securing communications with your apache http server
play

Securing Communications with your Apache HTTP Server Lars - PowerPoint PPT Presentation

Oct 27, 2022 •315 likes •786 views

Securing Communications with your Apache HTTP Server Lars Eilebrecht Lars@apache.org Securing Communications with your Apache HTTP Server About Me About Me Lars Eilebrecht Independent IT Consultant based in London, UK

  1. Securing Communications with your Apache HTTP Server Lars Eilebrecht Lars@apache.org

  2. Securing Communications with your Apache HTTP Server About Me About Me ● Lars Eilebrecht ● Independent IT Consultant – based in London, UK ● Contributor to the Apache HTTP Server project since 1996 ● Co-founder and member of The Apache Software Foundation ● Member of the ASF Security T eam ● www.eilebrecht.net

  3. Securing Communications with your Apache HTTP Server Agenda Agenda ● Overview ● X.509, Keys and Certifjcates ● SSL/TLS protocol ● Apache HTTP Server confjguration ● Basic confjguration details ● Virtual Hosting and ACME Protocol Module ● Cipher and Protocol confjguration ● Session Caching and TLS Session Tickets ● Advanced Features

  4. Securing Communications with your Apache HTTP Server Why HTTPS and TLS? Why HTTPS and TLS? ● Confjdentiality and Data Privacy ● protects data from eavesdropping ● only the intended recipient can read the data ● Authentication ● allows for identifjcation of server and optionally, the client ● Data Integrity ● ensures that nobody can tamper with the data that is being transmitted

  5. Securing Communications with your Apache HTTP Server Keys and Certifjcates Keys and Certifjcates ● X.509: ITU-T standard (1988) for PKIs ● PKI: Public-Key Infrastructure ● CA: Certifjcation Authority ● CSR: Certifjcate Signing Request ● CRL: Certifjcate Revocation List

  6. Securing Communications with your Apache HTTP Server Common X.509 File Types and Extensions Common X.509 File Types and Extensions ● PEM : base64-encoded DER certifjcate(s) or private key(s) ● DER : binary format based on Distinguished Encoding Rules (encoded ASN.1 values) ● p12 : PKCS#12 format, certifjcate(s) and/or private key(s) ● key : commonly used for a PEM-encoded private key ● crt/cer : commonly used for a PEM-encoded certifjcate ● csr : commonly used for a PEM-encoded certifjcate signing request

  7. Securing Communications with your Apache HTTP Server PEM-encoded Certifjcate Example PEM-encoded Certifjcate Example -----BEGIN CERTIFICATE----- MIIC2zCCAkSgAwIBAgIJANWZuQf40KViMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNV BAYTAlhYMQwwCgYDVQQIEwNYWFgxDDAKBgNVBAcTA1hYWDEMMAoGA1UEChMDWFhY MQwwCgYDVQQLEwM2NjYxDDAKBgNVBAMTAzY2NjAeFw0wODEwMDEyMzU1MDlaFw0w [...] BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAFlaHQEXQdMVfvTay5x6fECa QiefllN/69931EFmNX0mlpV8pFZ448PtoGlXiNd+rnfe2ttjPfmh4CXDN9q7NPUO qntygrcWsGJxmVlu5s2q6KumrysEdqr+Da70zyed3Tfj/QYJfG1HAzfLCVZRKFQE EuxxMbZd6XBXcXenuZzn -----END CERTIFICATE-----

  8. Securing Communications with your Apache HTTP Server Certifjcate Structure Certifjcate Structure ● Certifjcate ● Version ● Serial Number ● Signature Algorithm ● Issuer ● Validity Period ● Subject ● Subject Public Key Info ● Issuer Unique Identifjer ( optional ) ● Subject Unique Identifjer ( optional ) ● Extensions ( optional ) ● Certifjcate Signature Algorithm ● Certifjcate Signature

  9. Securing Communications with your Apache HTTP Server Certifjcate Subject DN Certifjcate Subject DN ● DN : Distinguished Name ● a sequence of identifjers in X.500 notation ● Common DN Keys: ● CN : Common Name (e.g., fjrst/last name or hostname) ● C : Country (2-letter code) ● S : State or province ● L : Locality (e.g, City) ● O : Organization ● OU : Organizational Unit ● Example DN: C=DE, L=Berlin, O=Example Inc., CN=www.example.com

  10. Securing Communications with your Apache HTTP Server Common Name for Server Certifjcates Common Name for Server Certifjcates ● Fully-qualifjed domain name (FQDN) ● e.g., www.example.com ● does not match example.com ● Wildcard domain ● e.g., *.example.com ● matches example.com and hosts such as foo.example.com ● does not match www.foo.example.com or example.com.foo

