Sergej Jakovljev explains how to setup different levels of security over SSL. What's the difference between different SSL certificates and how to set them up on NGINX, Heroku and Node.js.

1. SSL
Sergej Jakovljev

2. - PRF (pseudorandom function) key
- HMAC integrity checks
- AES cypher suite
SSL – Secure Socket Layer
http://www.jscape.com/blog/ssl-vs-tls-know-the-difference
TLS – Transport Layer Security
HTTPS – HTTP Secure

3. Zašto ne?
- Podrška
- Brzina
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
https://istlsfastyet.com
- Sigurnost
- Brzina https://www.httpvshttps.com
- Google (Search & AMP)
- Browser API
Zašto?
• Geolocation
• Device motion / orientation
• EME
• getUserMedia
• AppCache
• Notifications

4. https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/

5. CSR – Certificate Signing Request
Private key
CA – Certificate Authority
Root Certificate
Intermediate Certificate
Leaf Certificate

6. https://blog.cloudflare.com/introducing-cfssl/

7. Postupak izdavanja
1. Generiranje CSR (Certificate Signing Request)
2. Kupnja certifikata i slanje CA
3. Validacija i preuzimanje
4. Konfiguracija servera
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
• koji tip kupiti?
• gdje ga kupiti?
• validacije ovise o tipu certifikata
• uz certifikat je potrebno preuzeti i intemediate i root certifikat od CA

8. Tipovi certifikata
• potvrda organizacije
• sadrži papirologiju
• podaci o organizaciji u certifikatu
• plavo ime u nekim preglednicima
• izdaje se kroz 1-2 dana
Organization Validation (OV) Extended Validation (EV)Domain Validation (DV)
http://www.dailyhostnews.com/wp-content/uploads/2013/04/ssl-types.jpg
• enkripcija
• potvrda domene
• zeleni lokot
• dovoljno za Google
• izdaje se odmah
• striktna, standardizirana
provjera organizacije
• green bar
• izdaje se kroz 7-10 dana
Pokrivenost
Multiple domain WildcardSingle domain

10. • Besplatno
• Domain Validation (DV)
• Nema garancije
• Nema podrške
• Expiration 90 dana
• certbot

12. • Koriste poznate CA
• Nude sve tipove certifikata
• Podrška 0-24
• Traju do 39 mjeseci
• Garancija od 10,000$+
• Nude site seal

13. https://www.netnames.com/insights/blog/2013/01/a-whole-lot-of-trust-in-a-little-ssl-seal/

14. https://www.ssllabs.com/ssltest/

15. Izvori za većinu konfiguracije koja slijedi:
https://sanderknape.com/2016/06/getting-ssl-labs-rating-nginx/
https://juliansimioni.com/blog/https-on-nginx-from-zero-to-a-plus-part-2-configuration-ciphersuites-and-performance/

16. server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.stranica.com;
ssl_certificate /etc/ssl/certs/stranica.com.crt;
ssl_certificate_key /etc/ssl/private/stranica.com.key;
root /var/www/projekt/;
index index.php index.html index.htm default.html default.htm;

17. https://sanderknape.com/2016/06/getting-ssl-labs-rating-nginx/

18. server {
listen 80 default_server;
listen [::]:80 default_server;
server_name stranica.com;
return 301 https://www.stranica.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.stranica.com;
ssl_certificate /etc/ssl/certs/stranica.com.crt;
ssl_certificate_key /etc/ssl/private/stranica.com.key;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_dhparam /etc/nginx/cert/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/cert/stranica.trustchain.crt;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=31536000" always;
root /var/www/projekt/;
index index.php index.html index.htm default.html default.htm;

19. https://sanderknape.com/2016/06/getting-ssl-labs-rating-nginx/

20. https://blog.cloudflare.com/introducing-cfssl/

21. # put do certifikata i privatnog ključa
# obicno leaf + intermediate certifikati
ssl_certificate /etc/ssl/certs/stranica.com.cetrchain.crt;
ssl_certificate_key /etc/ssl/private/stranica.com.key;
# onemogućimo SSL
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# postavimo veličinu cachea i vrijeme trajanja sessiona
# kako bi izbjegli ponavljanje dugotrajnog TLS handshakea
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
cat stranica_com.crt stranica_com.ca-bundle > stranica.com.certchain.crt
CERTIFIKAT + INTERMEDIATE + ROOT

22. # server bira cyphere umjesto klijenta
ssl_prefer_server_ciphers on;
# omogući samo određene cyphere
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# za Diffie-Hellman Exchange koristi 2048 bit RSA ključ
ssl_dhparam /etc/nginx/cert/dhparam.pem;
openssl dhparam 2048 -out /etc/nginx/cert/dhparam.pem

23. Diffie–Hellman key exchangehttps://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange

24. OCSP StaplingOmogućuje da klijent dokaže valjanost certifikata
Klijent
CA
Server
Klijent
CA
Server

25. ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
# cijeli chain certifikata
# 1. potvrduje da je client certifikat dobar
# 2. za OCSP verifikaciju
ssl_trusted_certificate /etc/nginx/cert/stranica.trustchain.crt;
CERTIFIKAT + INTERMEDIATE + ROOT
cat stranica_com.crt stranica_com.ca-bundle > stranica.com.certchain.crt

26. # HSTS (HTTP Strict Transport Security)
# forsira korištenje SSL protokola, nepovratno!
add_header Strict-Transport-Security "max-age=31536000" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
hstspreload.org

27. # instancirajjos jedan server koji redirecta sve HTTP na HTTPS
# paziti za API-je
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name stranica.com;
return 301 https://www.stranica.com$request_uri;
}
server {
listen 443 ssl http2; # za najbolje rezultateomogućiti HTTP2
listen [::]:443 ssl http2;
...
}

28. https://devcenter.heroku.com/articles/ssl

29. https://www.taylorpetrick.com/blog/post/https-nodejs-letsencrypt

30. const https = require('https')
const helmet = require('helmet')
...
app.use(helmet.hsts({
maxAge: 31536000000,
includeSubdomains: true,
force: true
}));
...
https.createServer({
key: fs.readFileSync("/etc/letsencrypt/archive/example.com/privkey1.pem"),
cert: fs.readFileSync("/etc/letsencrypt/archive/example.com/fullchain1.pem"),
ca: fs.readFileSync("/etc/letsencrypt/archive/example.com/chain1.pem"),
dhparam: fs.readFileSync("/etc/letsencrypt/archive/example.com/dh1.pem"),
}, app).listen(443);

31. Upload certifikata:
https://aws.amazon.com/certificate-manager/
Amazon S3 sa vlastitom domenom
https://aws.amazon.com/cloudfront/custom-ssl-domains/
EC2 uz Classic Load Balancer
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html

32. - SPF (Sender Policy Framework) – domene
- DKIM (DomainKeys Identified Mail) - digitalni potpis
- DMARC (Domain-based Message Authentication,
Reporting & Conformance)
Email
http://www.jscape.com/blog/ssl-vs-tls-know-the-difference