TLS

From Freephile Wiki
Latest revision as of 07:00, 16 October 2018

Transport Layer Security

This page is mainly about adding Transport Layer Security (TLS, still commonly referred to by the name of its predecessor, Secure Sockets Layer or SSL) to web servers such as Apache or nginx.

If you have a website or other online resources, you should be serving them over TLS. If you need help, call eQuality Technology. We can secure your site very quickly and very cost-effectively, using the highest grade security measures.

Security Check

Instantly check your site's security grade at https://www.ssllabs.com/ssltest/analyze.html (you can also append the domain name like so: ?d=equality-tech.com). Note that SSL Labs publishes results on its public boards by default; tick "Do not show the results on the boards" or append &hideResults=on to the URL if you would rather not advertise a weak grade while you are still fixing it.

Checking Ciphers

You can use nmap to port scan a host (do NOT do this on hosts you don't control: it's like poking a hornets' nest, you're not sure what's going to happen next but it could be bad). Use the invocation below to list the SSL/TLS protocol versions and cipher suites your host accepts. The description that follows is taken from the script's own documentation in /usr/share/nmap/scripts/ssl-enum-ciphers.nse (the usual path on Debian and Ubuntu; other platforms ship it in nmap's scripts directory).

This script repeatedly initiates SSL/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphers and compressors that a server accepts.

Each cipher is shown with a strength rating: one of strong, weak, or unknown strength. The output line beginning with Least strength shows the strength of the weakest cipher offered. If you are auditing for weak ciphers, you would want to look more closely at any port where Least strength is not strong. The cipher strength database is in the file nselib/data/ssl-ciphers, or you can use a different file through the script argument ssl-enum-ciphers.rankedcipherlist.

SSLv3/TLSv1 requires more effort to determine which ciphers and compression methods a server supports than SSLv2. A client lists the ciphers and compressors that it is capable of supporting, and the server will respond with a single cipher and compressor chosen, or a rejection notice.

This script is intrusive since it must initiate many connections to a server, and therefore is quite noisy.

nmap -p 443 --script ssl-enum-ciphers example.com

Restricting the scan to port 443 with -p keeps nmap from running the script against every open port it finds in its default port sweep; list more ports (for example -p 443,8443) if TLS is served elsewhere, and add -oX - if you want machine-readable output to feed into a report or an automated check.
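Once the scan has run, the "Least strength" line and the per-protocol cipher tables are what you actually audit. Below is an added Python example, not code from this page or from nmap, that reads the script's XML output (nmap -oX -) and emits findings for deprecated protocol versions, ciphers rated below A (or below "strong" in the older vocabulary the description above uses; current nmap prints letter grades A to F), non-NULL compression, and a least strength below A. The XML sample is constructed and trimmed, its element layout (one table per protocol version holding ciphers and compressors sub-tables, plus a "least strength" element) is assumed to match the script's structured output, and the policy thresholds are this example's assumptions rather than anything the page or nmap prescribes.

```python
"""Added example (not from the Freephile wiki page or from nmap): parse the XML
output of `nmap -oX - --script ssl-enum-ciphers` and turn the per-protocol
cipher tables and the "least strength" element into audit findings.
SAMPLE_XML is a constructed, trimmed report whose element layout is assumed to
follow the script's structured output."""
import sys
import xml.etree.ElementTree as ET

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Current nmap prints letter grades (A..F); older releases printed strong/weak/unknown strength.
ACCEPTABLE_STRENGTH = {"A", "strong"}

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p 443 -oX - --script ssl-enum-ciphers 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<script id="ssl-enum-ciphers" output="(text form omitted in this constructed sample)">
  <table key="TLSv1.0">
    <table key="ciphers">
      <table><elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">C</elem></table>
    </table>
    <table key="compressors"><elem>NULL</elem></table>
    <elem key="cipher preference">server</elem>
  </table>
  <table key="TLSv1.2">
    <table key="ciphers">
      <table><elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem><elem key="kex_info">secp256r1</elem><elem key="strength">A</elem></table>
      <table><elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem><elem key="kex_info">secp256r1</elem><elem key="strength">A</elem></table>
    </table>
    <table key="compressors"><elem>NULL</elem></table>
    <elem key="cipher preference">server</elem>
  </table>
  <elem key="least strength">C</elem>
</script>
</port></ports></host></nmaprun>
"""


def parse_ssl_enum_ciphers(xml_text):
    """Return one dict per (host, port) that carried ssl-enum-ciphers output."""
    entries = []
    for host in ET.fromstring(xml_text).iter("host"):
        address = host.find("address")
        addr = address.get("addr") if address is not None else "?"
        for port in host.iter("port"):
            for script in port.findall("script[@id='ssl-enum-ciphers']"):
                entry = {"addr": addr, "port": int(port.get("portid")),
                         "least_strength": script.findtext("elem[@key='least strength']"),
                         "protocols": {}}
                for proto in script.findall("table"):          # one table per protocol version
                    ciphers = [(c.findtext("elem[@key='name']"), c.findtext("elem[@key='strength']"))
                               for c in proto.findall("table[@key='ciphers']/table")]
                    compressors = [e.text for e in proto.findall("table[@key='compressors']/elem")]
                    entry["protocols"][proto.get("key")] = {"ciphers": ciphers, "compressors": compressors}
                entries.append(entry)
    return entries


def audit(entries):
    """Findings a reviewer would raise: old protocol versions, sub-A ciphers, compression, least strength."""
    findings = []
    for e in entries:
        where = f"{e['addr']}:{e['port']}"
        for proto, info in e["protocols"].items():
            if proto in DEPRECATED_PROTOCOLS:
                findings.append(f"{where} offers deprecated protocol {proto}")
            for name, strength in info["ciphers"]:
                if strength not in ACCEPTABLE_STRENGTH:
                    findings.append(f"{where} {proto} accepts {name} (strength {strength})")
            for comp in info["compressors"]:
                if comp != "NULL":      # TLS-level compression should never be enabled
                    findings.append(f"{where} {proto} enables TLS compression {comp}")
        if e["least_strength"] not in ACCEPTABLE_STRENGTH:
            findings.append(f"{where} least strength is {e['least_strength']}")
    return findings


if __name__ == "__main__":
    # Usage: nmap -p 443 -oX - --script ssl-enum-ciphers host | python3 audit_ciphers.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XML
    for line in audit(parse_ssl_enum_ciphers(text)) or ["no findings"]:
        print(line)
```

Parsing the XML rather than the human-readable text is deliberate: the text layout of the script's output has changed between nmap releases, while the structured table/elem form is what the -oX writer emits for every NSE script and is stable enough to build a recurring check on.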

Using Certbot, you can obtain, install and automatically renew your certificates; see the Certbot page for the details of our setup.

Resources

  1. Transport Layer Security (Wikipedia): https://en.wikipedia.org/wiki/Transport_Layer_Security
  2. https://wiki.mozilla.org/Security/Server_Side_TLS
  3. https://security.stackexchange.com/
  4. Apache docs: https://httpd.apache.org/docs/2.4/ssl/
  5. Ubuntu Server Guide - Certificates and Security: https://help.ubuntu.com/lts/serverguide/certificates-and-security.html
  6. TLS illustrated: https://tls.ulfheim.net/