  11. Securing Communications with your Apache HTTP Server Certifjcate Types Certifjcate Types ● Single-domain certifjcates ● Wildcard certifjcates ● Multi-domain (SAN) certifjcates ● uses SubjectAlternativeName X.509 extension ● Extended validation (EV) certifjcates ● available since 2007 and supported by Firefox 3+, IE 7+, Edge 12+, Opera 9.5+, Safari 3.2+ and Chrome 1+

  12. Securing Communications with your Apache HTTP Server Extended Validation Certifjcates Extended Validation Certifjcates

  13. Securing Communications with your Apache HTTP Server Obtaining a Certifjcate Obtaining a Certifjcate ● create your own ● self-signed certifjcate ● signed by your own CA ● get a free certifjcate ● free certifjcates from “Let's Encrypt” CA ● trial or free certifjcates from commercial CAs ● buy a certifjcate from a CA ● domain-only, organization or extended validation (6€ up to 1000€ per year)

  14. Securing Communications with your Apache HTTP Server Let's Encrypt CA Let's Encrypt CA ● https://letsencrypt.org ● Certifjcates are free of charge ● Fully automated validation ● Standard domain-validation certifjcates ● Multi-domain/SAN certifjcates ● Certifjcates are valid for 90 days ● Not valid as client certifjcate ● Supported by all modern Web clients ● Service provided by Internet Security Research Group (ISRG) since April 2016 (non-profjt organisation)

  15. Securing Communications with your Apache HTTP Server Browser SSL Warnings Browser SSL Warnings If the browser doesn't know the issuing CA or if the server hostname does not match the certifjcate it displays a warning to the user.

  16. Securing Communications with your Apache HTTP Server Certifjcate Chain Certifjcate Chain ➔ Root Certifjcate ➔ Intermediate Certifjcate 1 ➔ Intermediate Certifjcate n ➔ End-Entity (Leaf) Certifjcate (Server/Client Certifjcate)

  17. Securing Communications with your Apache HTTP Server SSL vs. TLS SSL vs. TLS ● SSL: Secure Sockets Layer ● origi nally developed by Netscape (1994) ● SSL 2.0 and 3.0 deprecated and insecure ● TLS: Transport Layer Security ● IETF standard (1999) ● TLS 1.0, 1.1, 1.2, and 1.3 ● TLS 1.0, 1.1 should no longer be used ● When people talk about SSL these days they actually mean TLS. ● An “SSL certifjcate” is an X.509 certifjcate for use with TLS.

  18. Securing Communications with your Apache HTTP Server Apache SSL/TLS Module - mod_ssl Apache SSL/TLS Module - mod_ssl ● Included as default module since Apache HTTP Server version 2.0 ● Uses OpenSSL library ● Supports TLS 1.0, 1.1, 1.2 protocols ● TLS 1.3 supported in Apache 2.5-dev (with OpenSSL 1.1+) ● SSL 3.0 is still supported, but SSL 2.0 support was removed in Apache HTTP Server version 2.4 ● (Apache HTTP Server 2.0 and 2.2 are end of life!)

  19. Securing Communications with your Apache HTTP Server Module Confjguration Module Confjguration ● Required modules: ● LoadModule ssl_module modules/mod_ssl.so ● LoadModule socache_shmcb_module \ modules/mod_socache_shmcb.so ● SSL configuration file: ● Include conf/extra/httpd-ssl.conf

  20. Securing Communications with your Apache HTTP Server Basic Confjguration Basic Confjguration ● Certifjcate and private key (PEM format): ● SSLCertificateFile \ /usr/local/apache2/conf/ssl/server.crt ● SSLCertificateKeyFile \ /usr/local/apache2/conf/ssl/server.key ● Ensure the key file is only readable by root ● Enable SSL (per virtual host): ● SSLEngine On ● Listen 443

  21. Securing Communications with your Apache HTTP Server Intermediate CA Certifjcates Intermediate CA Certifjcates ● Add server and all intermediate certifjcates to a single fjle and use SSLCertificateFile ● Sort multiple certifjcates from leaf to root certifjcate! ● Multiple server certifjcates can be added to support (difgerent authentication algorithms (ECC, RSA, DSA, etc.) ● SSLCertificateChainFile became obsolete with version 2.4.8

  22. Securing Communications with your Apache HTTP Server TLS Virtual Hosting TLS Virtual Hosting ● TLS can be enabled for any virtual host ● Name-based virtual hosts with SSL/TLS only possible with SNI support available in Apache 2.4 ● SNI: TLS Server Name Indication ● Clients must support SNI as well ● Clients without SNI support get either the fjrst virtual host or a “403 Forbidden” response if SSLStrictSNIVHostCheck is enabled

