Presentation is loading. Please wait.

Presentation is loading. Please wait.

Apache HTTP Server SSL End-to-End

Published byEdgar Hugh Goodman Modified over 7 years ago

Similar presentations

Presentation on theme: "Apache HTTP Server SSL End-to-End"— Presentation transcript:

1 Apache HTTP Server SSL End-to-End
William A. Rowe Jr. Staff Engineer; Pivotal Member; ASF, HTTP Server and APR Projects

2 Getting Started Guidance is changing annually Web references have grown stale Plain is nearing extinction

3 Follow Up-to-date Resources
Several authors are doing a thorough job of explaining TLS issues in clear language. Ivan Ristić's blog Adam Langley's blog

4 Update to Modern Tools OpenSSL provides the necessary TLSv1.2 facilities Apache HTTP Server 2.4 connects the dots for OpenSSL features Forward Secrecy, stronger hashes and ECC cryptography all require these updates

5 Choose 2? (Or only one?) Confidentiality, performance or compatibility? Evaluate the scope of confidentially: Value? RoI vs Bitcoin mining Trading off for performance Trading off for compatibility

6 Protocols SSLv2 is dead (and buried)
SSLv3 (effectively TLSv1.0) is headed in that direction TLSv1.2 addresses a spectrum of weaknesses (But OpenSSL 1.0.1h is necessary to avoid new issues)

7 Ciphers The Big List (Several downsides) openssl ciphers
A simplified list (Efficient and Secure) openssl ciphers 'HIGH:MEDIUM:!aNULL:!MD5' Teach your server to enforce -your- policy

8 Certs and Keys RSA – MD5? A better RSA ECDHE

9 (Perfect?) Forward Secrecy
The Goal – discontinuity between sessions SSLSessionCacheTimeout [300] ECDSA keys offer efficiency ECDH/RSA remains a compromise

10 OCSP (and Stapling) Confirming continued validity – evolved from revocation lists OCSP Failure cases – overloaded providers and unroutable traffic Stapling partially solves these issues

11 Sessions Cache and considerations Tickets and considerations
Spanning the load balancer

12 Renegotiation Server initiated Client initiated, pre- TLSv1.1
Client initiated with TLSv1.1

13 Under Control The enterprise case; known user agents
The operations case; peering application servers The forward proxy case; all bets are off?

14 The Design Conundrums TLS compression – Do Not Use
Encoding: gzip | deflate risks Client-supplied Input Reflection Cookies, HTTP headers, form contents

15 Broken Clients The perils of parallel consumers
Sharing SSL Sessions between adversarial parties BREACH is a browser/application hosting defect

16 An Ongoing Process http://www.openssl.org/news/vulnerabilities.html
- what's coming next?

17 Questions? Yes – SNI (Server Name Indication) in httpd 2.4 now allows modern clients to use a single IP address for multiple certificates, and presents them based on the TLS SNI hostname indicated by the client. Old clients will still need either a wildcard certificate or a list of AltSubjectNames in the certificate to host multiple virtual hosts at a single IP address. Some tools for maintaining CA lists can be found in the openssl tools/ source directory (these are generally not installed by-default in vendor distributions).

Download ppt "Apache HTTP Server SSL End-to-End"

Similar presentations

Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.

Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.
Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –

Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Session 10 Windows Platform Eng. Dina Alkhoudari.

Session 10 Windows Platform Eng. Dina Alkhoudari.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.

1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.

1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.
Apache HTTP mod_ftp William A. Rowe, Jr. ASF Member, httpd and APR projects Sr. Software Engineer, Covalent Technologies.

Apache HTTP mod_ftp William A. Rowe, Jr. ASF Member, httpd and APR projects Sr. Software Engineer, Covalent Technologies.
Module 11: Implementing ISA Server 2004 Enterprise Edition.

Module 11: Implementing ISA Server 2004 Enterprise Edition.
Module 6: Managing Client Access. Overview Implementing Client Access Servers Implementing Client Access Features Implementing Outlook Web Access Introduction.

Module 6: Managing Client Access. Overview Implementing Client Access Servers Implementing Client Access Features Implementing Outlook Web Access Introduction.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

Similar presentations

Ads by Google