[2017.Oct.20] mod_md is now available in the Apache Lounge 2.4.x builds, so I switched my certificate renewal tool from dehydrated (formerly letsencrypt.sh) to mod_md. For details, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
On October 7, when I tested my site with SSL Server Test, I found ‘OCSP Must Staple Not Supported’ in the report. I re-checked the old test report and saw ‘OCSP Must Staple Not Supported’ there too. I discussed this with くりくりさん in the comments on my Japanese blog. We also talked about Extended Validation (EV), CHACHA20, and Certificate Transparency (CT), but none of these three is available for my server right now. EV is expensive. The official Apache build already supports CHACHA20, but Apache Lounge version 2.4.23, which my server currently runs, does not yet; to use it I would have to build a supporting version myself, which is difficult for me. Apache does not support CT yet.
However, I did change several things about my server’s TLS environment.
[1 OCSP_MUST_STAPLE]
Since dehydrated (formerly letsencrypt.sh) supports ‘OCSP Must Staple’ and has an option for it in its config file, I enabled that option and force-renewed the certificates.
The change in the config file.
#OCSP_MUST_STAPLE="no"
↓
OCSP_MUST_STAPLE="yes"
To force the renewal conveniently, you can use LetEncryptsh.bat with the following temporary change to the batch file (the added -x switch tells dehydrated to force renewal).
bash --login -i -c "/usr/local/letsencrypt.sh/letsencrypt.sh -c"
↓
bash --login -i -c "/usr/local/letsencrypt.sh/letsencrypt.sh -c -x"
Then run LetEncryptsh.bat. Afterwards, revert the line above to its original form.
By the way, I took this occasion to remove ‘ECDHE-RSA-AES256-SHA’ from my SSLCipherSuite and to restrict SSLProtocol to TLS 1.2 only. Here is the SSL Server Test result at this point.
[2 ECDH (Elliptic curve Diffie–Hellman)]
When I was checking the dehydrated config file, I found the public key algorithm option, which includes secp384r1. So I created certificates with a secp384r1 elliptic-curve key, to be used with ECDHE key exchange.
Before you start, check whether your OpenSSL supports secp384r1. Run cmd.exe.
>pushd /pathto/Apache24/bin
>openssl ecparam -list_curves
(snip)
  secp384r1 : NIST/SECG curve over a 384 bit prime field
(snip)
The change in the config file.
#KEY_ALGO=rsa
↓
KEY_ALGO=secp384r1
Run LetEncryptsh.bat to force the renewal.
Confirm that you got elliptic-curve (secp384r1) certificates. Run cmd.exe.
>pushd /pathto/Apache24/bin
>openssl ec -in /pathto/server.key -text
read EC key
Private-Key: (384 bit)
priv:
    (snip)
pub:
    (snip)
ASN1 OID: secp384r1
NIST CURVE: P-384
writing EC key
-----BEGIN EC PRIVATE KEY-----
(snip)
-----END EC PRIVATE KEY-----
Here are the SSL Server Test result and the SSLCipherSuite at this point.
[3 Cipher Strength at least 256-bit]
Change SSLCipherSuite. I customized the Mozilla modern profile, like this.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
↓
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
Restart Apache.
Here is the SSL Server Test result at this point.
[4 Both ECDH kx 384-bit and Cipher Strength at least 256-bit]
Add the next two lines to ssl.conf.
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp384r1
Restart Apache.
Here are the SSL Server Test result and the SSLCipherSuite at this point.
[5 ECDH kx 384-bit]
Change SSLCipherSuite like this.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256
Leave the next two lines in ssl.conf.
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp384r1
Restart Apache.
Here is the SSL Server Test result at this point.
This 5th configuration is my current one.
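Before restarting Apache, it is worth checking what the local OpenSSL really makes of the SSLCipherSuite lists in steps 3 and 5. The following is an added example, not code from the original post or from dehydrated: it feeds the post’s three cipher lists to OpenSSL through Python’s ssl module (the same SSL_CTX_set_cipher_list call mod_ssl makes) and reports the surviving TLS 1.2 suites, their minimum key strength, whether they all use ECDSA (the only kind a secp384r1 certificate can serve), and the TLS 1.3 suites the list does not control.

```python
"""Audit Apache SSLCipherSuite values with the local OpenSSL, offline."""
import ssl

# Cipher lists copied from the post: the customized Mozilla modern profile
# the author started with, the 256-bit-only list of step 3, and the final
# list of step 5.
STEP0 = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
         "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
         "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
         "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")
STEP3 = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384"
STEP5 = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
         "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256")


def audit_cipher_list(cipher_string):
    """Return what OpenSSL really enables for one SSLCipherSuite value.

    The ssl module hands the string to SSL_CTX_set_cipher_list, the same
    call mod_ssl makes, so the result reflects the local OpenSSL build.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # SSLError if no suite matches at all
    enabled = ctx.get_ciphers()     # dicts: name, protocol, strength_bits, ...
    tls12 = [c for c in enabled if c["protocol"] != "TLSv1.3"]
    tls13 = [c for c in enabled if c["protocol"] == "TLSv1.3"]
    return {
        "tls12_names": [c["name"] for c in tls12],
        "min_bits_tls12": min(c["strength_bits"] for c in tls12),
        # An EC (secp384r1) certificate can only serve ECDSA-authenticated
        # suites; ECDHE-RSA entries in the list would never be negotiated.
        "ecdsa_only": all(c["name"].startswith("ECDHE-ECDSA-") for c in tls12),
        # Caveat: a cipher list never restricts TLS 1.3 suites, so on an
        # OpenSSL 1.1.1+ build TLS_AES_128_GCM_SHA256 stays enabled unless
        # the separate TLS 1.3 cipher setting is used.
        "tls13_names": [c["name"] for c in tls13],
        "min_bits_any": min(c["strength_bits"] for c in enabled),
    }


if __name__ == "__main__":
    for label, lst in (("start", STEP0), ("step 3", STEP3), ("step 5", STEP5)):
        r = audit_cipher_list(lst)
        print(f"{label}: min {r['min_bits_tls12']}-bit over TLS 1.2, "
              f"ECDSA-only={r['ecdsa_only']}, TLS 1.3 suites={r['tls13_names']}")
```

On an OpenSSL build without TLS 1.3 the tls13_names list is simply empty and min_bits_any equals min_bits_tls12.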