APACHECON North America Sept. 9-12, 2019
Apache httpd and TLS/SSL certificates validation
Jean-Frederic Clere
What I will cover
● TLS and certificates/keys (clients and servers)
● Basics
● Client certificates: OCSP responder or CRL
● Server certificates
● Signed by a CA, Let’s Encrypt for example
● mod_md to automate renewal
● mod_md2 and OCSP stapling
● Demos
● Questions?
Who I am
Jean-Frederic Clere
Red Hat
Years writing Java code and server software
Tomcat committer since 2001
Doing open source since 1999
Cyclist/Runner etc.
Lived 15 years in Spain (Barcelona)
Now in Neuchâtel (CH)
Key and Certificate
– A pair:
● You keep the key secret
● You “publish” the certificate
● You identify yourself in the certificate
Certificate authority
Let’s Encrypt
– How it works.
Client Hello (TLS 1.3 Firefox)
Server Hello (Tomcat)
TLS 1.3 versus 1.2
TLS 1.3 versus 1.2 (look to 1.2!)
HTTPd / Configuration / Basic
● httpd.conf:
Listen 8888
<VirtualHost _default_:8888>
SSLEngine on
SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem"
SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem"
SSLCACertificateFile "/etc/pki/CA/cacert.pem"
SSLOptions +StdEnvVars -ExportCertData
ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/"
</VirtualHost>
Client Certificate required
● httpd.conf:
Listen 8889
<VirtualHost _default_:8889>
SSLEngine on
SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem"
SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem"
SSLCACertificateFile "/etc/pki/CA/cacert.pem"
SSLOptions +StdEnvVars -ExportCertData
ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/"
SSLVerifyClient require
SSLVerifyDepth 1
</VirtualHost>
With revocation in a file.
● httpd.conf:
Listen 8890
<VirtualHost _default_:8890>
SSLEngine on
SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem"
SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem"
SSLCACertificateFile "/etc/pki/CA/cacert.pem"
SSLOptions +StdEnvVars -ExportCertData
ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/"
SSLVerifyClient require
SSLVerifyDepth 1
SSLCARevocationCheck leaf
SSLCARevocationFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/crl_01.pem"
</VirtualHost>
With OCSP responder for revocation.
● httpd.conf:
Listen 8891
<VirtualHost _default_:8891>
SSLEngine on
SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem"
SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem"
SSLCACertificateFile "/etc/pki/CA/cacert.pem"
SSLOptions +StdEnvVars -ExportCertData
ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/"
SSLVerifyClient require
SSLVerifyDepth 1
SSLOCSPEnable on
SSLOCSPDefaultResponder http://jfcpc:2560/
SSLOCSPOverrideResponder on
</VirtualHost>
Using “OCSP responder” in certificate
● httpd.conf:
Listen 8892
<VirtualHost _default_:8892>
SSLEngine on
SSLCertificateFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem"
SSLCertificateKeyFile "/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem"
SSLCACertificateFile "/etc/pki/CA/cacert.pem"
SSLOptions +StdEnvVars -ExportCertData
ScriptAlias /cgi-bin/ "/home/jfclere/APACHE/cgi-bin/"
SSLVerifyClient require
SSLVerifyDepth 1
SSLOCSPEnable on
</VirtualHost>
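An added audit helper (example code, not from the talk or from httpd): it parses VirtualHost blocks like the four above and reports any vhost that requires client certificates without a working revocation check, CRL or OCSP. The sample config is constructed; its extra vhost on port 8893 shows a pitfall the slides do not cover, a CRL file given without SSLCARevocationCheck, which mod_ssl then never consults.

```python
import re
# Constructed sample (not the talk's full config): the slides' client-cert vhosts
# reduced to the directives that matter, plus a common mistake on vhost 8893
# (a CRL file without SSLCARevocationCheck, so the CRL is silently ignored).
SAMPLE_CONF = """
<VirtualHost _default_:8889>
SSLVerifyClient require
</VirtualHost>
<VirtualHost _default_:8890>
SSLVerifyClient require
SSLCARevocationCheck leaf
SSLCARevocationFile "/path/to/crl_01.pem"
</VirtualHost>
<VirtualHost _default_:8892>
SSLVerifyClient require
SSLOCSPEnable on
</VirtualHost>
<VirtualHost _default_:8893>
SSLVerifyClient require
SSLCARevocationFile "/path/to/crl_01.pem"
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Yield (VirtualHost argument, {directive lowercased: value}) per block."""
    for name, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
        yield name.strip(), directives


def audit_client_auth(conf):
    """Return {vhost: [findings]} for every vhost that verifies client certs."""
    findings = {}
    for name, d in parse_vhosts(conf):
        if d.get("sslverifyclient", "none").lower() not in ("require", "optional"):
            continue  # no client authentication here, nothing to revoke
        issues = []
        crl_mode = d.get("sslcarevocationcheck", "none").lower()  # httpd default is none
        has_crl = "sslcarevocationfile" in d or "sslcarevocationpath" in d
        if has_crl and crl_mode == "none":
            issues.append("CRL configured but SSLCARevocationCheck is none, so it is ignored")
        ocsp_on = d.get("sslocspenable", "off").lower() != "off"
        if not ((has_crl and crl_mode != "none") or ocsp_on):
            issues.append("client certs accepted without CRL or OCSP revocation checking")
        findings[name] = issues
    return findings
```

Run it over a real httpd.conf after `Include`s have been resolved; a vhost with an empty findings list has at least one revocation path configured.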
Servers!!!
● Let’s look at the server certificates:
– Validation like for the client certificates
– Signed by CA
– OCSP
– stapling
Let’s Encrypt!
● See Let's Encrypt:
– Signed certificates valid for 90 days.
– Challenge to prove you own the host/domain.
● HTTP/DNS/TLS-SNI/TLS-ALPN
– Renewal: certbot renew
– Renewal: mod_md
– OCSP stapling
Certbot config
<VirtualHost _default_:443>
ServerName jfclere.noip.me:443
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/jfclere.noip.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/jfclere.noip.me/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
mod_md
<VirtualHost _default_:443>
ServerName jfclere.noip.me:443
SSLEngine on
</VirtualHost>
ServerAdmin jfclere@gmail.com
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDomain jfclere.noip.me
– Note you have to restart the server the first time:
The Managed Domain jfclere.noip.me has been setup and changes will be activated on next (graceful) server restart.
– SELinux: setsebool -P httpd_can_network_connect 1
Stapling
MDMustStaple (mod_md):
MDMustStaple On
SSLUseStapling (mod_ssl in ssl.conf):
SSLStaplingCache shmcb:/run/httpd/sslstapingcache(512000)
<VirtualHost _default_:443>
SSLUseStapling On
...
openssl s_client -connect jfclere.noip.me:443 -status
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Sep 3 14:28:00 2019 GMT
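An added monitoring check (example code, not from the talk): it reads captured `openssl s_client -status` output like the above and reports whether a good, unexpired OCSP response is stapled, which is what clients will insist on once MDMustStaple is on. The sample text is constructed and extends the slide's capture with the Cert Status and Next Update lines that a full response prints.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample shaped like the slide's `openssl s_client -status` output;
# the slide's capture stops at "Produced At", the remaining lines are the usual
# continuation of a real response and are what the check cares about.
SAMPLE_STATUS = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Sep  3 14:28:00 2019 GMT
    Cert Status: good
    This Update: Sep  3 14:00:00 2019 GMT
    Next Update: Sep 10 14:00:00 2019 GMT
======================================
"""


def _field(text, name):
    """First 'Name: value' line of the OCSP dump, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(name + ":"):
            return line.split(":", 1)[1].strip()
    return None


def _asn1_time(value):
    """Parse OpenSSL's 'Sep  3 14:28:00 2019 GMT' timestamps as UTC."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def check_stapling(text, now, max_age=timedelta(days=7)):
    """Return (ok, reason) for the response stapled in s_client -status output."""
    if "OCSP Response Data:" not in text:  # s_client then prints "no response sent"
        return False, "no OCSP response stapled (must-staple certs then fail in clients)"
    status = _field(text, "OCSP Response Status") or ""
    if not status.startswith("successful"):
        return False, "responder status: " + status
    cert_status = _field(text, "Cert Status")
    if cert_status != "good":
        return False, "cert status: %s" % cert_status
    next_update = _field(text, "Next Update")
    if next_update and _asn1_time(next_update) < now:
        return False, "stapled response expired at " + next_update
    produced = _asn1_time(_field(text, "Produced At"))
    if now - produced > max_age:
        return False, "stapled response older than %s" % max_age
    return True, "stapled, good, produced " + produced.isoformat()
```

Feed it `openssl s_client -connect host:443 -status </dev/null 2>&1` from a cron job and alert on a False result.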
ACME V2
Not backward compatible with V1
Requires mod_md 2.x: mod_md v2.1.5 (beta)
Let's Encrypt V2 services [Test for V2 clients.]
Soon in httpd
V1 will be sunset “at some point in the future”.
Questions?
Thank you!
● jfclere@gmail.com
● users@httpd.apache.org
● dev@httpd.apache.org
● https://github.com/apache/httpd
● https://github.com/jfclere/AC2014scripts/blob/master/httpdssl.txt : commands for demos.
THANK YOU
Jean-Frederic Clere
@jfclere
jfclere@gmail.com