  23. Securing Communications with your Apache HTTP Server ACME Protocol (Let's Encrypt) Module ACME Protocol (Let's Encrypt) Module ● mod_md (Managing Domains) ● Available since 2.4.30, but still experimental! ● Enable certifjcate management for a virtual host: ● MDomain example.com www.example.com ● MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf ● ServerAdmin webmaster@example.com

  24. Securing Communications with your Apache HTTP Server Ciphers and Protocols (default) Ciphers and Protocols (default) ● Defjne ciphers and protocol: ● SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES ● SSLHonorCipherOrder On ● SSLProtocol All -SSLv3 ● Cipher string format ( SSLCipherSuite ): ● prefjx with “ ! ” to permanently remove ciphers ● prefjx with “ - ” to remove ciphers ● prefjx with “ + ” to add ciphers (unless they have been removed with “ ! ”)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using FastCGI with Apache HTTP Server FastCGI with Apache httpd Comparisons between the

Using FastCGI with Apache HTTP Server FastCGI with Apache httpd Comparisons between the

Using FastCGI with Apache HTTP Server Jeff Trawick The world of FastCGI Using FastCGI with Apache HTTP Server FastCGI with Apache httpd Comparisons between the contenders Jeff Trawick Configuration Future November 3, 2010 Table of

1.34k views • 110 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides
Apache Traffic Server & Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale

Apache Traffic Server & Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale

Apache Traffic Server & Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale Details Security Future 11/16/2014 2 Apache Traffic Server Fast, scalable and extensible HTTP/1.1 compliant caching proxy server

1.52k views • 45 slides
Sun GlassFish Web Stack Deep Dive Apache HTTP Server Performance Jeff Trawick Sun GlassFish Web

Sun GlassFish Web Stack Deep Dive Apache HTTP Server Performance Jeff Trawick Sun GlassFish Web

Sun GlassFish Web Stack Deep Dive Apache HTTP Server Performance Jeff Trawick Sun GlassFish Web Stack, Sun Microsystems What role can Apache play in the performance of the overall system Alternatives (Lighttpd, Sun Web Server) Tuning for

924 views • 64 slides
Debugging Tricks with Apache HTTP Server Introduction 2.4 What kinds of issues encountered

Debugging Tricks with Apache HTTP Server Introduction 2.4 What kinds of issues encountered

Debugging Tricks with Apache HTTP Server 2.4 Jeff Trawick Debugging Tricks with Apache HTTP Server Introduction 2.4 What kinds of issues encountered Using tools to look inside the Jeff Trawick web server Looking from

906 views • 58 slides
Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light weight web server is Apache Tomcat server. You can get the server from http://tomcat.apache.org/ 2. Follow the installation directions and install the

81 views • 5 slides
Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light weight web server is Apache Tomcat server. You can get the server from http://tomcat.apache.org/ 2. Follow the installation directions and install the

199 views • 5 slides
Testing your REST Server with Apache JMeter By Henry Chan June, 2015 hchan@apache.org Download:

Testing your REST Server with Apache JMeter By Henry Chan June, 2015 hchan@apache.org Download:

Testing your REST Server with Apache JMeter By Henry Chan June, 2015 hchan@apache.org Download: https://github.com/hchan/jmeterDemo What is JMeter good for? http://jmeter.apache.org/ What can I do with it? Apache JMeter may be used

569 views • 20 slides
Interfacing Apache HTTP Server 2.4 with External Applications Jeff Trawick November 6, 2012 Who

Interfacing Apache HTTP Server 2.4 with External Applications Jeff Trawick November 6, 2012 Who

Interfacing Apache HTTP Server 2.4 with External Applications Jeff Trawick Interfacing Apache HTTP Server 2.4 with External Applications Jeff Trawick November 6, 2012 Who am I? Interfacing Apache HTTP Server 2.4 with External Met Unix

985 views • 61 slides
Apache FTP Server integration Yoann Canal - twitter.com/y_canal Sophiacom Agenda Apache FTP

Apache FTP Server integration Yoann Canal - twitter.com/y_canal Sophiacom Agenda Apache FTP

MONTREAL JUNE 30, JULY 1ST AND 2ND 2012 Apache FTP Server integration Yoann Canal - twitter.com/y_canal Sophiacom Agenda Apache FTP Server overview First step: integration in your project Authentication through WebObjects

300 views • 18 slides
Securing the Social Web by Moving Beyond Client-Server Security Tyler Close Google, engineer

Securing the Social Web by Moving Beyond Client-Server Security Tyler Close Google, engineer

QCon SF 2010 file:///home/recht/projekt/qcon/wed/Securing the w... Securing the Social Web by Moving Beyond Client-Server Security Tyler Close Google, engineer Client-Server Model Isolated clients connect to a single server. One

