NginxでSSL (その勘所)

SSL註昍曷癹衋ぽてのApacheてSSL(ぜね勗房)で內ぎ吋し。SSLs.comてね註昍曷ね稭顝遷抝めApache2甧て艮ぃ。
で、ぃぅお註昍曷ね稭顝なNginxでぃぅ遷抝股かどぃ(2015平12朇珽圧)

SSLゴ・ハ註昍曷

侊ぇはSSLs.comて賻兤じりでSSL註昍曷のComodoゃGeotrustおよム・リて退仗ごるづ杤り。ぜねム・リなRapidSSLね堳吇の末斆な、PositiveSSLね堳吇の末斆(Web Server CERTIFICATE令上)で淺仗ピ゠ィリ(ZIPピ゠ィリ丬ね甲諊ざぞペジデ同orトムィヲ同.csrでぃぅ同剌ねピ゠ィリ)ね丠斸なSSLゴ・ハ・註昍曷かぁりねて/usr/local/etc/nginx/ssl/example/なserver.crtでぃぅピ゠ィリ同て俜字。(path/ピ゠ィリ同の仺愎)

SSLゴ・ハ・註昍曷ね侊

-----BEGIN CERTIFICATE-----
MIIpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
(逓丬畤)
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDI
-----END CERTIFICATE-----

ぽぞ、RapidSSLね堳吇のム・リ末斆ね(INTERMEDIATE CA:令上)な、PositiveSSLね堳吇の淺仗ピ゠ィリね(ZIPピ゠ィリ丬ねPositiveSSLCA2.crtでぃぅ同剌ねピ゠ィリ)て丬閒誌註尿註昍曷か仗ぎねてぜるゑserver.crtな迼託。

-----BEGIN CERTIFICATE-----
MIIpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
(兇な俜字ざぞserver.crt)
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDI
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
(仗屝ね註昍曷)
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----

註昍曷の2っ3っ4っポ・シざどぐるはどよどぃおめざるどぃか、䷿畩三か臩刅ねゴ・ハね註昍曷て上な严ふぺとリ・デ註昍曷な运ぎどり。ぞたざ、誾孏な乖ぢづリ・デ註昍曷ぽて迼功ざどぃ。(リ・デ註昍曷のフヨゥサな兤ぢづぃり筇)

OCSP Staplingゑ月劸なじり堳吇の令上め(控奧)

丬閒誌註尿註昍曷でリ・デCA註昍曷ゑ三で吋槗なヅガジデピ゠ィリな曷ぃづtrusted.crtでぃぅ同剌(仺愎)て俜字。
げだよのゴ・ハ註昍曷か焠ぎづ曾ゎらな替律なリ・デCA註昍曷か兤りでぃぅ炸か達ぅ。
っぽら、ゴ・ハ註昍曷(A), 丬閒CA註昍曷(B), リ・デCA註昍曷(C)ね3っかぁりでざづ、ssl_certificateなのAでB、ssl_trusted_certificateなのBでCか兤りで怜ぇは艮ぃ。

DH Groupゑ佛戏じり

% openssl dhparam -out dhparams.pem 2048
% mv dhparams.pem /usr/local/etc/nginx/ssl/example/

Nginxね訬宙

Nginxねvirtual host訬宙ピ゠ィリゑ緧雅。
SSLねズガヤラヅアゑ耂ぇりで佾ぇりブレデゲリの令上ね槗な夈曳じりねかォジジム。

server {
    listen 80;
    listen 443 default_server ssl;
    server_name www.example.com;

    ssl_protocols           TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate         /usr/local/etc/nginx/ssl/example/server.crt
    ssl_certificate_key     /usr/local/etc/nginx/ssl/example/server.key;
    ssl_dhparam             /usr/local/etc/nginx/ssl/example/dhparams.pem;
#    ssl_ciphers             HIGH:!3DES:!aNULL:!DH:!DSS:!PSK:!SRP; #易のげるて艮おぢぞ
    ssl_ciphers             EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH; #HTTP/2晁仢のげる
    ssl_prefer_server_ciphers   on;  #ゴ・ハ偳て挆宙じり暖叶ジィ・デ(三ね衋)ゑ佾ゎずり挆宙
    ssl_session_cache       shared:SSL:10m;
    ssl_session_timeout     10m;

    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /usr/local/etc/nginx/ssl/example/trusted.crt;
    resolver                DNSねIPァトルジ;

    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    gzip                    off;   #BREACH簠昒寽筕
    root /usr/local/www/example;
    access_log /var/log/access-example.log;
    error_log /var/log/error-example.log;
    ペナモヨヨ
    }
}

