openssl maximale bits und stärkste verschlüsselung

C

conym18

Member
hallo,

ich möchte gerne auf meinem XAMPP das openSSL ein wenig stärken.

derzeit habe ich ein Zertifikat mit:

Signaturalgorithmus: sha1RSA
Signaturhashalgorithmus: sha1
Öffentlicher Schlüssel: RSA (1024Bits)
Fingerdruckalgorithmus: sha1

Gerne würde ich auf RSA 4096 Bit und weg von sha1

Mein makecert.bat sieht derzeit folgendermaßen aus:

Code: 
@echo off
set OPENSSL_CONF=./bin/openssl.cnf

if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key

bin\openssl req -new -out server.csr
bin\openssl rsa -in privkey.pem -out server.key
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365


set OPENSSL_CONF=
del .rnd
del privkey.pem
del server.csr

move /y server.crt .\conf\ssl.crt
move /y server.key .\conf\ssl.key

echo.
echo -----
echo Das Zertifikat wurde erstellt.
echo The certificate was provided.
echo.
pause

In meiner openssl.conf habe ich schon folgendes eingestellt:

default_bits = 4096

Was muss ich noch einstellen um die stärkste verschlüsselung zu erreichen?

Wenn ich noch folgende Änderung in der .conf einstelle, bleibt dies ohne Beachtung:

default_md = sha256
 
Last edited by a moderator:
In Dein Shellscript musst Du es selbst einbauen (OpenSSL >=1.0.1):
Code: 
openssl genpkey \
    -aes-256-cbc \
    -algorithm RSA \
    -pkeyopt rsa_keygen_bits:4096 \
    -out server.enc.key
openssl req \
    -new \
    -sha256 \
    -out server.csr \
    -key server.enc.key
openssl x509 \
    -req \
    -sha256 \
    -in server.csr \
    -out server.crt \
    -signkey server.enc.key
openssl pkey \
    -in server.enc.key \
    -out server.key
 
mhmm, bekomme beim SSL Report (https://www.ssllabs.com/ssltest/index.html) aber weiterhin nur Overall Rating F hin.

Hier mal der Auszug:


Authentication


Server Key and Certificate #1

Common names *.meinNAME.com
Alternative names -
Prefix handling Not required for subdomains
Valid from Fri Sep 26 06:37:01 UTC 2014
Valid until Sun Oct 26 06:37:01 UTC 2014 (expires in 29 days, 21 hours)
Key RSA 4096 bits
Weak key (Debian) No
Issuer *.pd-meinNAME.com Self-signed
Signature algorithm SHA256withRSA
Extended Validation No
Revocation information None
Trusted No NOT TRUSTED (Why?)



Additional Certificates (if supplied)

Certificates provided 1 (1526 bytes)
Chain issues None



Certification Paths

Path #1: Not trusted (path does not chain to a trusted anchor)
1 Sent by server
Not in trust store *.meinNAME.com
SHA1: 1203c86ab85a6ca67a377e51b35638eee3d0226d
RSA 4096 bits / SHA256withRSA


Configuration


Protocols

TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 Yes
SSL 2 INSECURE Yes



Cipher Suites (sorted by strength; the server has no preference)

SSL_CK_RC4_128_EXPORT40_WITH_MD5 (0x20080) INSECURE 40
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080) INSECURE 40
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) DH 512 bits (p: 64, g: 1, Ys: 64) FS WEAK 40
SSL_CK_DES_64_CBC_WITH_MD5 (0x60040) INSECURE 56
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK 56
SSL_CK_RC4_128_WITH_MD5 (0x10080) INSECURE 128
SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080) INSECURE 128
SSL_CK_IDEA_128_CBC_WITH_MD5 (0x50080) INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_IDEA_CBC_SHA (0x7) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) 128
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0) INSECURE 112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256



Handshake Simulation

Android 2.3.7 No SNI 2 TLS 1.0 TLS_RSA_WITH_RC4_128_MD5 (0x4) No FS RC4 128
Android 4.0.4 TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256
Android 4.1.1 TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256
Android 4.2.2 TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256
Android 4.3 TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256
Android 4.4.2 TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS 256
BingBot Dec 2013 No SNI 2 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) No FS 128
BingPreview Jun 2014 TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256
Chrome 37 / OS X R TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) FS 128
Firefox 24.2.0 ESR / Win 7 TLS 1.0 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) FS 256
Firefox 32 / OS X R TLS 1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS 128
Googlebot Jun 2014 TLS 1.0 TLS_RSA_WITH_RC4_128_SHA (0x5) No FS RC4 128
IE 6 / XP No FS 1 No SNI 2 SSL 3 TLS_RSA_WITH_RC4_128_MD5 (0x4) No FS RC4 128
IE 7 / Vista TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) No FS 128
IE 8 / XP No FS 1 No SNI 2 TLS 1.0 TLS_RSA_WITH_RC4_128_MD5 (0x4) No FS RC4 128
IE 8-10 / Win 7 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) No FS 128
IE 11 / Win 7 R TLS 1.2 TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) No FS 128
IE 11 / Win 8.1 R TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS 256
IE Mobile 10 / Win Phone 8.0 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) No FS 128
IE Mobile 11 / Win Phone 8.1 TLS 1.2 TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) No FS 128
Java 6u45 No SNI 2 TLS 1.0 TLS_RSA_WITH_RC4_128_MD5 (0x4) No FS RC4 128
Java 7u25 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) No FS 128
Java 8b132 TLS 1.2 TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) No FS 128
OpenSSL 0.9.8y TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256
OpenSSL 1.0.1h TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS 256
Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) No FS 128
Safari 6 / iOS 6.0.1 R TLS 1.2 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) No FS 256
Safari 7 / iOS 7.1 R TLS 1.2 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) No FS 256
Safari 8 / iOS 8.0 Beta R TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) FS 256
Safari 6.0.4 / OS X 10.8.4 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) No FS 128
Safari 7 / OS X 10.9 R TLS 1.2 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) No FS 256
Yahoo Slurp Jun 2014 No SNI 2 TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS 256
YandexBot Sep 2014 TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS 256
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).