448 views • 6 slides
External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat 17 th November 2014 Basic Authentication The only authentication option in 1996 when

393 views • 21 slides
Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member

Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member

Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member and long time Apache user Interested in usability and lowering the learning curve for Apache Comanche GUI configuration tool Teach Yourself

258 views • 25 slides
Server-side OSGi with Apache Sling Felix Meschberger Day Management AG 124 About Felix

Server-side OSGi with Apache Sling Felix Meschberger Day Management AG 124 About Felix

Server-side OSGi with Apache Sling Felix Meschberger Day Management AG 124 About Felix Meschberger > Senior Developer, Day Management AG > fmeschbe@day.com > http://blog.meschberger.ch > VP Apache Sling > Apache

584 views • 32 slides
Securing Enterprise Extender Sam Reynolds Tony Amies Ray Romney IBM z/OS Communications

Securing Enterprise Extender Sam Reynolds Tony Amies Ray Romney IBM z/OS Communications

Securing Enterprise Extender Sam Reynolds Tony Amies Ray Romney IBM z/OS Communications William Data Systems Cisco Systems Server Design Product Architect romney@cisco.com samr@us.ibm.com tony.amies@willdata.com Session 3608 SHARE 2004

854 views • 31 slides
Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos

Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos

Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos D. Keromytis Department of Computer Science Columbia University, USA Clients securing their traffic to a server TLS unavailable at the server

682 views • 18 slides
TRIGGERFLOW Regression Testing by Advanced Execution Path Inspection 20 June 2019 Iaroslav

TRIGGERFLOW Regression Testing by Advanced Execution Path Inspection 20 June 2019 Iaroslav

default TRIGGERFLOW Regression Testing by Advanced Execution Path Inspection 20 June 2019 Iaroslav Gridin Cesar Pereida Garca Nicola Tuveri Billy Bob Brumley Tampere University, Tampere, Finland 1 / 15 default Outline Analysis

528 views • 15 slides
Kubelet to Istio: Kubernetes Network Security Demystified FOSDEM SPEED RUN @sublimino and

Kubelet to Istio: Kubernetes Network Security Demystified FOSDEM SPEED RUN @sublimino and

Kubelet to Istio: Kubernetes Network Security Demystified FOSDEM SPEED RUN @sublimino and @controlplaneio @sublimino Im: - Andy - Dev-like - Sec-ish - Ops-y @sublimino What is Network Security @sublimino Why do we need Network

1.54k views • 108 slides
TomcatCon Apache Tomcat and TLS Mark Thomas TM Introduction TM Why This Presentation? L o

TomcatCon Apache Tomcat and TLS Mark Thomas TM Introduction TM Why This Presentation? L o

T M TomcatCon Apache Tomcat and TLS Mark Thomas TM Introduction TM Why This Presentation? L o t s o f q u e s t i o n s a b o u t T L S o n t h e T o m c a t m a i l i n g l i s t s It is clear from the questions many folks dont

1.08k views • 41 slides
P4EC: Enabling Terabit Edge Computing in Enterprise 4G LTE Max Hollingsworth Jinsung Lee

P4EC: Enabling Terabit Edge Computing in Enterprise 4G LTE Max Hollingsworth Jinsung Lee

P4EC: Enabling Terabit Edge Computing in Enterprise 4G LTE Max Hollingsworth Jinsung Lee Zhang Liu Jihoon Lee Sangtae Ha Dirk Grunwald 1 From Few MNOs to Many 2012 FCC. Amendment of the Commissions Rules with Regard to

369 views • 15 slides
Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since

Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since

Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL for over 5 years - Started with SQL Server Working with databases for 7 years 2 Agenda OS/Cloud security

1.16k views • 78 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
CSE 344 Introduc/on to Data Management Sec/on 9: AWS, Hadoop, Pig La/n Yuyin Sun Homework 8

CSE 344 Introduc/on to Data Management Sec/on 9: AWS, Hadoop, Pig La/n Yuyin Sun Homework 8

CSE 344 Introduc/on to Data Management Sec/on 9: AWS, Hadoop, Pig La/n Yuyin Sun Homework 8 (Last hw J ) 0.5 TB (yes, TeraBytes!) of data 251 files of ~ 2GB each btc-2010-chunk-000 to btc-2010-chunk-317 You will write pig queries

351 views • 31 slides
Investigation of the environment influence for the underground and cryogenic gravitational wave

Investigation of the environment influence for the underground and cryogenic gravitational wave

Investigation of the environment influence for the underground and cryogenic gravitational wave detector, KAGRA 16th International Conference on TAUP 2019 2019/09/10, Toyama International Conference Center, Toyama, Japan Takaaki Yokozawa(ICRR)

475 views • 15 slides

More recommend