SSL / SSH cheatsheet
SSL, keys, hashes, ciphers, and certs have gotten pretty confusing lately:
If you are not already really really comfortable with how encrypting all the things works, there are some painful details to be learned. If you’ve got services that you run, host, configure, own, or whatever, you should learn it all. After you’ve done all of that here’s what I make of it:
All of your settings and servers are probably not great, you should make all new keys and check all of your settings.
As you do that, here is the cheatsheet version of what doesn’t suck:
Set aside all of your old keys in ~/.ssh, and make new ones:
ssh-keygen -t ecdsa -b 521
…and if your OpenSSH isn’t new-ish, you might get an error. On OS X, with homebrew already installed, I like
brew install openssh --with-keychain-support && brew link openssh --force
…and if you can’t update your OpenSSH version:
ssh-keygen -t rsa -b 15360
A 15k key you say? Crazy you say? Yes. Then again, NIST and ENISA said 15k, so I figure that applies everywhere you have to use RSA.
Edit ~/.ssh/config and use only strong ciphers by adding:
NIST, ENISA, and probably others recommend a 15k RSA key as your private key for an SSL certificate:
openssl genrsa -out private.key 15360
If you need to make a certificate signing request (CSR) you need to make sure you’re using SHA-2:
openssl req -new -sha512 -key private.key -out request.csr
…which may or may not work with your CA, or the site you’re buying your certificate from. In which case:
openssl req -new -sha256 -key private.key -out request.csr
…and if they don’t like that use someone else.
Apache (or whatever you’re configuring to use SSL)
To keep things simple, I’m only going to outline apache. I’m using version 2.4.7 as of this second. Other servers have similar settings. If they don’t, don’t use them.
Wherever you configure mod_ssl, e.g. /etc/apache2/mods-enabled/ssl.conf or somewhere similar like that, you should set this:
SSLProtocol -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 SSLHonorCipherOrder on SSLCipherSuite ALL:!aNULL:!EXPORT:!LOW:!MEDIUM:!RC2:!3DES:!MD5:!DSS:!SEED:!RC4:!PSK:@STRENGTH
You can tighten the screws even more by adding
!SHA1 in the list before
@STRENGTH, which is really cool until you realize you’re breaking everything but recent browsers, phones, tablets, and other devices.
Then, wherever you have
<VirtualHost *:443> blocks, or however you’ve specified you’re hosting on an encrypted port, you should add:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Which sets a mode that says “now that we’re talking over SSL all of my dependencies had better be over SSL too.”