SlideShare uma empresa Scribd logo

Apache Httpd and TLS certificates validations

Jean-Frederic Clere
Jean-Frederic Clere

Intro to using TLS certificates validations in Apache httpd, betwen clients and httpd and validating httpd server certificates

Internet
1 de 29
Baixar para ler offline
APACHECON @HOME Sep. 29th – Oct. 1st 2020 Apache httpd and TLS/SSL certificates validation Jean-Frederic Clere
What I will coverWhat I will cover ● TLS and certificates/keys (clients and servers) ● Basics ● Client certificates OCSP responder or CRL. ● Servers certificates ● Signed by CA, let’s encrypt for example ● mod_md to automate renewal ● mod_md2 and OCSP stapling ● Demos ● Questions? 2
Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 3
Key and CertificateKey and Certificate – A pair: ● You keep the key secret ● You “publish” the certificate ● You identify your self in the certificate Certificate authority Let’s encrypt – How it works. 4
OpenSSLtools for key and reqOpenSSLtools for key and req – Using CA -newreq ● newreq.pem (to be signed by CA) ● newkey.pem (encrypted passphrase) – Using CA -signreq ● newcert.pem (signed cert)
CA cert in the browserCA cert in the browser – CA -signreq uses CA key to sign – /etc/pki/CA/cacert.pem (self signed) – cacert.pem in the brower.
Look to client server exchangeLook to client server exchange – TLS-1.2 – TLS-1.3 – Using wireshark to show how it works...
Client Hello (TLS 1.3 Firefox)Client Hello (TLS 1.3 Firefox) 8
Server Hello (Tomcat)Server Hello (Tomcat) 9
TLS 1.3 versus 1.2TLS 1.3 versus 1.2 10
TLS 1.3 versus 1.2 (look into 1.2!)TLS 1.3 versus 1.2 (look into 1.2!) 11
Look to client server exchangeLook to client server exchange – TLS-1.2 – TLS-1.3 – Now you know why TLS-1.3 is better!!!
HTTPd / Configuration / BasicHTTPd / Configuration / Basic ● httpd.conf: Listen 8888 <VirtualHost _default_:8888> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" </VirtualHost> 13
Client Certificate requiredClient Certificate required ● httpd.conf: Listen 8889 <VirtualHost _default_:8889> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" SSLCACertificateFile "/etc/pki/CA/cacert.pem" SSLVerifyClient require SSLVerifyDepth 1 </VirtualHost> 14
Verifying Client CertificatesVerifying Client Certificates ● 2 certificates – invalid cert 2020 – valid cert 2020 ● Invalid cert: – Revoked by CA(using openssl) ● Openssl ca -revoke ● Openssl ca -gencrl (creates a pem file) – Use CRL ● As file ● With a OCSP responder 15
With revocation in a file.With revocation in a file. ● httpd.conf: Listen 8890 <VirtualHost _default_:8890> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" SSLVerifyClient require SSLVerifyDepth 1 SSLCARevocationCheck leaf SSLCARevocationFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/crl_01.pem </VirtualHost> 16
With OCSP responder for revocation.With OCSP responder for revocation.● httpd.conf: (mostly for debugging purposes or OCSP proxy) Listen 8891 <VirtualHost _default_:8891> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" SSLVerifyClient require SSLVerifyDepth 1 SSLOCSPEnable on SSLOCSPDefaultResponder http://jfcpc:2560/ SSLOCSPOverrideResponder on </VirtualHost> 17
Using “OCSP responder” in certificateUsing “OCSP responder” in certificate● httpd.conf: Listen 8892 <VirtualHost _default_:8892> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" SSLVerifyClient require SSLVerifyDepth 1 SSLOCSPEnable on </VirtualHost> 18
OCSP validation.OCSP validation. ● [jfclere@pc-7 httpdssl]$ openssl ocsp -VAfile ocsp_newcert.pem -issuer /etc/pki/CA/cacert.pem -cert invalid_newcert.pem -url http://localhost:2560/ – Response verify OK – invalid_newcert.pem: revoked – This Update: Sep 24 09:05:06 2020 GMT – Next Update: Sep 24 09:40:38 2020 GMT – Revocation Time: Sep 24 09:03:26 2020 GMT ● [jfclere@pc-7 httpdssl]$ openssl ocsp -VAfile ocsp_newcert.pem -issuer /etc/pki/CA/cacert.pem -cert valid_newcert.pem -url http://localhost:2560/ – Response verify OK – valid_newcert.pem: good – This Update: Sep 24 09:05:06 2020 GMT – Next Update: Sep 24 09:40:48 2020 GMT 19
Servers!!!Servers!!!● Let’s look to the server certificates: – Validation like for the client certificates – Signed by CA – OCSP – stapling 20
Using OCSP Stapling for the CAUsing OCSP Stapling for the CA● httpd.conf: Listen 8893 SSLStaplingCache "shmcb:ssl_scache(512000)" SSLStaplingStandardCacheTimeout 300 <VirtualHost _default_:8893> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLCACertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/cachain.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" SSLVerifyClient require SSLVerifyDepth 2 SSLUseStapling On </VirtualHost> 21
Let’s Encrypt!Let’s Encrypt!● See Let's encrypt: – Signed certificates valid for 90 days. – Challenge to prove you own the host/domain. ● HTTP/DNS/TLS-SNI/TLS-ALPN – Renewal: certbot renew – Renewal: mod_md – OCSP stapling 22
Certbot configCertbot config <VirtualHost _default_:443> ServerName jfclere.noip.me:443 SSLEngine on SSLCertificateFile /etc/letsencrypt/live/jfclere.noip.me/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/jfclere.noip.me/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> 23
mod_mdmod_md <VirtualHost _default_:443> ServerName jfclere.noip.me:443 SSLEngine on </VirtualHost> – Signed certificates valid for 90 days. – Challenge to prove you own the host/domain. ● HTTP/DNS/TLS-SNI/TLS-ALPN – Renewal: certbot renew – Renewal: mod_md – OCSP stapling 24
mod_mdmod_md <VirtualHost _default_:443> ServerName jfclere.noip.me:443 SSLEngine on </VirtualHost> ServerAdmin jfclere@gmail.com MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf MDomain jfclere.noip.me – Note you have to restart the server the first time: The Managed Domain jfclere.noip.me has been setup and changes will be activated on next (graceful) server restart. – SElinux: setsebool -P httpd_can_network_connect 1 25
staplingstapling MDMustStaple (mod_md) MDMustStaple On SSLUseStapling (mod_ssl in ssl.conf) SSLStaplingCache shmcb:/run/httpd/sslstapingcache(512000) <VirtualHost _default_:443> SSLUseStapling On ... openssl s_client -connect jfclere.myddns.me:443 -status OCSP response: ====================================== OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Produced At: Sep 3 14:28:00 2019 GMT 26
ACME V2ACME V2 Not backward compatible with V1 Requires mod_md 2.2.x mod_md v2.2.x let's encrypt V2 services [Test for V2 clients.] Already in httpd since 2.4.nn V1 will be sunset “ at some point in the future”. 27
Questions?Questions? ● jfclere@gmail.com ● users@httpd.apache.org ● dev@httpd.apache.org ● https://github.com/apache/httpd ● https://github.com/jfclere/AC2014scripts/blob/master/httpdssl.txt : commands for demos. 28
THANK YOU Jean-Frederic Clere @jfclere jfclere@gmail.com

