    Categories: Windows

Letsencrypt.sh on Windows-#4.

Japanese version of this article

[2017.Oct.20]    We can now use mod_md in the Apache Lounge 2.4.x version, so I changed my certificate-renewal tool from dehydrated (formerly Letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
   On October 7, when I tested my site with SSL Server Test, I found ‘OCSP Must Staple Not Supported’ on it. So I re-checked the old test report and saw ‘OCSP Must Staple Not Supported’ there too. I talked about this with くりくりさん in the comments of my Japanese blog. We also talked about Extended Validation (EV), CHACHA20, and Certificate Transparency (CT). But these three are not available for my server now. EV is expensive. The official Apache version already supports CHACHA20, but Apache Lounge version 2.4.23, which my server currently runs, doesn’t yet. If I want to use it, I need to build a supporting version by myself, and this is difficult for me. Apache doesn’t support CT yet.
   However, I changed several things about my server’s TLS environment.

[1 OCSP_MUST_STAPLE]
   As the script dehydrated (formerly named letsencrypt.sh) supports ‘OCSP Must Staple’ and has an option for it in the config file, I changed that option and force-renewed the certificates.
   The change in the config file:

#OCSP_MUST_STAPLE="no"
  ↓
OCSP_MUST_STAPLE="yes"

   For an easy force-renewal, you can use LetEncryptsh.bat. You need the following temporary change in the batch file.

bash --login -i -c "/usr/local/letsencrypt.sh/letsencrypt.sh -c"
  ↓
bash --login -i -c "/usr/local/letsencrypt.sh/letsencrypt.sh -c -x"

   Then run LetEncryptsh.bat. After that, you have to revert the above line to its original.
   By the way, I took this occasion to delete ‘ECDHE-RSA-AES256-SHA’ from my SSLCipherSuite and to make SSLProtocol support TLS1.2 only. Here is the SSL Server Test result at this point.

[2 ECDH (Elliptic curve Diffie–Hellman)]
   When I was checking the config file of dehydrated, I found the option for the public key algorithm, which includes secp384r1. So I created certificates using ECDH key exchange.
   Before you start, check whether your OpenSSL supports secp384r1.
   Run cmd.exe.
  >pushd /pathto/Apache24/bin
  >openssl ecparam -list_curves

  (snip)
   secp384r1 : NIST/SECG curve over a 384 bit prime field
  (snip)

   The change in the config file:

#KEY_ALGO=rsa
  ↓
KEY_ALGO=secp384r1

   Run LetEncryptsh.bat for the force-renewal.
   Confirm that you got ECDH certs. Run cmd.exe.
  >pushd /pathto/Apache24/bin
  >openssl ec -in /pathto/server.key -text

  read EC key
  Private-Key: (384 bit)
  priv:
  (snip)
  pub:
  (snip)
  ASN1 OID: secp384r1
  NIST CURVE: P-384
  writing EC key
  -----BEGIN EC PRIVATE KEY-----
  (snip)
  -----END EC PRIVATE KEY-----

   Here are the SSL Server Test result and SSLCipherSuite at this point.

[3 Cipher Strength at least 256-bit]
   Change SSLCipherSuite. I customized the Mozilla modern profile, like this:

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  ↓
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384

   Restart Apache.
   Here is the SSL Server Test result at this point.

[4 Both ECDH kx 384-bit and Cipher Strength at least 256-bit]
   Add the next two lines to ssl.conf.

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp384r1

   Restart Apache.
   Here are the SSL Server Test result and SSLCipherSuite at this point.

[5 ECDH kx 384-bit]
   Change SSLCipherSuite, like this:

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256

   Leave the next two lines in ssl.conf.

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp384r1

   Restart Apache.
   Here is the SSL Server Test result at this point.

   This 5th one is my current configuration.
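As an added check that is not part of this post, here is a small Python linter for the goals of sections 1 to 5: it parses the dehydrated config and the ssl.conf directives quoted above and reports which of the goals hold (OCSP Must Staple on, P-384 key, cipher suites matching the key type, 256-bit cipher strength, key exchange pinned to secp384r1). The sample inputs are constructed from the directives quoted in this post (the final, 5th configuration); the function names are my own.

```python
import shlex

# Constructed sample inputs, copied from the directives quoted in this post
# (dehydrated config after section 2, ssl.conf after section 5).
DEHYDRATED_CONFIG = """\
#KEY_ALGO=rsa
KEY_ALGO=secp384r1
#OCSP_MUST_STAPLE="no"
OCSP_MUST_STAPLE="yes"
"""
SSL_CONF = """\
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp384r1
"""

def parse_dehydrated(text):
    """Active (uncommented) KEY=VALUE pairs of a dehydrated config, shell quotes removed."""
    opts = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = "".join(shlex.split(value))
    return opts

def parse_ssl_conf(text):
    """Return (cipher list, {SSLOpenSSLConfCmd name: value}) from an ssl.conf fragment."""
    ciphers, conf_cmd = [], {}
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) > 1 and parts[0] == "SSLCipherSuite":
            ciphers = parts[-1].split(":")
        elif len(parts) == 3 and parts[0] == "SSLOpenSSLConfCmd":
            conf_cmd[parts[1]] = parts[2]
    return ciphers, conf_cmd

def check(dehydrated_text, ssl_text):
    """Map each goal of the post to True/False for the given configs."""
    d = parse_dehydrated(dehydrated_text)
    ciphers, cmd = parse_ssl_conf(ssl_text)
    # An EC key (secp*/prime*) only serves ECDHE-ECDSA suites; ECDHE-RSA suites would be dead weight.
    want = "ECDHE-RSA-" if d.get("KEY_ALGO", "rsa") == "rsa" else "ECDHE-ECDSA-"
    return {
        "must_staple": d.get("OCSP_MUST_STAPLE") == "yes",
        "key_p384": d.get("KEY_ALGO") == "secp384r1",
        "suites_match_key": bool(ciphers) and all(c.startswith(want) for c in ciphers),
        # 256-bit symmetric strength means AES256 or CHACHA20 in every suite name
        "min_256bit": bool(ciphers) and all("AES256" in c or "CHACHA20" in c for c in ciphers),
        # both directives from section 4 pin the key exchange curve to P-384
        "kx_384": cmd.get("Curves") == cmd.get("ECDHParameters") == "secp384r1",
    }
```

With the 5th configuration the checker reports min_256bit as false, which is exactly the trade-off between the 3rd and 5th configurations described above.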

o6asan :