Security/Server Side TLS: Difference between revisions



This revision moves the cipher list out of the bind line into a global ssl-default-bind-ciphers directive, adds no-sslv3 to the bind line, and adds the OCSP stapling section below. The resulting HAProxy configuration:

<pre>
global
    # set default parameters to the Intermediate configuration
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

frontend ft_test
    mode    http
    bind    0.0.0.0:443 ssl no-sslv3 crt /path/to/<cert+privkey+intermediate+dhparam>
    # Enable this if you want HSTS (recommended)
    # rspadd  Strict-Transport-Security:\ max-age=15768000
</pre>
Because the ciphers are set once in the global section, individual bind lines no longer need a ciphers argument (a bind line can still override the default with its own ciphers option). The same holds for no-sslv3, which can be made the default for every bind line with ssl-default-bind-options no-sslv3. Note that rspadd is a legacy keyword; on HAProxy 2.x use http-response set-header Strict-Transport-Security max-age=15768000 instead.
== OCSP Stapling support ==
HAProxy can serve stapled OCSP responses, but it does not fetch or update them from the CA by itself (recent releases added an ocsp-update option for this; the manual procedure below works on any version). The OCSP response must be downloaded by a separate process and placed next to the certificate, with a '.ocsp' extension:
<pre>
/etc/haproxy/certs/
├── ca.pem
├── server_cert.pem
├── server_bundle.pem
└── server_bundle.pem.ocsp
</pre>
HAProxy reads 'server_bundle.pem.ocsp' when it loads the certificate, so the file must be refreshed at regular intervals and the running HAProxy told about the new response, either by a reload or by pushing it through the stats socket with 'set ssl ocsp-response'. A cronjob can be used to fetch it:
<pre>
$ openssl ocsp -issuer /etc/haproxy/certs/ca.pem -cert /etc/haproxy/certs/server_cert.pem -url http://ocsp.startssl.com/sub/class1/server/ca -no_nonce -header Host ocsp.startssl.com -respout /etc/haproxy/certs/server_bundle.pem.ocsp
</pre>
Two details matter here. '-no_nonce' matches what browsers send and lets the responder return a cached, pre-signed response. Do not add '-noverify' to silence verification errors: it skips the check of the responder's signature, so a forged or unverifiable response would be written to the staple file and served to every client. Without it OpenSSL verifies the response against its default trust store; if the CA's root is not there, point '-CAfile' at a root bundle. Check the command's output before relying on the file: it must print 'Response verify OK' and report the certificate's status as 'good'. With OpenSSL 1.1.0 and later the header syntax is '-header Host=ocsp.startssl.com'.

The URL above is taken from the server certificate:
<pre>
$ openssl x509 -in server_cert.pem -text | grep OCSP
OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
</pre>
('openssl x509 -in server_cert.pem -noout -ocsp_uri' prints just the URL, which is handier in a script.)
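The cronjob above is a single command with no error handling, so a responder outage or a revoked certificate would silently replace a good staple with a bad one. The following script is an added example, not code from the Mozilla wiki page or from the HAProxy project: it fetches the response for the directory layout shown above, installs it only if OpenSSL reports 'Response verify OK' and a status of 'good', renames it into place atomically, and then hot-loads it into the running HAProxy through the stats socket. The paths for the certificate directory, the root bundle (CA_ROOTS) and the stats socket (HAPROXY_SOCKET) are assumptions, as is the presence of socat; the '-header Host=...' form assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the Mozilla wiki page or the HAProxy project): refresh
# an HAProxy OCSP staple from cron, install it only if it verifies and says
# "good", then hot-load it through the stats socket without a reload.
# Assumed: the CERT_DIR layout from the page, a root bundle at CA_ROOTS,
# the HAProxy stats socket at HAPROXY_SOCKET, and socat installed.
set -eu

CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"
CERT="$CERT_DIR/server_cert.pem"
ISSUER="$CERT_DIR/ca.pem"
STAPLE="$CERT_DIR/server_bundle.pem.ocsp"
CA_ROOTS="${CA_ROOTS:-/etc/ssl/certs/ca-certificates.crt}"   # assumed root bundle
HAPROXY_SOCKET="${HAPROXY_SOCKET:-/var/run/haproxy.sock}"    # assumed stats socket

# Constructed sample of what `openssl ocsp` prints (stdout and stderr together)
# when the responder signature verifies and the certificate is not revoked.
SAMPLE_GOOD_REPORT='Response verify OK
/etc/haproxy/certs/server_cert.pem: good
	This Update: Feb  3 00:00:00 2015 GMT
	Next Update: Feb 10 00:00:00 2015 GMT'

# Accept a report only if the signature verified AND the status is "good".
# A revoked, unknown or unverified response must never be installed: HAProxy
# would happily serve it and every client would then reject the site.
ocsp_report_ok() {
    printf '%s\n' "$1" | grep -q '^Response verify OK' || return 1
    printf '%s\n' "$1" | grep -q ': good$' || return 1
}

# The stats-socket command takes the DER response as a single base64 line.
socket_update_cmd() {
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$1" | tr -d '\n')"
}

# Fetch, verify, install atomically, then push to the running HAProxy.
refresh_staple() {
    uri=$(openssl x509 -in "$CERT" -noout -ocsp_uri)   # responder URL from the cert's AIA
    host=${uri#*://}; host=${host%%/*}                  # Host header for the responder
    tmp=$(mktemp "$STAPLE.XXXXXX")
    # No -noverify: the responder signature is checked against CA_ROOTS.
    # OpenSSL 1.1.0+ syntax for -header; 1.0.x wants "-header Host $host".
    if report=$(openssl ocsp -issuer "$ISSUER" -cert "$CERT" -url "$uri" \
                  -no_nonce -header "Host=$host" -CAfile "$CA_ROOTS" \
                  -respout "$tmp" 2>&1) && ocsp_report_ok "$report"; then
        mv "$tmp" "$STAPLE"      # rename is atomic; HAProxy never reads a partial file
        socket_update_cmd "$STAPLE" | socat stdio "unix-connect:$HAPROXY_SOCKET"
    else
        rm -f "$tmp"              # keep the previous (still valid) staple in place
        printf 'OCSP refresh failed, keeping old staple:\n%s\n' "$report" >&2
        return 1
    fi
}

# Run as: ./update-ocsp.sh run   (for example from cron every few hours)
case "${1:-}" in run) refresh_staple ;; esac
```

Keeping the previous staple on failure is deliberate: a response is usable until its 'Next Update' time, so a transient responder outage should not remove stapling, while a 'revoked' answer is something you want to see in the cron mail rather than have quietly served to clients.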