Recomendados

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersHTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
Jean-Frederic Clere
 
TomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloudTomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloud
Jean-Frederic Clere
 
From a cluster to the Cloud
From a cluster to the CloudFrom a cluster to the Cloud
From a cluster to the Cloud
Jean-Frederic Clere
 
Observability with HAProxy
Observability with HAProxyObservability with HAProxy
Observability with HAProxy
HAProxy Technologies
 
Introduction to Haproxy
Introduction to HaproxyIntroduction to Haproxy
Introduction to Haproxy
Shaopeng He
 
MariaDB Replication manager and HAProxy (HAProxy Paris Meetup)
MariaDB Replication manager and HAProxy (HAProxy Paris Meetup)MariaDB Replication manager and HAProxy (HAProxy Paris Meetup)
MariaDB Replication manager and HAProxy (HAProxy Paris Meetup)
HAProxy Technologies
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Fastly
 
HAProxy tech talk
HAProxy tech talkHAProxy tech talk
HAProxy tech talk
icebourg
 

Recomendados

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersHTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
Jean-Frederic Clere
 
TomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloudTomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloud
Jean-Frederic Clere
 
From a cluster to the Cloud
From a cluster to the CloudFrom a cluster to the Cloud
From a cluster to the Cloud
Jean-Frederic Clere
 
Observability with HAProxy
Observability with HAProxyObservability with HAProxy
Observability with HAProxy
HAProxy Technologies
 