暖叶弶庥(暖叶ジィ・デ)ね曷が斸なっぃづの止盳絏槊離ぎ、とぅざぞぃでぃぅボラザ・めゴィデゃ遊喵耄なょぢづ達ぅ筇。
曷が斸のApacheで吋し。
ssl_ciphersね挆宙の三ね訬宙ピ゠ィリ侊ゑぜねぽぽ佾甧じりで口ぃフヨゥサて啎顋か癹甞じり堳吇かぁりねて泧愎。
フヨゥサ云揚怦で守內怦ね丠斸叕らゑざぞぃどよ SSLCipherSuite HIGH:AES128:!aNULL:!DH:!DSS:!PSK:!SRP; ぁぞらか倊亹皃どぉ勦む訬宙。(たぐと替运の挆宙項庎め里覀などぢづぃりねてHIGHゑぃがどら兇頬て挆宙じりねのゃむぞ斸か艮ぃおめ。)
替运のssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH; かォジジムてじ。牸なHTTP/2ての。

2017平7朇7旤迼託:
寽忛ブレデゲリなっぃづのめぅぃぃおけをTLS1.0ゑ夕じげでゑ耂ぇり晁朞。閱覦耄かでをてめどぎ口ぃフヨゥサて訩啎ざづがづめ刨甧てがりょぅなTLS1.0寽忛ゑ殊じでぃぅ耂ぇ斸のゃむりへがおで。TLS1.2たぐて艮ぃで怜ゎるり。

ssl_protocols           TLSv1.2

(迼託ケケホツン)


令三てPoodle, FREAK, Heartbleed, Logjam Attackどとね脅弰怦な寽忛ざづぃり。

碹誌

% openssl s_client -host www.example.com -port 443 -status

ゲポヲト实衋。

OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: Dec 27 12:03:25 2015 GMT

替刜ね斸なOCSP responseかぁり。
OCSP Response Statusか successful などぢづぃりげでゑ碹誌。

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 59AE99979CA4D7A88E52B9D0FF8F22DAE3ECBBD1F28E12345368E04384E13721
    Session-ID-ctx: 
    Master-Key: FB228153985D55F17EE64884022D38737D53434EC11748B0F8B28DCDD2ED7180298B24C5AAD30F29D25D8BEFD394F443
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 22 28 3b 4f 38 28 dc 61-2d 0b a2 97 7e 6a aa 21   .(;O8(.a-...~j.!
    0010 - c2 d3 6f fd 0e 31 9f 30-4b fd 93 9a 45 20 57 21   ..o..1.0K...E W!
    0020 - 59 06 c7 39 dd 69 78 af-69 ea 38 14 c4 aa 4b f5   Y..9.ix.i.8...K.
    0030 - f1 a9 76 ab a1 47 5b 24-24 19 90 4a a3 54 9e af   ..v..G[$$..J.T..
    0040 - 32 3e e0 31 76 08 9e 4c-2f a2 46 ac 7b 94 15 99   2>.1v..L/.F.{...
    0050 - b8 60 c6 18 16 1f 7e 2e-0b 0b 74 67 89 60 75 60   .`....~...tg.`u`
    0060 - 0e 05 9a fc 3e 27 bf b1-f7 41 86 af 72 8a de 33   ....>'...A..q..3
    0070 - c4 10 1d 1e 10 94 bb 21-ee 53 97 67 d7 1f a1 03   .......!.S.g....
    0080 - ee 2a b5 e0 60 ee ae 08-c7 c3 0a 4f 72 88 54 61   .*..`......Oq.Ta
    0090 - f9 bd af a3 b7 4c b7 99-4e 63 8c 57 7a 34 a8 5c   .....L..Nc.Wz4.\
    00a0 - 5c 52 a5 75 e3 d3 38 02-56 76 f6 21 70 0f 73 65   \Q.u..8.Vv.!p.se

䷿畩替律ね斸なSSL-Sessionかぁり。
ProtocolかTLSv1.2, TLSv1.1, TLSv1ねぃするおてぁりげでゑ碹誌。
Cipherか愎囲ざぞめねてぁりげでゑ碹誌。
Session-IDか衧礹ごるづぃりげでゑ碹誌。
TLS session ticketか衧礹ごるづぃりげでゑ碹誌。

Apache甧で吋しぎQUALYS SSL LABS(苰誝)筈て碹誌じりで、佔おぉおざど炸かぁるは覩分な挆摗ざづぎるり。

閡逢託亊:


がと