Protocol Details

Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation No
BEAST attack Not mitigated server-side (more info) SSL 3: 0x6, TLS 1.0: 0x6
TLS compression No
RC4 Yes (not with TLS 1.1 and newer) (more info)
Heartbeat (extension) Yes
Heartbleed (vulnerability) No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) No (more info)
Forward Secrecy With some browsers (more info)
Next Protocol Negotiation No
Session resumption (caching) Yes
Session resumption (tickets) Yes
OCSP stapling No
Strict Transport Security (HSTS) No
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance TLS 2.98
SSL 2 handshake compatibility Yes



Miscellaneous

Test date Fri Sep 26 09:01:50 UTC 2014
Test duration 95.964 seconds
HTTP status code 200
HTTP server signature Apache/2.2.21 (Win32) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.1i PHP/5.3.8
Server hostname XXXXXX.dyndsl.XXXXXXX.de
PCI compliant No
FIPS-ready No
 
hans01 said:
XAMPP und Sicherheit sind 2 Dinge die nicht zusammengehören...
Click to expand...

Wahre Worte.

@conym18:
Steht doch alles schön detailliert auf der Seite, wieso du schlechtere Bewertungen bekommst?

Du musst natürlich auch im Webserver die schlechteren Verschlüsselungen deaktivieren, um bei SSLLabs bessere Bewertungen zu bekommen - nur bessere Zertifikate helfen dagegen nicht.
Siehe: https://www.google.com/search?q=apache2 disable weak ciphers

Die Seite berechnet auch ein, ob dem Zertifikat vertraut wird oder eben nicht, etc.
 
Apache 2.4 SSL-Config:
Code: 
<IfModule ssl_module>
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect file:/dev/urandom 512
    SSLPassPhraseDialog builtin
    <IfModule socache_shmcb_module>
        SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
    </IfModule>
    <IfModule !socache_shmcb_module>
        <IfModule socache_dbm_module>
            SSLSessionCache "dbm:/var/run/ssl_scache"
        </IfModule>
        <IfModule !socache_dbm_module>
            SSLSessionCache "nonenotnull"
        </IfModule>
    </IfModule>
    SSLSessionCacheTimeout 300
    SSLCompression Off
    SSLHonorCipherOrder On
    SSLStrictSNIVHostCheck On
    SSLProtocol -ALL +TLSv1 +TLSv1.2
    SSLCipherSuite "EECDH+AES256 EECDH+AES128 EDH+AES256 EDH+AES128 !CAMELLIA !RC4 !3DES !IDEA !SEED !PSK !SRP !DSS !eNULL !aNULL !LOW !EXP"
    <FilesMatch "\.(php|phps|php5|phtml|cgi|pl|py|shtml)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    CustomLog "/var/log/httpd-ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    Include "etc/apache24/vhosts-ssl.conf"
</IfModule>
 
conym18 said:
mhmm, bekomme beim SSL Report (https://www.ssllabs.com/ssltest/index.html) aber weiterhin nur Overall Rating F hin.

Hier mal der Auszug:
[...nicht gequoteter Textblob...]
Click to expand...

Es wäre hilfreicher gewesen, einen kleinen Screenshot vom Summary zu machen, als den ganzen Text hier rein zu kotzen.
Die Balken sagen doch genau an, wo es hakt (Protipp: Kürzerer Balken mit kleinerer Zahl rechts daneben ist ein Problem).
Im weiteren Detail-Listing sind die ganzen problematischen Sachen farbig markiert (Protipp: Alles was rot ist, ist schlecht).

Wenn du eine Zusammenfassung daraus erstellst, kann dir hier sicherlich jemand bei der Behebung der Probleme helfen. Einfach alles ungefiltert (und um die leicht sichtbaren Informationen reduziert) hier abzuwerfen ist da sicherlich nicht hilfreich.

BTW:
https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide_2009e.pdf said:
...
For these reasons, any of the following certificate issues immediately result in a zero score:
...
Use of a self-signed certificate
...
Click to expand...
 
Last edited by a moderator:
You must log in or register to reply here.
Back
Top