Introduction to Haproxy
Introduction to HaproxyIntroduction to Haproxy
Introduction to Haproxy
Shaopeng He
 
MariaDB Replication manager and HAProxy (HAProxy Paris Meetup)
MariaDB Replication manager and HAProxy (HAProxy Paris Meetup)MariaDB Replication manager and HAProxy (HAProxy Paris Meetup)
MariaDB Replication manager and HAProxy (HAProxy Paris Meetup)
HAProxy Technologies
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Fastly
 
HAProxy tech talk
HAProxy tech talkHAProxy tech talk
HAProxy tech talk
icebourg
 
Load Balancing with HAproxy
Load Balancing with HAproxyLoad Balancing with HAproxy
Load Balancing with HAproxy
Brendan Jennings
 
HA Proxy logs - The Art of Logging
HA Proxy logs - The Art of LoggingHA Proxy logs - The Art of Logging
HA Proxy logs - The Art of Logging
logmatic.io
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
Men and Mice
 
Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and Tomcat
Jean-Frederic Clere
 
HAProxy
HAProxy HAProxy
HAProxy
Arindam Nayak
 
HAProxy 1.9
HAProxy 1.9HAProxy 1.9
HAProxy 1.9
HAProxy Technologies
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
Severalnines
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
HTTP2:新的机遇与挑战
HTTP2:新的机遇与挑战HTTP2:新的机遇与挑战
HTTP2:新的机遇与挑战
Jerry Qu
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
Sadique Puthen
 
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
Jxck Jxck
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2
Jim Jagielski
 
What's New in HAProxy
What's New in HAProxyWhat's New in HAProxy
What's New in HAProxy
HAProxy Technologies
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
Sadique Puthen
 
What HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For YouWhat HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For You
Mark Nottingham
 
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 eraHTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
peychevi
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
Sadique Puthen
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
Jean-Frederic Clere
 
Http2 right now
Http2 right nowHttp2 right now
Http2 right now
Daniel Stenberg
 
How happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPHow happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTP
Ichito Nagata
 
Apache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validationApache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validation
Jean-Frederic Clere
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoia
zznate
 

Mais conteúdo relacionado

Mais procurados

How happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPHow happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTP
Ichito Nagata
 

Mais procurados (20)

Load Balancing with HAproxy
Load Balancing with HAproxyLoad Balancing with HAproxy
Load Balancing with HAproxy
 
HA Proxy logs - The Art of Logging
HA Proxy logs - The Art of LoggingHA Proxy logs - The Art of Logging
HA Proxy logs - The Art of Logging
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
 
Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and Tomcat
 
HAProxy
HAProxy HAProxy
HAProxy
 
HAProxy 1.9
HAProxy 1.9HAProxy 1.9
HAProxy 1.9
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
HTTP2:新的机遇与挑战
HTTP2:新的机遇与挑战HTTP2:新的机遇与挑战
HTTP2:新的机遇与挑战
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
 
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2
 
What's New in HAProxy
What's New in HAProxyWhat's New in HAProxy
What's New in HAProxy
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
 
What HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For YouWhat HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For You
 
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 eraHTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Http2 right now
Http2 right nowHttp2 right now
Http2 right now
 
How happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPHow happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTP
 

Semelhante a Apache Httpd and TLS certificates validations

The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
DataStax Academy
 
Configurações distribuídas com Spring Cloud Config
Configurações distribuídas com Spring Cloud ConfigConfigurações distribuídas com Spring Cloud Config
Configurações distribuídas com Spring Cloud Config
Emmanuel Neri
 
When Securing Access to Data is About Life and Death
When Securing Access to Data is About Life and DeathWhen Securing Access to Data is About Life and Death
When Securing Access to Data is About Life and Death
HostedbyConfluent
 
Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
NGINX, Inc.
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
Conrad Cruz
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
Conrad Cruz
 

Semelhante a Apache Httpd and TLS certificates validations (20)

Apache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validationApache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validation
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoia
 
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
 
Let's Encrypt!
Let's Encrypt!Let's Encrypt!
Let's Encrypt!
 
Configurações distribuídas com Spring Cloud Config
Configurações distribuídas com Spring Cloud ConfigConfigurações distribuídas com Spring Cloud Config
Configurações distribuídas com Spring Cloud Config
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
 
How To Install and Configure Apache SSL on CentOS 7
How To Install and Configure Apache SSL on CentOS 7How To Install and Configure Apache SSL on CentOS 7
How To Install and Configure Apache SSL on CentOS 7
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
 
Kong API Gateway
Kong API Gateway Kong API Gateway
Kong API Gateway
 
Secure Communications with VisualWorks - CSTUC 2006
Secure Communications with VisualWorks - CSTUC 2006Secure Communications with VisualWorks - CSTUC 2006
Secure Communications with VisualWorks - CSTUC 2006
 
Java security
Java securityJava security
Java security
 
When Securing Access to Data is About Life and Death
When Securing Access to Data is About Life and DeathWhen Securing Access to Data is About Life and Death
When Securing Access to Data is About Life and Death
 
Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-Dive
 
IBM MQ V8 Security
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 Security
 
Adobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideAdobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL Guide
 
Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
Dynamic SSL Certificates and Other New Features in NGINX Plus R18 and NGINX O...
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 

Mais de Jean-Frederic Clere

Mais de Jean-Frederic Clere (14)

Panama.pdf
Panama.pdfPanama.pdf
Panama.pdf
 
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
 
03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf
 
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
 
Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64
 
Juggva cloud
Juggva cloudJuggva cloud
Juggva cloud
 
Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3
 
Having fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projectsHaving fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projects
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projects
 
HTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversHTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF servers
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Native 1.2.8
Native 1.2.8Native 1.2.8
Native 1.2.8
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 

Último

Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
Escorts Call Girls
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
nilamkumrai
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Delhi Call girls
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
Neha Pandey
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Delhi Call girls
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Escorts Call Girls
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
SUHANI PANDEY
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
soniya singh
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
soniya singh
 
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
SUHANI PANDEY
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
SUHANI PANDEY
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
SUHANI PANDEY
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
tanu pandey
 

Último (20)

APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 

Apache Httpd and TLS certificates validations

  • 1. APACHECON @HOME Sep. 29th – Oct. 1st 2020 Apache httpd and TLS/SSL certificates validation Jean-Frederic Clere
  • 2. What I will coverWhat I will cover ● TLS and certificates/keys (clients and servers) ● Basics ● Client certificates OCSP responder or CRL. ● Servers certificates ● Signed by CA, let’s encrypt for example ● mod_md to automate renewal ● mod_md2 and OCSP stapling ● Demos ● Questions? 2
  • 3. Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 3
  • 4. Key and CertificateKey and Certificate – A pair: ● You keep the key secret ● You “publish” the certificate ● You identify your self in the certificate Certificate authority Let’s encrypt – How it works. 4
  • 5. OpenSSLtools for key and reqOpenSSLtools for key and req – Using CA -newreq ● newreq.pem (to be signed by CA) ● newkey.pem (encrypted passphrase) – Using CA -signreq ● newcert.pem (signed cert)
  • 6. CA cert in the browserCA cert in the browser – CA -signreq uses CA key to sign – /etc/pki/CA/cacert.pem (self signed) – cacert.pem in the brower.
  • 7. Look to client server exchangeLook to client server exchange – TLS-1.2 – TLS-1.3 – Using wireshark to show how it works...
  • 8. Client Hello (TLS 1.3 Firefox)Client Hello (TLS 1.3 Firefox) 8
  • 9. Server Hello (Tomcat)Server Hello (Tomcat) 9
  • 10. TLS 1.3 versus 1.2TLS 1.3 versus 1.2 10
  • 11. TLS 1.3 versus 1.2 (look into 1.2!)TLS 1.3 versus 1.2 (look into 1.2!) 11
  • 12. Look to client server exchangeLook to client server exchange – TLS-1.2 – TLS-1.3 – Now you know why TLS-1.3 is better!!!
  • 13. HTTPd / Configuration / BasicHTTPd / Configuration / Basic ● httpd.conf: Listen 8888 <VirtualHost _default_:8888> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" </VirtualHost> 13
  • 14. Client Certificate requiredClient Certificate required ● httpd.conf: Listen 8889 <VirtualHost _default_:8889> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" SSLCACertificateFile "/etc/pki/CA/cacert.pem" SSLVerifyClient require SSLVerifyDepth 1 </VirtualHost> 14
  • 15. Verifying Client CertificatesVerifying Client Certificates ● 2 certificates – invalid cert 2020 – valid cert 2020 ● Invalid cert: – Revoked by CA(using openssl) ● Openssl ca -revoke ● Openssl ca -gencrl (creates a pem file) – Use CRL ● As file ● With a OCSP responder 15
  • 16. With revocation in a file.With revocation in a file. ● httpd.conf: Listen 8890 <VirtualHost _default_:8890> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" SSLVerifyClient require SSLVerifyDepth 1 SSLCARevocationCheck leaf SSLCARevocationFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/crl_01.pem </VirtualHost> 16
  • 17. With OCSP responder for revocation.With OCSP responder for revocation.● httpd.conf: (mostly for debugging purposes or OCSP proxy) Listen 8891 <VirtualHost _default_:8891> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" SSLVerifyClient require SSLVerifyDepth 1 SSLOCSPEnable on SSLOCSPDefaultResponder http://jfcpc:2560/ SSLOCSPOverrideResponder on </VirtualHost> 17
  • 18. Using “OCSP responder” in certificateUsing “OCSP responder” in certificate● httpd.conf: Listen 8892 <VirtualHost _default_:8892> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" SSLVerifyClient require SSLVerifyDepth 1 SSLOCSPEnable on </VirtualHost> 18
  • 19. OCSP validation.OCSP validation. ● [jfclere@pc-7 httpdssl]$ openssl ocsp -VAfile ocsp_newcert.pem -issuer /etc/pki/CA/cacert.pem -cert invalid_newcert.pem -url http://localhost:2560/ – Response verify OK – invalid_newcert.pem: revoked – This Update: Sep 24 09:05:06 2020 GMT – Next Update: Sep 24 09:40:38 2020 GMT – Revocation Time: Sep 24 09:03:26 2020 GMT ● [jfclere@pc-7 httpdssl]$ openssl ocsp -VAfile ocsp_newcert.pem -issuer /etc/pki/CA/cacert.pem -cert valid_newcert.pem -url http://localhost:2560/ – Response verify OK – valid_newcert.pem: good – This Update: Sep 24 09:05:06 2020 GMT – Next Update: Sep 24 09:40:48 2020 GMT 19
  • 20. Servers!!!Servers!!!● Let’s look to the server certificates: – Validation like for the client certificates – Signed by CA – OCSP – stapling 20
  • 21. Using OCSP Stapling for the CAUsing OCSP Stapling for the CA● httpd.conf: Listen 8893 SSLStaplingCache "shmcb:ssl_scache(512000)" SSLStaplingStandardCacheTimeout 300 <VirtualHost _default_:8893> SSLEngine on SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" SSLCACertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/cachain.pem" SSLOptions +StdEnvVars -ExportCertData ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/" SSLVerifyClient require SSLVerifyDepth 2 SSLUseStapling On </VirtualHost> 21
  • 22. Let’s Encrypt!Let’s Encrypt!● See Let's encrypt: – Signed certificates valid for 90 days. – Challenge to prove you own the host/domain. ● HTTP/DNS/TLS-SNI/TLS-ALPN – Renewal: certbot renew – Renewal: mod_md – OCSP stapling 22
  • 23. Certbot configCertbot config <VirtualHost _default_:443> ServerName jfclere.noip.me:443 SSLEngine on SSLCertificateFile /etc/letsencrypt/live/jfclere.noip.me/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/jfclere.noip.me/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> 23
  • 24. mod_mdmod_md <VirtualHost _default_:443> ServerName jfclere.noip.me:443 SSLEngine on </VirtualHost> – Signed certificates valid for 90 days. – Challenge to prove you own the host/domain. ● HTTP/DNS/TLS-SNI/TLS-ALPN – Renewal: certbot renew – Renewal: mod_md – OCSP stapling 24
  • 25. mod_mdmod_md <VirtualHost _default_:443> ServerName jfclere.noip.me:443 SSLEngine on </VirtualHost> ServerAdmin jfclere@gmail.com MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf MDomain jfclere.noip.me – Note you have to restart the server the first time: The Managed Domain jfclere.noip.me has been setup and changes will be activated on next (graceful) server restart. – SElinux: setsebool -P httpd_can_network_connect 1 25
  • 26. staplingstapling MDMustStaple (mod_md) MDMustStaple On SSLUseStapling (mod_ssl in ssl.conf) SSLStaplingCache shmcb:/run/httpd/sslstapingcache(512000) <VirtualHost _default_:443> SSLUseStapling On ... openssl s_client -connect jfclere.myddns.me:443 -status OCSP response: ====================================== OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Produced At: Sep 3 14:28:00 2019 GMT 26
  • 27. ACME V2ACME V2 Not backward compatible with V1 Requires mod_md 2.2.x mod_md v2.2.x let's encrypt V2 services [Test for V2 clients.] Already in httpd since 2.4.nn V1 will be sunset “ at some point in the future”. 27