Skip to content

Instantly share code, notes, and snippets.

@brainsik

brainsik/tls-notes.md

Created March 31, 2015 18:13
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save brainsik/1d1986b8d28cbbaa35bc to your computer and use it in GitHub Desktop.
Save brainsik/1d1986b8d28cbbaa35bc to your computer and use it in GitHub Desktop.
Download ZIP
TLS notes
Raw
tls-notes.md

Server config

Mozilla Operations Security (OpSec) team:

Strong SSL Security on nginx

Generate new Ephemeral Diffie-Hellman (DHE) parameter

openssl dhparam 4096 -out dhparam.pem

These get generated for Postfix and Nginx. Weaker keys get rotated regularly (via cron).

From Strong SSL Security on nginx:

All versions of nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL's defaults, which include a 1024-bit key for the key-exchange. Since we're using a 2048-bit certificate, DHE clients will use a weaker key-exchange than non-ephemeral DH clients.

Generate a new CSR

openssl req -nodes -newkey rsa:2048 -keyout site_dom.key -out site_dom.csr

Copy certs and keys

When adding multiple certs to a single file, the order is: local, intermediate, etc.

Example:

cat site_dom.crt intermediate.crt > /etc/ssl/certs/site_dom.pem

Test public/private key pair match

openssl x509 -noout -modulus -in public.crt | openssl sha256
openssl rsa -noout -modulus -in private.key | openssl sha256

Test a TLS connection

openssl s_client -connect example.org:993 </dev/null

Test an SNI TLS connection

openssl s_client -connect example.org:443 -servername sub.example.net </dev/null
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment