Configuring HTTPS & SSL

  • Written by John
  • Jun 1st, 2015

After the recent revelations of NSA surveillance and security flaws in web technologies such as BEAST, there has never been a better time to secure web servers. I will talk about certain web technologies that can help prevent such attacks on web servers. I will be basing this article on CentOS 6. These are my experiences over the past year while learning and deploying web technologies.

Why be secure in the first place?

As stated above, security issues in web technologies have almost forced all IT professionals to reconsider how they approach security. Like many, I personally have a couple of web servers hosted on the Internet. At first I configured them to run, but with not much configured in terms of security. Of course, the web servers are CLI only, using SSH as the main connection for configuring them. But where there are hackers there is a way into any system.

I actually started caring about security when flaws started to appear in web technologies. I had to, as on one of my servers I host a forum-based website for a client with user information stored on it. This meant that I needed to increase my security and also make sure that any data was backed up off site. It doesn’t take much to configure systems securely.

Making the move to HTTPS

Since I currently host web servers using HTTP via Apache, the first and one of the best ways to secure a web site is to use HTTPS instead of HTTP. The issue with HTTP traffic is that none of it is encrypted, leaving it open to man-in-the-middle attackers, who can easily view the data being sent back and forth between the client and the web server. HTTPS, on the other hand, encrypts the traffic, so none of the data can be read, at least not easily. The only way HTTPS traffic can be viewed is if the data is decrypted.

However, it is not as simple as enabling HTTPS/SSL on a server and away you go. As well as configuring SSL on the server, to make sure that you have a valid public certificate you need to buy an SSL certificate. You can create a self-signed certificate, but since it has nothing to validate itself against, browsers will show an SSL error. There are many SSL certificate providers out there, some costing more than others. I can only suggest that you get the SSL certificate that you need, as costs can spiral quickly, particularly if you’re using one for personal use.

The actual configuration

So you’ve decided to go ahead and actually configure your server for HTTPS/SSL, but you don’t know what to do next. This stage is all about preparing for your SSL certificate: making sure that once you have bought one you can import the certificate, configure a couple of settings and away you go. The commands I will be using are for Apache running on CentOS 6. If you’re using another Linux distro you may have to search around for a how-to, but the principle is the same.

  1. Install SSL for Apache – sudo yum install mod_ssl openssl
  2. Create a folder on the server to hold your SSL certificates – make sure you create another folder that ONLY Apache has access to, as this will hold your key file
  3. Open up /etc/httpd/conf.d/ssl.conf – add and/or configure the following lines between the VirtualHost tags:
# enable mod_ssl for this virtual host
SSLEngine On
# the server, not the client, picks the cipher from the list below
SSLHonorCipherOrder On
SSLInsecureRenegotiation off
# SSLv2 and SSLv3 are disabled; everything else (TLS 1.0 and up) stays enabled
SSLProtocol all -SSLv2 -SSLv3
# HSTS for six months; needs mod_headers loaded
Header always add Strict-Transport-Security "max-age=15768000"
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

The SSLCipherSuite can be configured in many ways depending on the audience that the server will be serving. For a couple of configurations click on this link.

SSLCertificateFile /etc/httpd/ssl/domain.crt
SSLCertificateChainFile /etc/httpd/ssl/ca_chain.crt
# the key lives in the Apache-only folder created in step 2
SSLCertificateKeyFile /etc/httpd/ssl/apache/server.key

You will more than likely configure the SSLCertificate lines above after you have bought an SSL certificate.
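Before restarting Apache it helps to check the ssl.conf fragment against the settings above mechanically rather than by eye. The following Python script is an added example, not code from the original article: it parses ssl.conf-style text and reports which of the article's settings are missing or weaker than recommended. The two configuration fragments inside it are constructed for the example; the directive names are the real mod_ssl and mod_headers directives used above.

```python
"""Lint an Apache mod_ssl VirtualHost for the settings recommended above.

Added example, not part of the original article. It reads ssl.conf-style
text and reports directives that are missing or weaker than the article's
settings: SSLv2/SSLv3 still enabled, server cipher preference off, insecure
renegotiation allowed, RC4/MD5/aNULL/eNULL/EXPORT not excluded from
SSLCipherSuite, and no HSTS header (or one with a short max-age).
"""
import re

# Two ssl.conf fragments, constructed for this example. The first is the
# kind of near-default config that earns a poor SSL Labs grade; the second
# uses the article's settings with a shortened cipher list.
WEAK_CONF = """
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>
"""

HARDENED_CONF = """
<VirtualHost _default_:443>
    SSLEngine On
    SSLHonorCipherOrder On
    SSLInsecureRenegotiation off
    SSLProtocol all -SSLv2 -SSLv3
    Header always add Strict-Transport-Security "max-age=15768000"
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
</VirtualHost>
"""

# Cipher classes the article's SSLCipherSuite explicitly excludes with "!"
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "EXPORT", "RC4", "MD5")


def parse_directives(text):
    """Return [(directive_lower, value)] for every non-comment, non-tag line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        out.append((name.lower(), value.strip()))
    return out


def first(directives, name, default=""):
    """Value of the first occurrence of a directive, or default when absent."""
    for n, v in directives:
        if n == name:
            return v
    return default


def hsts_max_age(directives):
    """max-age from the first Header line that sets HSTS, or None if absent."""
    for n, v in directives:
        if n == "header" and "strict-transport-security" in v.lower():
            m = re.search(r"max-age=(\d+)", v)
            return int(m.group(1)) if m else 0
    return None


def lint_ssl_conf(text, min_hsts_age=15768000):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    if first(d, "sslengine").lower() != "on":
        findings.append("SSLEngine is not On")
    tokens = first(d, "sslprotocol", "all").split()
    for old in ("SSLv2", "SSLv3"):
        # enabled if named outright, or covered by "all" without a "-SSLvN"
        if old in tokens or ("all" in tokens and "-" + old not in tokens):
            findings.append(f"{old} is still enabled in SSLProtocol")
    if first(d, "sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off: the client chooses the cipher")
    if first(d, "sslinsecurerenegotiation", "off").lower() != "off":
        findings.append("SSLInsecureRenegotiation is on")
    excluded = {c[1:] for c in first(d, "sslciphersuite").split(":") if c.startswith("!")}
    for bad in REQUIRED_EXCLUSIONS:
        if bad not in excluded:
            findings.append(f"SSLCipherSuite does not exclude !{bad}")
    age = hsts_max_age(d)
    if age is None:
        findings.append("no Strict-Transport-Security header")
    elif age < min_hsts_age:
        findings.append(f"HSTS max-age {age} is below {min_hsts_age}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_ssl_conf(conf) or ["OK"])
```

Run it against your own file with lint_ssl_conf(open("/etc/httpd/conf.d/ssl.conf").read()); the weak fragment produces six findings, the hardened one none. The linter only reads the directives it knows about, so a clean result is a sanity check on the settings above, not a substitute for the SSL Labs test later in the article.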

Certificate time

Now it’s time to get yourself an SSL certificate. There are many SSL certificate providers out there. If you want to try an SSL certificate, you’re using it for personal use, or you don’t have a lot of money, you can get fairly cheap certificates. StartSSL.com provide free certificates, but, from my experience, it is a bit of a pain to set up, although it works just fine after the setup. Comodo provide a 90 day free trial for their certificate. The setup process is simple and fairly straightforward. I did get stuck, but using their help links/prompts guided me through without any major issues.

To generate a certificate you need a key and a CSR file. Run the following commands to generate both files.

openssl genrsa -out /etc/httpd/ssl/apache/server.key 2048
openssl req -new -sha256 -key /etc/httpd/ssl/apache/server.key -out /etc/httpd/ssl/server.csr

As part of generating the CSR, you will be prompted to enter information about your organisation. You can follow this guide for more information. Once the CSR is generated, open the CSR file and copy ALL of the data from it. This information will be needed as part of obtaining your SSL certificate.

Once you have a certificate, put the certificate itself and the intermediate certificate onto your server and configure the SSLCertificate lines above. You need to complete at least the three lines above for your certificate to work, but you can also include the line SSLCACertificateFile with the path to a file containing the root certificate of the CA. This will, as a last resort, confirm to your browser that your SSL certificate is legitimate, but in the real world only the intermediate certificate is needed. Once you have set the SSLCertificate lines, restart Apache with the command service httpd restart, which will apply all modified settings.
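Before running service httpd restart it is worth confirming that the three files line up, because a key that does not belong to the certificate is the usual reason Apache refuses to start after this step. The following Python script is an added example, not the article's own code. It wraps the openssl command-line tool (assumed to be on PATH, as installed in step 1) to check that the key's RSA modulus matches the certificate's, that the certificate verifies through the intermediate to a trusted root, and that the key file is not readable by group or others, which is the point of the Apache-only folder in step 2. The make_test_pki helper builds a throwaway self-signed CA and server certificate, constructed for the example, so the checks can be exercised offline; for a real deployment you would call check_deployment with domain.crt, server.key and ca_chain.crt and leave root_path unset so the system CA store supplies the root.

```python
"""Consistency checks on certificate, key and chain before restarting Apache.

Added example, not from the article. It drives the openssl CLI (which the
article already uses) through subprocess, so openssl must be on PATH.
"""
import os
import stat
import subprocess
import tempfile


def _openssl(*args):
    """Run an openssl subcommand and return its stdout; raise on failure."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def cert_modulus(cert_path):
    """'Modulus=...' line of the RSA public key inside an X.509 certificate."""
    return _openssl("x509", "-noout", "-modulus", "-in", cert_path).strip()


def key_modulus(key_path):
    """'Modulus=...' line of an RSA private key (PKCS#1 or PKCS#8 PEM)."""
    return _openssl("rsa", "-noout", "-modulus", "-in", key_path).strip()


def key_matches_cert(cert_path, key_path):
    """True when the key file is the one the certificate was issued for."""
    return cert_modulus(cert_path) == key_modulus(key_path)


def chain_verifies(cert_path, chain_path, root_path=None):
    """True when cert_path validates via chain_path (the intermediate file)
    up to a trusted root: root_path if given, otherwise the system CA store."""
    args = ["verify", "-untrusted", chain_path]
    if root_path:
        args += ["-CAfile", root_path]
    result = subprocess.run(["openssl", *args, cert_path],
                            capture_output=True, text=True)
    return result.returncode == 0


def key_is_private(key_path):
    """True when group and others have no permission bits on the key file."""
    return stat.S_IMODE(os.stat(key_path).st_mode) & 0o077 == 0


def check_deployment(cert_path, key_path, chain_path, root_path=None):
    """Return {check_name: bool} for the three pre-restart checks."""
    return {
        "key_matches_cert": key_matches_cert(cert_path, key_path),
        "chain_verifies": chain_verifies(cert_path, chain_path, root_path),
        "key_is_private": key_is_private(key_path),
    }


def make_test_pki(directory):
    """Constructed test material: a throwaway self-signed CA, a server key and
    certificate signed by it, and an unrelated key. Returns the file paths."""
    names = ("ca.key", "ca.crt", "server.key", "server.csr", "server.crt", "other.key")
    p = {name: os.path.join(directory, name) for name in names}
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Example Test CA", "-keyout", p["ca.key"], "-out", p["ca.crt"])
    # same two commands the article uses to produce the key and CSR
    _openssl("genrsa", "-out", p["server.key"], "2048")
    _openssl("req", "-new", "-sha256", "-subj", "/CN=www.example.test",
             "-key", p["server.key"], "-out", p["server.csr"])
    _openssl("x509", "-req", "-days", "1", "-in", p["server.csr"],
             "-CA", p["ca.crt"], "-CAkey", p["ca.key"], "-CAcreateserial",
             "-out", p["server.crt"])
    _openssl("genrsa", "-out", p["other.key"], "2048")
    os.chmod(p["server.key"], 0o600)
    return p


def self_check():
    """Build the test material in a temp dir and run every check against it,
    including the two cases that must be caught: wrong key, loose key perms."""
    with tempfile.TemporaryDirectory() as tmp:
        f = make_test_pki(tmp)
        results = check_deployment(f["server.crt"], f["server.key"], f["ca.crt"], f["ca.crt"])
        results["wrong_key_rejected"] = not key_matches_cert(f["server.crt"], f["other.key"])
        os.chmod(f["server.key"], 0o644)
        results["loose_perms_detected"] = not key_is_private(f["server.key"])
    return results


if __name__ == "__main__":
    print(self_check())
```

The root is passed explicitly only because the test CA is not in any trust store; chain_verifies uses -untrusted for the intermediate file so that, on a real server, openssl is forced to complete the chain from a root it already trusts rather than from whatever is in ca_chain.crt.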

Testing

Now you can browse to your domain with https:// at the start. If done correctly the server will be running and showing HTTPS in the URL. Once it’s running and everything seems fine, you can get your server tested with the Qualys SSL Labs server test, which will confirm whether you have any issues with your server. With the settings above it should get you a rating of A+ with a high rate of browser support.

You’re almost there

So you have a fully functioning HTTP and HTTPS server, but wait: you can still use either HTTP or HTTPS. You’ve just spent the past 30 minutes to an hour configuring your server to allow encrypted traffic and you still have unencrypted traffic. What gives? It is really easy to push all HTTP traffic to HTTPS, and it is done right on your server. If you add the lines below to your httpd.conf file, located in /etc/httpd/conf, they will make sure that all web traffic going to and from your server is encrypted. Make sure that you put the lines between the VirtualHost tags if you have virtual hosts enabled. If not, you can put those lines anywhere in the file.

RewriteEngine On
# only rewrite requests that did not arrive on the HTTPS port
RewriteCond %{SERVER_PORT} !^443$
# send the client to the same host and path over https
RewriteRule (.*) https://%{HTTP_HOST}$1 [R,L]