Up to CSR creation
First, create a place to keep the SSL-related files. The location is up to you.
Move into the SSL file directory you created.
# mkdir /usr/local/etc/apache22/ssl
# cd /usr/local/etc/apache22/ssl
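The steps below, from private key creation through CSR creation, use RSA. If you also want an ECDSA certificate, which has an advantage in processing cost, please refer to "Trying out an ECDSA SSL certificate". As of 2016, publishing a web server with only an ECDSA certificate is still not recommended, so also create an RSA certificate as described below.
Private key creation
These days, when applying for an SSL certificate you are usually asked for a CSR with a key length of at least 2048 bits, so create the key as follows.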
# openssl genrsa -out private.key -aes128 2048
Generating RSA private key, 2048 bit long modulus
..................................................................+++
..............................+++
e is 65537 (0x10001)
Enter pass phrase for private.key: (enter the passphrase)
Verifying - Enter pass phrase for private.key: (re-enter the passphrase)
#
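Note that doing it the old way, openssl genrsa -out private.key 2048, ends up producing a weak DES key, so be careful.
This creates the private key in a file named private.key. The key can be used as-is with Apache and similar servers, but that is a nuisance: Apache asks for the passphrase at startup and does not start until it is entered. Convert it as follows into a key that does not require a passphrase.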
# openssl rsa -in private.key -out server.key
Enter pass phrase for private.key: (enter the private key's passphrase)
writing RSA key
#
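This creates server.key, a private key for Apache that needs no passphrase entry.
Next, create the CSR.
Since Microsoft's announcement in November 2013, the migration from SHA1 to SHA-2 has begun. Issuance of server certificates with SHA-1 is apparently due to end at the end of 2015, but even before then, if the SSL certificate authority you use already accepts SHA-2 CSRs, issue with SHA-2.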
- SHA1 (old) openssl req -new -key private.key -out server.csr
- SHA2 (new) openssl req -new -sha256 -key private.key -out server.csr
# openssl req -new -sha256 -key private.key -out server.csr
Enter pass phrase for private.key: (enter the private key's passphrase)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: JP (JP for Japan)
State or Province Name (full name) [Some-State]: Tokyo (prefecture, in English)
Locality Name (eg, city) []: Chiyoda-ku (ward, city or county, in English)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (organization or company name, in alphanumerics)
Organizational Unit Name (eg, section) []: (department etc., in alphanumerics)
Common Name (e.g. server FQDN or YOUR name) []: host.example.com (*CAUTION*)
Email Address []: (just press Enter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (just press Enter)
An optional company name []: (just press Enter)
#
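This creates the CSR in a file named server.csr.
Note that if you get the Common Name field wrong, create the CSR and apply for the SSL server certificate with it, you are in for some pain. (Re-applying has become easier lately, but it is a hassle and wastes time.)
Typos are of course no good, but you must also not get wrong whether it is host name + domain name or the domain name alone.
Until you apply for the SSL server certificate, you can recreate the CSR as many times as you like.
Display the CSR you created.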
% cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICrzCCAZcCAQAwajELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMRMwEQYD
BgqDDBzGWiv+oizxYi462itWTkRNYCg2ufxDwUYMfMzKDYkV1vbc5MQlO92e3wqm
su/tUDlsG8X1OBzbILQUFl6uVHkqulBXHDKMHBXOYHnMCIzMOEor9uS/h/+T+1kL
(middle omitted)
6lIZ+9p//z1Zp7LnldPW/V5knK/9xF3ndmO12E6NmwqyRAykV0j3qPDhF/dT4nEt
uxpPljZUkmu+nqkjAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAALA9XdbNt+gv
/QI75OBqK3AQyMwoK0QTIKrZ7pQgbbWTkfwOQMmwiE3JPYeddHW0ONAELWCij8I1
27FlFIkwDO5EOnid7oxds3Xzlw==
-----END CERTIFICATE REQUEST-----
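Added example (not part of the original article): a shell check to run before pasting the CSR into the CA's form. It confirms the Common Name, the SHA-2 signature and that the request belongs to the key Apache will load. The function names, the throwaway key in a temp directory and the -subj subject are assumptions made for the example.

```shell
#!/bin/sh
# check_csr CSR KEY EXPECTED_CN
# Prints one line per failed check; returns 0 only when all checks pass.
check_csr() {
    csr=$1 key=$2 want_cn=$3 rc=0

    # Common Name exactly as the CA will read it (host+domain vs. domain only).
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
         awk -F' = ' '$1 ~ /commonName/ { print $2 }')
    [ "$cn" = "$want_cn" ] || { echo "CN is '$cn', expected '$want_cn'"; rc=1; }

    # Signature digest must be SHA-2, not SHA-1.
    alg=$(openssl req -in "$csr" -noout -text |
          awk -F': ' '/Signature Algorithm/ { print $2; exit }')
    case $alg in
        sha256*|sha384*|sha512*) ;;
        *) echo "signature algorithm is '$alg', not SHA-2"; rc=1 ;;
    esac

    # The CSR must carry the public half of the key Apache will load.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "CSR public key does not match $key"; rc=1; }

    return $rc
}

# Constructed sample: throwaway key and CSR in a temp dir, subject passed
# with -subj instead of the interactive prompts. Prints the directory.
make_sample() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$d/server.key" -out "$d/server.csr" \
        -subj "/C=JP/ST=Tokyo/L=Chiyoda-ku/O=Example/CN=host.example.com"
    echo "$d"
}

dir=$(make_sample)
check_csr "$dir/server.csr" "$dir/server.key" host.example.com && echo "CSR OK"
check_csr "$dir/server.csr" "$dir/server.key" example.com || echo "do not submit"
rm -rf "$dir"
```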
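Applying for the SSL server certificate
Japanese SSL certificate registration sites have been getting cheaper, but compared with the bargain sites abroad they are still quite expensive.
The one I personally use most is CHEAPSSLs.com. (Addendum: it later became SSLs.com.)
Comodo's PositiveSSL is $4.99/year (when applying for 5 years) and Geotrust's RapidSSL is $7.99/year (when applying for 5 years) (as of January 2014), so it is best to apply for the maximum of 5 years.
With fewer years it is relatively expensive and renewing the certificate is a hassle.
When applying for an SSL certificate at CHEAPSSLs.com, select the brand and type of SSL certificate and add it to the cart just as in online shopping, choosing the number of years at the same time. Normally something like the Comodo PositiveSSL or Geotrust RapidSSL mentioned above is enough. On some old smartphones the SSL certificate may not work correctly, but that should not be a problem once the cross-chain configuration described later is in place.
After completing payment, choose My SSLs from the menu on the left of the site; what you purchased is listed, so press the Activate button. When the CSR registration screen appears, copy and paste in the entire contents of the CSR file created earlier.
After you answer a few other questions and complete the registration, Comodo or Geotrust sends a mail to the mail address you gave in one of those questions. The SSL server certificate is in the body of that mail for RapidSSL, and for PositiveSSL in both the body (below Web Server CERTIFICATE) and the attachment (the file in the ZIP file named after the host name or domain name you applied for, with .csr), so save it in /usr/local/etc/apache22/ssl/example/ under the file name server.crt.
Example of an SSL server certificate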
-----BEGIN CERTIFICATE-----
MIIpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
(middle omitted)
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDI
-----END CERTIFICATE-----
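Next, save the certificate authority certificate in /usr/local/etc/apache22/ssl/example/ under the file name chain.crt: for RapidSSL it is in the mail body (below INTERMEDIATE CA:), and for PositiveSSL it is in the attachment (the file named PositiveSSLCA2.crt in the ZIP file).
Example of a certificate authority certificate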
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
(middle omitted)
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
For Comodo PositiveSSL, take COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt from the ZIP file attached to the mail, concatenate them in that order, and create chain.crt in /usr/local/etc/apache22/ssl/example/.
-----BEGIN CERTIFICATE-----
(entire contents of COMODORSADomainValidationSecureServerCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(entire contents of COMODORSAAddTrustCA.crt)
-----END CERTIFICATE-----
Create the DH group
% openssl dhparam -out dhparams.pem 2048
% mv dhparams.pem /usr/local/etc/apache22/ssl/example/
Apache configuration
If Apache 2.2 was installed from FreeBSD ports, edit /usr/local/etc/apache22/extra/httpd-ssl.conf.
With SSL security in mind, I recommend changing the allowed protocols and key exchange methods as follows. (For Apache 2.2.26 and later)
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLCompression off
SSLHonorCipherOrder on
# ECDHE-RSA-RC4-SHA is omitted here, as stated in the April 2015 addendum.
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA
SSLCertificateFile "/usr/local/etc/apache22/ssl/example/server.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl/example/server.key"
SSLCACertificateFile "/usr/local/etc/apache22/ssl/example/ca.crt"
Incidentally, if you publish through virtual domains, most of this file is unnecessary and everything except the following can be deleted.
SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/random 512
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/var/run/ssl_mutex"
Set up the virtual domain configuration file as follows.
<virtualhost *:80>
ServerName example.com
ServerAlias *.example.com
ServerAdmin foobar@example.com
DocumentRoot /usr/local/www/example
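April 2015 addendum: RC4 is no longer needed (it is dangerous), so ECDHE-RSA-RC4-SHA was removed from SSLCipherSuite.
Listing suites individually as above is fine, but a simplified form such as SSLCipherSuite HIGH:!3DES:!aNULL:!DH:!DSS:!PSK:!SRP is also an option.
December 2015 addendum: In the past, frankly, you could specify SSLCipherSuite without much thought and nothing in particular went wrong. Recently things have become more difficult, and the order of the entries has to be right as well (especially for HTTP/2), so be careful about putting HIGH first. Entries are preferred starting from the front of the list, so put the one or more suites you want preferred in front of HIGH.
Example: EECDH+AESGCM:HIGH:!3DES:!aNULL:!DH:!DSS:!PSK:!SRP
July 7, 2017 addendum:
As for supported protocols, it is high time to think about dropping TLS 1.0. I think we should give up the idea of keeping TLS 1.0 so that visitors arriving with ridiculously old browsers can still use the site. TLS 1.2 alone seems to be enough.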
SSLProtocol +TLSv1.2
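(End of addendum)
If the SSL certificate allows a wildcard in the host name part, configure it as in the example above. If the SSL certificate requires a specific host name, it becomes, for example, ServerName www.example.com, and there is no ServerAlias line.
Pay attention to this when purchasing an SSL certificate too, or you will be in trouble later. It looks like the common host name + domain name form of SSL certificate is cheap; a certificate that, in addition, can be used with the domain name alone without the host name part costs the same or slightly more; and SSL certificates where the host name part can be used freely are priced a little higher.
Near the end of /usr/local/etc/apache22/httpd.conf, remove the comment character "#" from the beginning of the following line.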
# Secure (SSL/TLS) connections
Include etc/apache22/extra/httpd-ssl.conf
Finally, restart or start Apache.
# service apache22 restart        ... to force a restart
# service apache22 graceful       ... to restart with little impact on visitors
# service apache22 gracefulstop   ... to stop with little impact on visitors
# service apache22 start          ... to start
# service apache22 stop           ... to stop
Note that up to FreeBSD 9.* the OpenSSL that ships with the OS is version 0.9.*, so TLSv1.1 and TLSv1.2 cannot be used as-is.
Install security/openssl from packages or ports, then reinstall Apache.
FreeBSD 10.* comes with OpenSSL 1.0.* from the start, so TLSv1.1 and TLSv1.2 should be usable as-is. (Unverified)
For FreeBSD 9.* and earlier
# cd /usr/ports/security/openssl
# make install
# echo "WITH_OPENSSL_PORT=yes" >> /etc/make.conf
# portupgrade -f apache22
Specifying the cipher strength (SSLCipherSuite) is frankly rather difficult, and the policy of what you want to achieve will differ by site and operator. It is best to adjust it as you investigate.
% openssl ciphers -v 'HIGH:MEDIUM'   # To add, separate with : and append as-is.
% openssl ciphers -v 'HIGH:!3DES'    # To remove 3DES from HIGH, do it like this; prefixing ! excludes.
% openssl ciphers -v 'HIGH:\!3DES'   # In some shells a ! causes an execution error, so put a backslash before the !.
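Verification
Once the configuration is complete and Apache is started, first view the site in a browser to see whether SSL works correctly. Then check whether SSL is configured correctly by entering the URL at the following site.
GlobalSign (now shows QUALYS SSL LABS; checked July 2016) - QUALYS SSL LABS (English)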

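If the summary rating is "A+" or "A" as shown above and no serious problems are listed below it, you are basically fine. With a serious problem the rating should be B or lower. Not everything has to score 100. Some settings fall outside your operational purpose and some items contradict each other, so a perfect score is probably difficult.
With a configuration whose summary is A, adding line 33 of the Virtual Host configuration above makes the summary A+. It does not seem to mean that much, though.
GeoTrust SSL Toolbox gives a somewhat simpler verdict on the major vulnerabilities.
It tests for the vulnerabilities that have been in the news, such as Poodle, FREAK and Heartbleed.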

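If it shows something like "This server is safe from the Poodle vulnerability.", you are OK.
May 2015 addendum
Handling the Logjam attack
Basically it is enough to create a Diffie-Hellman group of 2048 bits or more and make sure DHE_EXPORT is not used, but that method works only on Apache 2.4.8 and later and is not possible on the Apache 2.2 series.
Create the DH group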
% openssl dhparam -out dhparams.pem 2048
Specify the following in the configuration file
SSLOpenSSLConfCmd DHParameters "/usr/local/etc/apache24/ssl/dhparams.pem"
If you can migrate to the Apache 2.4 series there is no problem, but in many cases you cannot move off the Apache 2.2 series, so leaving things as they are is a problem.
On the Apache 2.2 series, remove DH from SSLCipherSuite as follows and add !EXPORT.
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:!EXPORT
Or, simplified (but use with care these days)
SSLCipherSuite HIGH:AES128:!aNULL:!DH:!DSS:!PSK:!SRP
Or, if you love cipher strength
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
(Note that old browsers cannot handle this)
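Added example (not part of the original article): a filter over openssl ciphers -v output that flags the suites the addenda above say to drop, namely RC4, 3DES, DH key exchange on Apache 2.2 and EXPORT. The function names and the sample lines are constructed for the example.

```shell
#!/bin/sh
# flag_weak_suites: reads `openssl ciphers -v` output on stdin and prints
# "<suite> <reasons>" for every entry that should not be offered.
flag_weak_suites() {
    awk '{
        why = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Enc=RC4/)  why = why " RC4"     # dropped in the April 2015 note
            if ($i ~ /^Enc=3DES/) why = why " 3DES"
            if ($i ~ /^Kx=DH/)    why = why " DH-kx"   # Logjam: removed for Apache 2.2
            if ($i == "Au=None")  why = why " aNULL"
            if ($i == "export")   why = why " EXPORT"
        }
        if (why != "") print $1 why
    }'
}

# Constructed sample lines in the column layout printed by OpenSSL 1.0.x.
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Expand a cipher string with the local OpenSSL and audit the result.
audit_suite() {
    openssl ciphers -v "$1" | flag_weak_suites
}

sample_ciphers | flag_weak_suites
# Live check of one of the page's strings; output depends on the OpenSSL build.
audit_suite 'HIGH:!3DES:!aNULL:!DH:!DSS:!PSK:!SRP' || true
```

An empty result from audit_suite means the local OpenSSL expands the string to nothing this filter flags.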
Test on the Guide to Deploying Diffie-Hellman for TLS page.
Under Server Test, enter the host name in the Test A Server text box and press the "Go" button.

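If the light-blue bar, like the one in the image above, says Good News!, you are OK.
OCSP Stapling
This is supported from Apache 2.3.3 onward, so it is not possible on the Apache 2.2 series. If you can, migrate to the Apache 2.4 series.
This article is for the 2.2 series, so it is omitted here.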