e:37:56:97:38:8d:
2c:6f:ec:7e:a0:1c:3f:6e:63:de:c9:cf:dd:25:04:
f7:24:3c:f9:22:98:67:e8:fe:b0:a0:2a:ca:60:47:
35:f9:3d:52:a7:65:20:45:b0:f1:51:a0:2d:27:6a:
9a:9d:c2:a4:d1:2d:4d:16:68:aa:1c:63:b1:0c:13:
0f:0b:16:11:f2:b6:5f:e1:70:73:ca:3c:e1:5a:f0:
b5:18:8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
4A:06:EC:9A:B3:72:B4:9D:A3:EA:21:21:6A:19:69:41:2F:D3:33:7D
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:alt.cromwell-intl.com, DNS:cromwell-intl.com, DNS:www.cromwell-intl.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
Timestamp : Nov 7 08:40:14.554 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:0A:5D:89:30:C0:BD:54:65:CF:0D:E3:6C:
C7:1B:B5:48:97:C3:CD:08:21:34:19:E3:2D:55:4E:0B:
02:5B:FF:D1:02:20:48:EE:F3:BB:F2:28:6D:DC:D3:ED:
AA:7E:25:68:22:E4:69:77:11:13:0D:7A:E0:C2:85:D1:
AD:DD:EE:E8:36:87
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
Timestamp : Nov 7 08:40:14.591 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:6D:F6:4F:3F:6A:38:ED:E0:10:43:36:C5:
63:03:21:4F:6B:CD:C4:C3:8F:FC:3D:9B:A1:C5:BA:7A:
B0:C0:99:E3:02:20:35:18:B8:2B:4F:A1:38:AF:A0:B8:
7B:EC:36:21:8A:58:E4:4F:15:8A:60:55:79:E8:DE:2E:
12:6E:06:20:D5:D6
TLS Feature:
status_request
Signature Algorithm: sha256WithRSAEncryption
91:c0:51:cd:9e:fa:20:c5:17:b8:34:8a:04:fe:91:f8:26:c5:
fc:13:68:27:09:34:2e:36:90:ea:ad:4b:05:5d:6a:80:4d:02:
f6:fd:e1:80:c8:77:dc:59:0c:2f:67:f8:a5:8e:af:ed:25:a8:
30:61:75:bf:79:ed:36:8b:38:d6:b8:16:84:0a:ce:66:c7:c9:
89:29:f9:1b:68:23:00:f5:2b:81:80:ab:f6:74:e3:0c:ca:f6:
f3:0f:a1:44:b8:49:19:82:dd:82:3b:d4:c7:c6:81:d2:35:1b:
d1:ac:35:19:ba:24:69:67:f1:34:af:54:c1:e5:bd:dd:d9:cb:
30:88:fb:e1:f9:a7:62:cf:e4:92:dc:a5:79:2d:e7:3b:36:cb:
03:86:7f:fa:63:d9:02:f8:07:63:6d:53:87:3d:e2:fb:ae:1e:
6c:b3:f8:41:2c:60:97:f2:6b:d4:0c:3d:40:03:b0:83:cb:c6:
f4:f7:72:6d:bc:81:fb:04:37:35:30:f5:c4:11:a4:b1:91:33:
01:9a:37:c7:9c:01:77:f1:24:e5:2b:77:6f:56:91:d1:67:bd:
e0:d3:29:5e:96:c5:0c:56:4c:7b:74:b1:f2:7e:c9:b3:24:4b:
77:a5:12:47:26:d6:e8:ac:4a:37:1b:e8:97:8d:cc:f0:ed:c1:
bc:36:ad:28
Initial Test
Restart Apache and verify that you can connect with both HTTP and HTTPS.
You could run a Qualys server test, but at this point it would probably get a "B" grade at best. We will tune the configuration, but first let's set up redirection.
Redirect to HTTPS and Remove "www."
The goal is to accept all connections, redirecting all
of these:
http://cromwell-intl.com/some/path/
http://www.cromwell-intl.com/some/path/
https://www.cromwell-intl.com/some/path/
to this:
https://cromwell-intl.com/some/path/
Add the following to your .htaccess file
in the root of the web site.
Bold shows additions here.
Don't duplicate the RewriteEngine line.
# Do NOT duplicate the following line if it # already exists earlier in the file. RewriteEngine on # Remove "www." and redirect HTTP to HTTPS # Use a standard variable and a tagged regular expression to # replace the URL with "https://", the host name, and the # path minus any leading "www.": RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC] RewriteRule ^(.*)$ https://%1/$1 [R=301,L] # If they asked for the non-www name but with HTTP, # build a new HTTPS URL with the host name and path: RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] # We added the following in an earlier step. # If the client asks for a non-existent *.html file, rewrite it so # the bad name isn't passed to the PHP engine causing a "Primary script # unknown" log entry and a plain "File not found" page. RewriteCond %{REQUEST_FILENAME} \.html$ RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-f RewriteRule (.*) - [H=text/html]
Yes, I did the redirection with the site-specific
.htaccess file.
I could have instead done it with slightly different syntax
in the server-wide httpd.conf configuration file.
For the single site, given its size and traffic, I didn't
see a big advantage of one method over the other.
Now test all combinations of the redirections: http vs https, www. vs not, and include requests for nonexistent files and directories.
Improving the TLS Configuration
Mozilla Config Generator Apache SSL HowtoApache has a good SSL/TLS how-to document. Even more useful, Mozilla has a configuration generator. You select your server, its version, and your OpenSSL versions, and then you select the security profile.
Which security profile should you use? It depends...
Let's say you're setting up a server for use within your organization, and you have full control of the desktop systems and any portable laptops that could be used to connect in from outside. I recommend the strictest "Modern" profile for that case. All your client machines will need to be fairly current, but that should already be the case.
However, let's say that you want to be open to most all clients from the public. That's my situation. I have ads on my site. While it would be nice if everyone used up-to-date operating systems and browsers, I don't want to block or even inconvenience people with somewhat outdated platforms.
I used the "Intermediate" profile as a starting point.
Here is what I added toward the end of the
httpd.conf configuration file,
before and outside the VirtualHost stanza,
so it will apply to all virtually hosted web
sites I eventually set up on this server.
The cipher suite is usually one enormously long line
with no whitespace.
That's hard to read and much harder to modify,
so I prefer to split it across multiple lines.
Just make sure each backslash is the last character
on its line.
# TLS only, no SSL SSLProtocol all -SSLv2 -SSLv3 # Specify ciphers in a preferred order. I reordered what the configuration # generator gave me, putting better ciphers first. SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:\ ECDHE-RSA-CHACHA20-POLY1305:\ ECDHE-ECDSA-AES256-GCM-SHA384:\ ECDHE-RSA-AES256-GCM-SHA384:\ DHE-RSA-AES256-GCM-SHA384:\ ECDHE-ECDSA-AES128-GCM-SHA256:\ ECDHE-RSA-AES128-GCM-SHA256:\ DHE-RSA-AES128-GCM-SHA256:\ ECDHE-ECDSA-AES256-SHA384:\ ECDHE-ECDSA-AES128-SHA256:\ ECDHE-ECDSA-AES256-SHA:\ ECDHE-ECDSA-AES128-SHA:\ ECDHE-RSA-AES256-SHA384:\ ECDHE-RSA-AES128-SHA256:\ ECDHE-RSA-AES256-SHA:\ ECDHE-RSA-AES128-SHA:\ DHE-RSA-AES256-SHA256:\ DHE-RSA-AES128-SHA256:\ DHE-RSA-AES256-SHA:\ DHE-RSA-AES128-SHA:\ AES256-GCM-SHA384:\ AES128-GCM-SHA256:\ AES256-SHA256:\ AES128-SHA256:\ AES256-SHA:\ AES128-SHA:\ ECDHE-ECDSA-DES-CBC3-SHA:\ ECDHE-RSA-DES-CBC3-SHA:\ EDH-RSA-DES-CBC3-SHA:\ DES-CBC3-SHA:\ !DSS SSLHonorCipherOrder on # Disable compression and session tickets SSLCompression off SSLSessionTickets off # Enable OCSP Stapling LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so SSLUseStapling On SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" # Enable session resumption (caching). # However do not use large values. Large advertisers like # Google and Facebook use that to track users. Your site will # look suspicious if it does this. See, for example: # https://www.zdnet.com/article/advertisers-can-track-users-across-the-internet-via-tls-session-resumption/ # 300 seconds (5 minutes) seems reasonable. That's actually the # default, no need to specify that, but here's the syntax. SSLSessionCache "shmcb:logs/ssl_scache" SSLSessionCacheTimeout 300 # Insist on HSTS or HTTP Strict Transport Security Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
And with that, an A+ evaluation from the Qualys analyzer:
The server supports 3DES as a fallback position if none of the stronger ciphers are supported. That allows connections from IE 8 on XP. While 3DES is flagged in the report as weak, at least at the time that I did this it did not lower the score. Unlike RC4, which capped the grade at B at the time.
DNS CAA or Certification Authority Authorization provides a way to indicate in a DNS record just who is allowed to be a CA for the site. See this Qualys blog for details on what CAA is, and how the CA/Browser Forum has mandated its use.
Google Domains did not yet support CAA records when I started this project in July 2017, as you can see below. Google Cloud DNS, a different product, did.
By February 2018, they had added CAA records:
Let's test it:
$ dig @localhost cromwell-intl.com CAA
; <<>> DiG 9.10.6-P1 <<>> @localhost cromwell-intl.com CAA
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26186
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cromwell-intl.com. IN CAA
;; ANSWER SECTION:
cromwell-intl.com. 3570 IN CAA 128 issue "letsencrypt.org"
;; AUTHORITY SECTION:
cromwell-intl.com. 78163 IN NS ns-cloud-c1.googledomains.com.
cromwell-intl.com. 78163 IN NS ns-cloud-c4.googledomains.com.
cromwell-intl.com. 78163 IN NS ns-cloud-c3.googledomains.com.
cromwell-intl.com. 78163 IN NS ns-cloud-c2.googledomains.com.
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Feb 14 14:44:24 EST 2018
;; MSG SIZE rcvd: 198
What About SMTP/S?
To test your SMTP/S server, use the excellent CheckTLS SMTP/S Test.
Final Step
I was very happy with this result! There are just a few more things to do.
Proceed to the final step to see how to tune the HTTP(S) headers.