Rootmanual:SSL: Difference between page versions
Busk (talk | contribs) m (No edit summary)
(12 intermediate revisions by 3 users not shown)
Rad 2: | Rad 2: | ||
https://wiki.mozilla.org/Security/Server_Side_TLS går igenom mycket som är bra att veta om hur man ställer in sin httpd, t.ex. cipher suites osv. |
https://wiki.mozilla.org/Security/Server_Side_TLS går igenom mycket som är bra att veta om hur man ställer in sin httpd, t.ex. cipher suites osv. |
||
http://www.lysator.liu.se/~busk/ssllabs/ - I teorin automagiskt uppdaterande version av nedanstående tabell (för port 443 enbart) |
|||
= Inventering av certifikat = |
= Inventering av certifikat = |
||
{| class="wikitable" |
{| class="wikitable" |
||
! host !! CN !! port !! Certificate !! Protocol support !! Key exchange !! Cipher strength !! Rating !! Valid from !! Valid until !! Key !! Signature algorithm !! TLS1.2 !! TLS1.1 !! TLS1.0 !! SSL3 !! SSL2 !! PFS !! HSTS !! OCSP !! NPN !! SPDY !! analyze.py (mozilla-nivå) !! annat |
! host !! CN !! port !! Certificate !! Protocol support !! Key exchange !! Cipher strength !! Rating !! Valid from !! Valid until !! Key !! Signature algorithm !! TLS1.2 !! TLS1.1 !! TLS1.0 !! SSL3 !! SSL2 !! PFS !! HSTS !! OCSP !! NPN !! SPDY/HTTP2 !! analyze.py (mozilla-nivå) !! annat |
||
|- |
|- |
||
| |
|[[Admin]] ||[https://www.ssllabs.com/ssltest/analyze.html?d=admin.lysator.liu.se&hideResults=on admin] ||443 || 100 || 95 || 90 || 90 || A+ || 2017-11-10 || 2020-11-18 || RSA4096 ||SHA512wRSA || Y || Y || Y || N || N || Y || Y || Y || Y || Y || || |
||
|- |
|- |
||
|bugzilla||[https://www.ssllabs.com/ssltest/analyze.html?d=bugzilla.lysator.liu.se&hideResults=on bugzilla] ||443||100 || 95 || 80 || 90 || A || 2015-02-03 || 2018-02-02 || RSA2048 || SHA256wRSA || Y || Y || Y || N || N || Y || Y || N || N || N || "intermediate" när OCSP || Kortvarig HSTS, OBS: Alternative name: *.bug-attachments.lysator.liu.se |
|bugzilla||[https://www.ssllabs.com/ssltest/analyze.html?d=bugzilla.lysator.liu.se&hideResults=on bugzilla] ||443||100 || 95 || 80 || 90 || A || 2015-02-03 || 2018-02-02 || RSA2048 || SHA256wRSA || Y || Y || Y || N || N || Y || Y || N || N || N || "intermediate" när OCSP || Kortvarig HSTS, OBS: Alternative name: *.bug-attachments.lysator.liu.se |
||
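Review bot: renaming the header cell from SPDY to SPDY/HTTP2 without re-testing changes what the existing Y/N values in that column mean; an N recorded for SPDY (the bugzilla row) or the Y in the new Admin row does not say whether HTTP/2 was actually checked. Either re-check those cells against the current SSL Labs report or record in the legend which rows were tested for which protocol. The new Admin row also leaves the analyze.py (mozilla-nivå) column empty while every other port-443 row states a level; fill it in or mark it TBD.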
Rad 30: | Rad 32: | ||
|ldap || ldap || || || |||| || ||2014-11-17 || 2017-11-16 || RSA2048 || SHA256wRSA || || || || || || || || || || || || |
|ldap || ldap || || || |||| || ||2014-11-17 || 2017-11-16 || RSA2048 || SHA256wRSA || || || || || || || || || || || || |
||
|- |
|- |
||
|bernadotte ||[https://www.ssllabs.com/ssltest/analyze.html?d=lists.lysator.liu.se&hideResults=on lists] ||443 || 100 || 95 || |
|bernadotte ||[https://www.ssllabs.com/ssltest/analyze.html?d=lists.lysator.liu.se&hideResults=on lists] ||443 || 100 || 95 || 90 || 90 || A+ || 2017-11-10 || 2020-11-18 || RSA2048 || SHA512wRSA || Y || Y || Y || N || N || Y || Y || Y || N || N || "intermediate" när OCSP och DHE >2048 || |
||
|- |
|- |
||
|login || [https://www.ssllabs.com/ssltest/analyze.html?d= |
|login || [https://www.ssllabs.com/ssltest/analyze.html?d=login.lysator.liu.se&hideResults=on login] || 443 || 100 || 95 || 90 || 90 || A+ || 2015-02-03 || 2018-02-02 || RSA2048 || SHA256wRSA || Y || Y || Y || N || N || Y || Y || Y || Y || Y || "intermediate" || |
||
|- |
|- |
||
|bernadotte ||mail || 25 || || || || || || 2015-02-02 || 2018-02-02|| || || || || || || || || || || || || || |
|bernadotte ||mail || 25 || || || || || || 2015-02-02 || 2018-02-02|| || || || || || || || || || || || || || |
||
|- |
|- |
||
|medreg|| [https://www.ssllabs.com/ssltest/analyze.html?d=medreg.lysator.liu.se&hideResults=on medreg]|| 443 || 100 || 95 || |
|medreg|| [https://www.ssllabs.com/ssltest/analyze.html?d=medreg.lysator.liu.se&hideResults=on medreg]|| 443 || 100 || 95 || 90 || 90|| A+ || 2015-02-03 || 2018-02-02 || RSA2048 || SHA256wRSA || Y || Y || Y || N || N || Y || Y || Y || N || N || "intermediate(?)" || |
||
|- |
|- |
||
|succubus||[https://www.ssllabs.com/ssltest/analyze.html?d=mrtg.lysator.liu.se&hideResults=on mrtg] || 443 || 100 || 95 || 90 || 90 || A+ || 2015-02-03 || 2018-02-02 || RSA2048 || SHA256wRSA || Y || Y || Y || N || N || Y || Y || Y || Y || Y || "intermediate" || |
|succubus||[https://www.ssllabs.com/ssltest/analyze.html?d=mrtg.lysator.liu.se&hideResults=on mrtg] || 443 || 100 || 95 || 90 || 90 || A+ || 2015-02-03 || 2018-02-02 || RSA2048 || SHA256wRSA || Y || Y || Y || N || N || Y || Y || Y || Y || Y || "intermediate" || |
||
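Review bot: in the updated lists row the OCSP cell is now Y, but the analyze.py note still reads '"intermediate" när OCSP och DHE >2048', so the OCSP precondition is already met and the note should be reduced to the DHE condition (or analyze.py re-run). The medreg row's '"intermediate(?)"' likewise leaves the level unverified; re-run analyze.py before relying on it.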
Rad 50: | Rad 52: | ||
|proxer ||proxer || 8006 || || || || || || 2015-02-03 || 2018-02-02 || RSA2048 ||SHA256wRSA || || || || || || || || || || ||bad || |
|proxer ||proxer || 8006 || || || || || || 2015-02-03 || 2018-02-02 || RSA2048 ||SHA256wRSA || || || || || || || || || || ||bad || |
||
|- |
|- |
||
|thinlinc ||thinlinc || |
|thinlinc ||[https://www.ssllabs.com/ssltest/analyze.html?d=thinlinc.lysator.liu.se&hideResults=on thinlinc]||443||100||95||90||50||C||2015-12-04||2018-12-12||RSA2048||SHA256wRSA||Y||Y||Y||N||N||NJA||N||N||N||N||||RC4 ska bort |
||
|- |
|- |
||
|webkom ||[https://www.ssllabs.com/ssltest/analyze.html?d=webkom.lysator.liu.se&hideResults=on webkom] ||443 || 100 || 95 || 90 || 90 || A || 2012-07-26 || 2015-09-01 || RSA2048 || SHA1wRSA || Y || Y || Y || N || N || Y || Y || N || N || N || "intermediate" när OCSP och SHA256 || ska avvecklas, är bara redirect till jskom. |
|webkom ||[https://www.ssllabs.com/ssltest/analyze.html?d=webkom.lysator.liu.se&hideResults=on webkom] ||443 || 100 || 95 || 90 || 90 || A || 2012-07-26 || 2015-09-01 || RSA2048 || SHA1wRSA || Y || Y || Y || N || N || Y || Y || N || N || N || "intermediate" när OCSP och SHA256 || ska avvecklas, är bara redirect till jskom. |
||
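Review bot: the thinlinc row puts NJA in the PFS column, which is not one of the values the table otherwise uses (Y/N/P); use P, the legend's "Partial", so the column stays consistent and machine-checkable. The rating C and cipher strength 50 recorded here follow from the RC4 suites the row itself flags with "RC4 ska bort", so the row should be re-tested once those suites are removed.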
Rad 58: | Rad 60: | ||
|webware ||[https://www.ssllabs.com/ssltest/analyze.html?d=webware.lysator.liu.se&hideResults=on webware] ||443 || 100 || 95 || 80 || 90 || A || 2012-07-26 || 2015-07-27 || RSA2048 || SHA1wRSA || Y || Y || Y || N || N || P || N || N || N || N || "intermediate" när OCSP och SHA256 || ska avvecklas. |
|webware ||[https://www.ssllabs.com/ssltest/analyze.html?d=webware.lysator.liu.se&hideResults=on webware] ||443 || 100 || 95 || 80 || 90 || A || 2012-07-26 || 2015-07-27 || RSA2048 || SHA1wRSA || Y || Y || Y || N || N || P || N || N || N || N || "intermediate" när OCSP och SHA256 || ska avvecklas. |
||
|- |
|- |
||
|nyarlathotep || [https://www.ssllabs.com/ssltest/analyze.html?d=www.lysator.liu.se&hideResults=on www] || 443 || 100 || 95 || 90 || 90 || A || 2015-02-02 || 2018-02-02 || RSA2048 || SHA256wRSA || Y || Y || Y || N || N || Y || Y || N || |
|nyarlathotep || [https://www.ssllabs.com/ssltest/analyze.html?d=www.lysator.liu.se&hideResults=on www] || 443 || 100 || 95 || 90 || 90 || A || 2015-02-02 || 2018-02-02 || RSA2048 || SHA256wRSA || Y || Y || Y || N || N || Y || Y || N || Y || N || "intermediate" när OCSP || Kortvarig HSTS |
||
|- |
|||
|pike || [https://www.ssllabs.com/ssltest/analyze.html?d=pike.lysator.liu.se&hideResults=on pike] || 443 || 100 || 95 || 90 || 90 || A || 2016-05-19 || 2019-05-24 || RSA4096 || SHA256wRSA || Y || Y || Y || N || N || Y || N || N || N || N || || |
|||
|- |
|||
|pike-git || [https://www.ssllabs.com/ssltest/analyze.html?d=pike-git.lysator.liu.se&hideResults=on pike-git] || 443 || 100 || 95 || 90 || 90 || A || 2016-05-19 || 2019-05-24 || RSA4096 || SHA256wRSA || Y || Y || Y || N || N || Y || Y || N || Y || N || || TBD |
|||
|- |
|||
|(*.)proxmox.lysator.liu.se || [https://www.ssllabs.com/ssltest/analyze.html?d=proxmox.lysator.liu.se&hideResults=on proxmox] || 443 || 100 || 95 || 90 || 90 || A+ || 2016-11-15 || 2019-11-20 || RSA4096 || SHA256wRSA || Y||Y || Y|| N|| N|| Y|| Y|| N|| Y|| N|| || wildcard-certifikat, SAN:proxmox.lysator.liu.se |
|||
|- |
|||
|(*.)pages.lysator.liu.se || [https://www.ssllabs.com/ssltest/analyze.html?d=test.pages.lysator.liu.se&hideResults=on proxmox] || 443 || 100 || 95 || 90 || 90 || A+ || 2017-10-26 || 2020-10-30 || RSA4096 || SHA512wRSA || Y||Y || Y|| N|| N|| Y|| N|| N|| Y|| N|| || wildcard-certifikat, inget SAN |
|||
|- |
|||
|pike-librarian || [https://www.ssllabs.com/ssltest/analyze.html?d=pike-librarian.lysator.liu.se&hideResults=on pike-librarian] || 443 || 100 || 95 || 90 || 90 || A || 2016-05-19 || 2019-05-24 || RSA4096 || SHA256wRSA || Y || Y || Y || N || N || Y || Y || N || Y || Y || || TBD |
|||
|} |
|} |
||
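Review bot: in the new (*.)pages.lysator.liu.se row the link label and the CN cell both read "proxmox" while the URL points at test.pages.lysator.liu.se; this looks like a copy-paste from the proxmox row above, so the label should read pages. The new pike-git and pike-librarian rows mark "annat" as TBD with an empty analyze.py level, and the pike row leaves both empty; record the analyze.py level for all three so they can be compared with the older rows.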
Current revision as of 12 October 2018, 17:06
https://www.ssllabs.com/ssltest/analyze.html is useful for a quick overview of what can be improved for a certificate; https://github.com/jvehent/cipherscan, which includes analyze.py, can also help.
https://wiki.mozilla.org/Security/Server_Side_TLS covers much that is worth knowing about configuring your httpd, e.g. cipher suites.
http://www.lysator.liu.se/~busk/ssllabs/ - in theory an automagically updating version of the table below (port 443 only)
Certificate inventory
host | CN | port | Certificate | Protocol support | Key exchange | Cipher strength | Rating | Valid from | Valid until | Key | Signature algorithm | TLS1.2 | TLS1.1 | TLS1.0 | SSL3 | SSL2 | PFS | HSTS | OCSP | NPN | SPDY/HTTP2 | analyze.py (mozilla level) | other |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Admin | admin | 443 | 100 | 95 | 90 | 90 | A+ | 2017-11-10 | 2020-11-18 | RSA4096 | SHA512wRSA | Y | Y | Y | N | N | Y | Y | Y | Y | Y | | |
bugzilla | bugzilla | 443 | 100 | 95 | 80 | 90 | A | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | N | N | N | "intermediate" when OCSP | Short-lived HSTS; NB: alternative name *.bug-attachments.lysator.liu.se |
datorhandbok | datorhandbok | 443 | 100 | 95 | 80 | 90 | A+ | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | N | N | N | "intermediate" when OCSP and DHE >2048 | |
enodia | enodia | 443 | 100 | 95 | 80 | 90 | | 2012-07-26 | 2015-07-27 | RSA2048 | SHA1wRSA | Y | Y | Y | N | N | Y | N | N | N | N | "intermediate" when OCSP and SHA256 | to be decommissioned or reinstalled |
ftp | ftp | 443 | 100 | 95 | 90 | 90 | A | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | Y | Y | Y | "intermediate" | |
gluten | git | 443 | 100 | 95 | 80 | 90 | A+ | 2015-02-03 | 2018-02-02 | RSA2048 | SHA2wRSA | Y | Y | Y | N | N | Y | Y | N | Y | N | "intermediate" | |
httpkom | httpkom | 443 | 100 | 95 | 90 | 90 | A+ | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | N | N | N | "intermediate" when OCSP | |
bernadotte | imap | 143 | | | | | | 2015-02-02 | 2018-02-02 | | | | | | | | | | | | | | |
jabber | lysator.liu.se | 5222 | | | | | | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | | | | | | | | | | | | IM Observatory; check the CN when renewing |
jskom | jskom | 443 | 100 | 95 | 90 | 90 | A+ | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | N | N | N | "intermediate" when OCSP | |
ldap | ldap | | | | | | | 2014-11-17 | 2017-11-16 | RSA2048 | SHA256wRSA | | | | | | | | | | | | |
bernadotte | lists | 443 | 100 | 95 | 90 | 90 | A+ | 2017-11-10 | 2020-11-18 | RSA2048 | SHA512wRSA | Y | Y | Y | N | N | Y | Y | Y | N | N | "intermediate" when OCSP and DHE >2048 | |
login | login | 443 | 100 | 95 | 90 | 90 | A+ | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | Y | Y | Y | "intermediate" | |
bernadotte | mail | 25 | | | | | | 2015-02-02 | 2018-02-02 | | | | | | | | | | | | | | |
medreg | medreg | 443 | 100 | 95 | 90 | 90 | A+ | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | Y | N | N | "intermediate(?)" | |
succubus | mrtg | 443 | 100 | 95 | 90 | 90 | A+ | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | Y | Y | Y | "intermediate" | |
succubus | nagios | 443 | 100 | 95 | 90 | 90 | A | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | N | Y | Y | Y | "intermediate" | |
succubus | nagiosql | 443 | 100 | 95 | 90 | 90 | A+ | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | Y | Y | Y | "intermediate" | |
bernadotte | pop | | | | | | | 2015-02-02 | 2018-02-02 | | | | | | | | | | | | | | |
proxar | proxar | 8006 | | | | | | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | | | | | | | | | | | bad | |
proxer | proxer | 8006 | | | | | | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | | | | | | | | | | | bad | |
thinlinc | thinlinc | 443 | 100 | 95 | 90 | 50 | C | 2015-12-04 | 2018-12-12 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | partly (NJA) | N | N | N | N | | RC4 must go |
webkom | webkom | 443 | 100 | 95 | 90 | 90 | A | 2012-07-26 | 2015-09-01 | RSA2048 | SHA1wRSA | Y | Y | Y | N | N | Y | Y | N | N | N | "intermediate" when OCSP and SHA256 | to be decommissioned; only a redirect to jskom. |
bernadotte | webmail | 443 | 100 | 95 | 90 | 90 | A+ | 2015-02-02 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | Y | N | N | "intermediate" when OCSP and DHE >2048 | |
webware | webware | 443 | 100 | 95 | 80 | 90 | A | 2012-07-26 | 2015-07-27 | RSA2048 | SHA1wRSA | Y | Y | Y | N | N | P | N | N | N | N | "intermediate" when OCSP and SHA256 | to be decommissioned. |
nyarlathotep | www | 443 | 100 | 95 | 90 | 90 | A | 2015-02-02 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | N | Y | N | "intermediate" when OCSP | Short-lived HSTS |
pike | pike | 443 | 100 | 95 | 90 | 90 | A | 2016-05-19 | 2019-05-24 | RSA4096 | SHA256wRSA | Y | Y | Y | N | N | Y | N | N | N | N | | |
pike-git | pike-git | 443 | 100 | 95 | 90 | 90 | A | 2016-05-19 | 2019-05-24 | RSA4096 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | N | Y | N | | TBD |
(*.)proxmox.lysator.liu.se | proxmox | 443 | 100 | 95 | 90 | 90 | A+ | 2016-11-15 | 2019-11-20 | RSA4096 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | N | Y | N | | wildcard certificate, SAN: proxmox.lysator.liu.se |
(*.)pages.lysator.liu.se | proxmox | 443 | 100 | 95 | 90 | 90 | A+ | 2017-10-26 | 2020-10-30 | RSA4096 | SHA512wRSA | Y | Y | Y | N | N | Y | N | N | Y | N | | wildcard certificate, no SAN |
pike-librarian | pike-librarian | 443 | 100 | 95 | 90 | 90 | A | 2016-05-19 | 2019-05-24 | RSA4096 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | N | Y | Y | | TBD |
P = Partial
DHE = Diffie-Hellman key exchange (Apache 2.2 only handles a 1024-bit parameter; at least 2048 bits is recommended)
Apache 2.2 does not support OCSP stapling either, since support first arrived in 2.3.3. It should be enabled for the Apache hosts on Debian once Debian 8 becomes stable and the boxes have been upgraded.
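To make the inventory above checkable rather than read by eye, here is an added Python linter (my example, not part of the wiki page) that parses rows in the page's pipe-separated layout and flags the conditions the page itself calls out: expired validity, SHA-1 signatures, sub-A ratings, partial PFS (the legend's P), and missing HSTS or OCSP. It assumes the table's column order and uses the revision date 2018-10-12 as "today"; the three sample rows are copied from the table.

```python
"""Lint certificate-inventory rows against the page's own criteria.
Added example, not part of the wiki page; sample rows are copied from the
table above and REVISION_DATE is the page's revision date (an assumption)."""
from datetime import date

COLUMNS = ["host", "CN", "port", "Certificate", "Protocol support", "Key exchange",
           "Cipher strength", "Rating", "Valid from", "Valid until", "Key",
           "Signature algorithm", "TLS1.2", "TLS1.1", "TLS1.0", "SSL3", "SSL2",
           "PFS", "HSTS", "OCSP", "NPN", "SPDY/HTTP2", "analyze.py", "other"]

# Three rows in the page's pipe-separated layout (login, thinlinc, webware).
SAMPLE_TABLE = """\
login | login | 443 | 100 | 95 | 90 | 90 | A+ | 2015-02-03 | 2018-02-02 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | Y | Y | Y | Y | Y | "intermediate" | |
thinlinc | thinlinc | 443 | 100 | 95 | 90 | 50 | C | 2015-12-04 | 2018-12-12 | RSA2048 | SHA256wRSA | Y | Y | Y | N | N | NJA | N | N | N | N | | RC4 must go |
webware | webware | 443 | 100 | 95 | 80 | 90 | A | 2012-07-26 | 2015-07-27 | RSA2048 | SHA1wRSA | Y | Y | Y | N | N | P | N | N | N | N | "intermediate" when OCSP and SHA256 | to be decommissioned. |
"""
REVISION_DATE = date(2018, 10, 12)


def parse_rows(text):
    """Map each pipe-separated row onto COLUMNS; short rows (ldap, pop) are padded."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if cells[-1] == "":        # the empty string after the trailing pipe
            cells.pop()
        cells += [""] * (len(COLUMNS) - len(cells))
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def lint_row(row, today=REVISION_DATE):
    """Return the findings for one row; an empty list means nothing to do."""
    findings = []
    if row["Valid until"] and date.fromisoformat(row["Valid until"]) < today:
        findings.append("expired on " + row["Valid until"])
    if row["Signature algorithm"].startswith("SHA1"):
        findings.append("SHA-1 signed certificate")
    if row["Rating"] and row["Rating"] not in ("A", "A+"):
        findings.append("SSL Labs rating " + row["Rating"])
    if row["PFS"] in ("P", "NJA"):          # legend: P = Partial
        findings.append("forward secrecy only partial")
    if row["HSTS"] == "N":
        findings.append("no HSTS")
    if row["OCSP"] == "N":
        findings.append("no OCSP stapling")
    return findings


def lint_table(text=SAMPLE_TABLE, today=REVISION_DATE):
    """Findings per host, e.g. lint_table()["webware"] lists five problems."""
    return {row["host"]: lint_row(row, today) for row in parse_rows(text)}
```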