
Enabling TLS Just got a Little Bit Easier

Scott Simontis

We all know that enabling HTTPS is one of the ten commandments of web development, but it's always a pain and there's always a brilliant justification to put it off until later. Well, not anymore. Mozilla has released a generator that will write your secure configuration automatically.

Whaaaa? It's true! It supports a number of web servers, including nginx and Apache, database connections (PostgreSQL and MySQL) and even some cloud resources (AWS). Several more web servers are offered, some of which I don't feel like Googling right now.

You choose from one of three security levels after you have selected the system to configure. Modern supports TLS 1.3 and is great if you have no need for backwards compatibility of any sort. Unfortunately, that's not a reality we work in, so an Intermediate general-case option is available. There's an Old option which is listed as a last resort and should be avoided unless you have tested Intermediate and it isn't working for you.

You can even control the version of OpenSSL and the server that you are using. I couldn't find any combinations of server versions and OpenSSL versions that drastically affected configurations of interest to me, but it's there for you to check out.

The only option I needed to look up was OCSP Stapling. I still don't know that I have mastered it, but here's a shot at explaining it in my own words: OCSP is an alternative to Certificate Revocation Lists, which your browser uses to find out whether an SSL certificate is still trustworthy, all the way up the certificate chain to the root certificate. OCSP Stapling lets your server make the request to the OCSP responder itself and do this validation on the user's behalf.

That sounds like something a shady website could take advantage of, right? Actually, it is better for your privacy. Since your browser isn't doing the revocation check itself, the Certificate Authority never sees a logged request from your browser. The signed OCSP response is sent to your browser during the TLS handshake (in answer to its Certificate Status Request), so your browser can verify that the response is legit. It also speeds up the handshake because the browser doesn't need a separate connection to the CA!

If that last paragraph sounded like gibberish to you, let me know and I will try to create a post going into how security certificates work. Which will probably end up being a series because it's a LOT of information!

Here is what I have been given for PostgreSQL 11.3, on the Intermediate setting, because PostgreSQL apparently doesn't support TLS 1.3 exclusively at this time. I didn't do that, and I wouldn't have known I needed this config snippet either.

# 2019-08-27, https://ssl-config.mozilla.org/#server=postgresql&server-version=11.3&config=intermediate
ssl = on

ssl_cert_file = '/path/to/signed_cert_plus_intermediates'
ssl_key_file = '/path/to/private_key'

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
ssl_dh_params_file = '/path/to/dhparam.pem'

ssl_ciphers = 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
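A small sanity check for a snippet like the one above, added here as an example (it is not from the post or from Mozilla's generator): it parses the `key = value` lines and flags the things the Intermediate profile is supposed to guarantee, namely SSL switched on, certificate and key paths set, a DH parameter file whenever DHE suites are enabled, and only forward-secret AEAD suites. The embedded config is a constructed copy of the page's snippet with one deliberately weak suite appended so the checker has something to report.

```python
import re

# Constructed sample: the page's PostgreSQL snippet, with a non-forward-secret,
# non-AEAD suite (AES128-SHA) appended on purpose so lint() has a finding.
SAMPLE_CONF = """\
# 2019-08-27, https://ssl-config.mozilla.org/#server=postgresql&server-version=11.3&config=intermediate
ssl = on
ssl_cert_file = '/path/to/signed_cert_plus_intermediates'
ssl_key_file = '/path/to/private_key'
ssl_dh_params_file = '/path/to/dhparam.pem'
ssl_ciphers = 'ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES128-SHA'
"""

# postgresql.conf style: key = value, optional single quotes, optional trailing comment
_LINE = re.compile(r"^\s*([a-z_]+)\s*=\s*'?([^'#]*?)'?\s*(?:#.*)?$")


def parse_conf(text):
    """Return {key: value} for the settings in `text`; blank and comment lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def weak_suites(cipher_string):
    """Suites in an OpenSSL cipher string that lack forward secrecy (ECDHE/DHE) or an AEAD mode."""
    return [s for s in cipher_string.split(":")
            if not (s.startswith(("ECDHE-", "DHE-")) and ("-GCM-" in s or "CHACHA20" in s))]


def lint(text):
    """Return a list of findings; an empty list means the snippet matches the profile's intent."""
    s = parse_conf(text)
    findings = []
    if s.get("ssl") != "on":
        findings.append("ssl is not 'on'")
    for key in ("ssl_cert_file", "ssl_key_file"):
        if not s.get(key):
            findings.append(f"{key} is not set")
    ciphers = s.get("ssl_ciphers", "")
    # DHE suites need a DH group; the generator points you at Mozilla's ffdhe2048.txt for it
    if any(c.startswith("DHE-") for c in ciphers.split(":")) and not s.get("ssl_dh_params_file"):
        findings.append("DHE suites enabled but ssl_dh_params_file is not set")
    findings += [f"weak suite: {c}" for c in weak_suites(ciphers)]
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)) or "no findings")
```

Point it at your real postgresql.conf with `lint(open(path).read())`; the page's unmodified snippet produces no findings.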

In case you missed it, here is the link again: https://ssl-config.mozilla.org/. Grab your Let's Encrypt certificate and start locking things down! If you don't know how to obtain a free certificate from Let's Encrypt, please let me know in the comments and I will make sure to write an article that helps you out.

Happy configuring everyone, and congratulations on another Monday survived!

Scott Simontis

@ssimontis

Versatile software engineer with a background in .NET consulting and CMS development. Working on regaining my embedded development skills to get more involved with IoT opportunities.
