Step3b-Lock.html
173 lines (173 loc) · 16.1 KB
<!doctype html>
<html lang="en" prefix="og: http://ogp.me/ns#">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="description" content="Securing Apache - Debian/Ubuntu Step 3b - Online Certificate Status Protocol (OCSP) Stapling" />
<meta name="keywords" content="Apache, Security, SSL, TLS, Certificate, Debian, Ubuntu, Elliptical Curves, RSA, Encryption, Online Certificate Status Protocol, OCSP, Certificate Stapling, CRIME Attack, Diffie-Helman, DH" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<meta name="author" content="Kevin Dziekonski" />
<meta name="generator" content="The Dead's Script O' Rama" />
<meta name="application-name" content="Zombie Security" />
<meta http-equiv="Content-Type" content="text/html" />
<meta name="robots" content="index, follow" />
<meta name="googlebot" content="index, follow" />
<meta name="copyright" content="Zombie materials are subject to copyrights" />
<meta property="og:title" content="Free Best Practice Security Guides" />
<meta property="og:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:secure_url" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:type" content="image/jpg" />
<meta property="og:image:alt" content="Zombie Security – Free Best Practice Security Guides" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://zombiesecured.com" />
<meta property="og:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="og:site_name" content="Zombie Secured" />
<meta property="twitter:card" content="summary" />
<meta property="twitter:site" content="https://zombiesecured.com " />
<meta property="twitter:site.id" content="@zombiesecured" />
<meta property="twitter:creator" content="@kevindziekonski" />
<meta property="twitter:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="twitter:title" content="Zombiesecured Free Educational Best Practices Security Guides" />
<meta property="twitter:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="twitter:image.alt" content="Free security education and best practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="msapplication-TileColor" content="#D83434" />
<meta name="msapplication-TileImage" content="https://zombiesecured.com/images/favicon.jpg" />
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-touch-fullscreen" content="yes">
<link rel="apple-touch-icon" href="https://zombiesecured.com/images/favicon.png" />
<link rel="canonical" href="https://zombiesecured.com/" />
<title>Step3b - OCSP Stapling (Debian/Ubuntu)</title>
</head>
<body>
<div class="container-fluid">
<!-- Add the common header to display the main menu. -->
<div id="header"></div>
<div class="row">
<!-- This section is the side menu section -->
<div class="col-md-2">
<div id="apacheDebianSideMenu"></div>
</div>
<!-- This section is the content section -->
<div class="col-md-10">
<div class="card border-dark mb-3 mt-3">
<div class="card-header d-flex align-items-center justify-content-center">
<!-- This is the content header start. Add text here for the content banner text. -->
<h4>Securing Apache - Debian/Ubuntu</h4>
</div>
<div class="card-body">
<!-- This section is the content section. Add the bulk HTML here -->
<h3>Step 3b - Online Certificate Status Protocol (OCSP) Stapling - <span class="red"> Mandatory Step!!!</span></h3>
<p class="card-text"> While it may appear that allowing the site operator to control verification responses would let a fraudulent site issue a false verification for a revoked certificate, the stapled responses cannot be forged: they must be signed directly by the certificate authority, not by the server. If the client does not receive a stapled response, it simply contacts the OCSP server itself. If the client receives an invalid stapled response, however, it aborts the connection. The only increased risk of OCSP stapling is that notification of a certificate's revocation may be delayed until the last-signed OCSP response expires.</p>
<p class="card-text">As a result, clients continue to have verifiable assurance from the certificate authority that the certificate is presently valid (or was quite recently), but no longer need to individually contact the OCSP server. This means that the brunt of the resource burden is now placed back on the certificate holder. It also means that the client software no longer needs to disclose users' browsing habits to any third party.</p>
<p class="card-text">Overall performance is also improved: When the client fetches the OCSP response directly from the CA, it usually involves the lookup of the domain name of the CA's OCSP server in the DNS as well as establishing a connection to the OCSP server. When OCSP stapling is used, the certificate status information is delivered to the client through an already established channel, reducing overhead and improving performance - <a href="https://en.wikipedia.org/wiki/OCSP_stapling" title="OCSP Stapling" target="_blank">Wikipedia</a></p>
<h4>Global use of the OCSP for all sites using Apache <span class="green">(Preferred Method)</span></h4>
<pre>nano /etc/apache2/mods-enabled/ssl.conf</pre>
<h5>Add the following <span class="blue">blue lines</span> below into the ssl.conf under the Pseudo Random Number Generator (PRNG) section.</h5>
<p class="card-text">This enables global use of the DH parameters and lets us specify which elliptic curves are offered, in order of preference.</p>
<p class="card-text"> SSLRandomSeed startup builtin <br>
SSLRandomSeed startup file:/dev/urandom 512 <br>
SSLRandomSeed connect builtin <br>
SSLRandomSeed connect file:/dev/urandom 512<br>
<span class="blue">SSLOpenSSLConfCmd Options -SessionTicket <span class="orange"> &lt;--- Disable session tickets so clients cannot resume sessions insecurely</span><br>
SSLCompression off <span class="orange"> &lt;--- Disable TLS compression to prevent the <a href="https://en.wikipedia.org/wiki/CRIME" title="CRIME attack" target="_blank"> CRIME</a> attack </span><br>
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem" <span class="orange"> &lt;--- Let all sites use the DH parameters globally instead of putting them in every website configuration file</span><br>
SSLOpenSSLConfCmd ECDHParameters secp384r1 <span class="orange"> &lt;--- The preferred curve offered to clients connecting to our site</span><br>
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1:prime192v1<span class="orange"> &lt;--- The curves we allow on our site, in order of preference</span></span></p>
<pre>SSLOpenSSLConfCmd Options -SessionTicket
SSLCompression off
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1:prime192v1</pre>
<h5>Change or uncomment the following <span class="blue">blue lines</span> under the Inter-Process Session Cache section in the ssl.conf</h5>
<pre class="blue">SSLSessionCache shmcb:/run/apache2/sslcache(512000)
SSLSessionCacheTimeout 60
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"</pre>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Add/Change the following <span class="blue">blue lines</span> in the Website config file</h4>
<pre>nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf</pre>
<p class="card-text"> &lt;IfModule mod_ssl.c&gt;<br>
&lt;VirtualHost *:443&gt;<br>
ServerAdmin [email protected]<br>
ServerName EXAMPLE.com<br>
ServerAlias www.EXAMPLE.com<br>
DocumentRoot /var/www/html/EXAMPLE<br>
DirectoryIndex index.html<br>
LogLevel info ssl:warn<br>
ErrorLog /var/log/apache2/error.log<br>
CustomLog /var/log/apache2/access.log combined<br>
SSLEngine on<br>
SSLCertificateFile /etc/apache2/ssl/www_EXAMPLE_com.crt<br>
SSLCertificateKeyFile /etc/apache2/ssl/rsa_EXAMPLE.key <strong> or </strong> ec_EXAMPLE.key<br>
SSLCertificateChainFile /etc/apache2/ssl/EXAMPLE_CA.crt<br>
<span class="blue">SSLUseStapling on</span><br>
<span class="blue">SSLStaplingResponderTimeout 5</span><br>
<span class="blue">SSLStaplingReturnResponderErrors off</span><br>
SSLCACertificatePath /etc/ssl/certs/<br>
#SSLCACertificateFile /etc/apache2/ssl/<br>
...............<br>
&lt;/VirtualHost&gt;<br>
&lt;/IfModule&gt;</p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Restart Apache</h4>
<pre>systemctl restart apache2</pre>
<h4>Local use in the Apache Website config file <span class="orange">(Alternative Method)</span></h4>
<pre>nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf</pre>
<p class="card-text">&lt;IfModule mod_ssl.c&gt;<br>
<br>
<span class="blue">SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)</span><br>
<span class="blue">SSLSessionCacheTimeout 60</span><br>
<span class="blue">SSLStaplingCache "shmcb:logs/stapling-cache(512000)"</span><br>
<br>
&lt;VirtualHost *:443&gt;<br>
ServerAdmin [email protected]<br>
ServerName EXAMPLE.com<br>
ServerAlias www.EXAMPLE.com<br>
DocumentRoot /var/www/html/EXAMPLE<br>
DirectoryIndex index.html<br>
LogLevel info ssl:warn<br>
ErrorLog ${APACHE_LOG_DIR}/error.log<br>
CustomLog ${APACHE_LOG_DIR}/access.log combined<br>
SSLEngine on<br>
SSLCertificateFile /etc/apache2/ssl/www_EXAMPLE_com.crt<br>
SSLCertificateKeyFile /etc/apache2/ssl/rsa_EXAMPLE.key <b> or </b> ec_EXAMPLE.key<br>
SSLCertificateChainFile /etc/apache2/ssl/EXAMPLE_CA.crt<br>
<span class="blue">SSLUseStapling on</span><br>
<span class="blue">SSLStaplingResponderTimeout 5</span><br>
<span class="blue">SSLStaplingReturnResponderErrors off</span><br>
<span class="blue">SSLOpenSSLConfCmd Options -SessionTicket</span><br>
<span class="blue">SSLCompression off </span><br>
<span class="blue">SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"</span><br>
<span class="blue">SSLOpenSSLConfCmd ECDHParameters secp384r1 </span><br>
<span class="blue">SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1:prime192v1</span><br>
...............<br>
&lt;/VirtualHost&gt;<br>
&lt;/IfModule&gt;</p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Restart Apache</h4>
<pre>systemctl restart apache2</pre>
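<p class="card-text">After restarting Apache with either method, confirm that a stapled response is really being sent. The script below is an added example, not part of this guide: it classifies the output of <code>openssl s_client -status</code> and, on success, prints the certificate status and the Next Update time, which is when the cached response expires and a revocation would at the latest become visible (the point made in the first paragraph above). The hostname passed to <code>check_host</code> is assumed to be whatever you set as ServerName; the sample outputs are constructed.</p>

```shell
#!/bin/sh
# Added check (not from the guide): classify `openssl s_client -status` output
# to confirm that Apache actually staples an OCSP response.
# Exit codes: 0 = stapled and successful, 1 = no stapled response at all,
#             2 = stapled, but the responder reported an error status.
# On success prints "<Cert Status>|<Next Update>" so the operator sees the
# revocation status and when the cached response expires.
ocsp_staple_status() {
    out=$(cat)                                   # s_client output on stdin
    case "$out" in
        *"OCSP response: no response sent"*) return 1 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/^ *OCSP Response Status: *\(.*\)$/\1/p' | head -n 1)
    [ -n "$status" ] || return 1                 # no OCSP block in the output
    [ "$status" = "successful (0x0)" ] || return 2
    cert=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *\(.*\)$/\1/p' | head -n 1)
    next=$(printf '%s\n' "$out" | sed -n 's/^ *Next Update: *\(.*\)$/\1/p' | head -n 1)
    printf '%s|%s\n' "$cert" "$next"
    return 0
}

# Live check against the server (needs network). $1 is the ServerName you configured.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
        | ocsp_staple_status
}

# Constructed sample outputs, trimmed to the lines the parser needs.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Feb  3 00:00:00 2024 GMT
    Next Update: Feb 10 00:00:00 2024 GMT
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

printf '%s\n' "$SAMPLE_STAPLED" | ocsp_staple_status   # prints "good|Feb 10 00:00:00 2024 GMT"
```

<p class="card-text">A "revoked" Cert Status with exit code 0 means stapling works but the certificate must be replaced; exit code 1 after the restart usually means SSLStaplingCache is missing at the server level or the responder could not be reached.</p>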
</div>
<!-- This is the end of the bulk content section. -->
<div class="card-footer text-secondary">
<!-- This is the card footer where the next/previous links and arrows go. The links will need to be updated for every page. -->
<a class="text-secondary float-left" href="Step3a-Lock.html"><i class="fa fa-arrow-left fa-2x"></i> PREVIOUS </a> <a class="text-secondary float-right" href="Step3c-Lock.html"> NEXT <i class="fa fa-arrow-right fa-2x"></i></a> </div>
</div>
</div>
</div>
</div>
<!-- Add the common footer. -->
<div id="footer"></div>
<!-- Optional JavaScript -->
<!-- jQuery first, then Popper.js, then Bootstrap JS -->
<script src="https://code.jquery.com/jquery-3.3.1.min.js" integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
<script src="/js/zombie.js"></script>
</body>
</html>