Random musings on SSL/TLS
by Cyrus Dasadia (@ExtremeUnix)
Reason for configuring SSL 
Identity 
Confidentiality/Privacy 
Integrity
Secure my application 
Step 1: Create CSR 
Step 2: Buy / Self-sign a SSL Certificate 
Step 3: Configure Apache/Nginx web-server 
Step 4: Security Accomplished!!
Thank you! 
Questions?
You were mostly wrong 
Cipher suites ? 
OpenSSL on system/application? 
Certificate Key? 
TLS version supported?
SSL == TLS
SSL ≠ TLS, or is it?
Netscape created SSL as a product.
SSL v1.0 - ??
SSL v2.0 - 1995
SSL v3.0 - 1996
TLS came as a standard.
TLS v1.0 - 1999
TLS v1.1 - 2006
TLS v1.2 - 2008
TLS v1.3 - draft
SSL/TLS connection
X.509 
Hostname validation certs 
Extended validation certs
Protocol Versions 
● Disable SSL v2.0 
● Avoid SSL v3.0 
● Disable TLS compression (removed in TLS 1.3)
● Highest priority to TLS 1.2
Ciphers 
Plain text 
Key 
SupaCipher
Encrypted Text
Ciphers: TLS 
Symmetric 
Block chaining 
Recommended AES128 with GCM (Galois/Counter Mode)
Ciphers: TLS 
Avoid these ciphers: 
DES 
EXP-* 
RC4
KeyExchange 
RSA: Fast but no forward secrecy. 
DHE: Forward secrecy but not fast enough. 
ECDHE: Fast and forward secrecy
Let's see them in action
https://www.ssllabs.com/ssltest
Few takeaways: Keys 
● 1024 bits is asking for trouble 
● 2048 bits minimal viable 
● 4096 good standard 
● Switch to ECDSA in future!
Few takeaways: Keys 
Generating ECDSA keys: 
256 bit key:
openssl ecparam -name prime256v1 -genkey -out my.key
512 bit key:
openssl ecparam -name secp521r1 -genkey -out my.key
Few takeaways: Choosing a CA 
● At least supports Certificate Revocation List (CRL)
● Supports Online Certificate Status Protocol (OCSP) 
● Accept trustiness of your Country/Corp CA
Few takeaways: Renegotiation 
Disable Client Initiated Renegotiation 
Apache: 
Nginx:
Few takeaways: Performance 
● Enable session resumption 
● Keep-Alive is your friend 
● Cache-Control: public
Few takeaways: Security bits 
● Ensure 3rd party CDNs use SSL
● Do not mix connection types
Few takeaways: Security bits 
Enable HSTS (HTTP Strict Transport Security) if possible.
Apache (mod_headers):
Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"
nginx (mod_headers):
add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";
Few takeaways: Security bits
Apache:
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
courtesy: @hynek
Few takeaways: Security bits
nginx:
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
courtesy: @hynek
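Added example, not part of the original slides: a small Python audit that checks Apache/nginx protocol and cipher directives against the rules on the "Protocol Versions" and "Ciphers: TLS" slides. The function names, the expansion assumed for "ALL" and the WEAK sample are assumptions made for illustration; run on the two configurations above, it reports that both still leave SSLv3 enabled.

```python
import re

BAD_PROTOCOLS = {"SSLv2", "SSLv3"}  # slides: disable SSLv2, avoid SSLv3
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumed meaning of "ALL"

def enabled_protocols(tokens):
    """Resolve an Apache/nginx protocol list (ALL, +X, -X, X) to a set."""
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def weak_entries(cipher_string):
    """Entries of an OpenSSL cipher string that add DES, EXP* or RC4."""
    weak = []
    for entry in cipher_string.split(":"):
        parts = re.split(r"[+-]", entry.lstrip("+"))
        single_des = "DES" in parts and "CBC3" not in parts  # DES-CBC3 is 3DES
        bad = single_des or "RC4" in parts or any(p.startswith("EXP") for p in parts)
        if bad and not entry.startswith(("!", "-")):  # "!" and "-" only remove
            weak.append(entry)
    return weak

def audit(config_text):
    """Check protocol and cipher directives against the slides' rules."""
    findings = []
    for line in config_text.splitlines():
        words = line.strip().rstrip(";").split()
        if len(words) < 2:
            continue
        directive, args = words[0], words[1:]
        if directive in ("SSLProtocol", "ssl_protocols"):
            for proto in sorted(enabled_protocols(args) & BAD_PROTOCOLS):
                findings.append(f"{directive}: {proto} enabled")
        elif directive in ("SSLCipherSuite", "ssl_ciphers"):
            findings += [f"{directive}: weak entry {e}" for e in weak_entries(args[-1])]
            if not args[-1].startswith(("ECDH", "EECDH")):
                findings.append(f"{directive}: ECDHE is not the first preference")
    return findings

# Cipher string and directives as on the slides; WEAK is a constructed sample.
SLIDE_CIPHERS = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
NGINX_SLIDE = f"ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers {SLIDE_CIPHERS};"
APACHE_SLIDE = f"SSLProtocol ALL -SSLv2\nSSLCipherSuite {SLIDE_CIPHERS}"
WEAK = "ssl_protocols SSLv2 TLSv1.2;\nssl_ciphers RC4-SHA:EXP-DES-CBC-SHA:DES-CBC3-SHA;"

if __name__ == "__main__":
    for cfg in (NGINX_SLIDE, APACHE_SLIDE, WEAK):
        print(audit(cfg))
```

3DES entries are not flagged because the slides list only DES, EXP-* and RC4.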
STARTTLS ≠ TLS
STARTTLS ≠ TLS 
Plain text communications viz. IMAP, POP, SMTP needed support for encrypted connections
STARTTLS ≠ TLS 
Simple solution, use a different port 
IMAP uses port 143, SSL/TLS port 993. 
POP uses port 110, SSL/TLS port 995. 
SMTP uses port 25, SSL/TLS port 465. 
and LDAP, XMPP, etc. 
But having 2 ports is just a waste of resources...
STARTTLS ≠ TLS 
STARTTLS can simply be called to upgrade a plaintext connection to TLS.
Summary 
Disable SSL v2.0 
Use ECDHE wherever possible 
Do not trust default pkgs
< Thank you >
