Ssl

From silverwiki

security notes

sslv3

To disable the old SSL protocol versions, add this to the Apache config:

SSLProtocol all -SSLv2 -SSLv3

Note on sha1/sha256

You NEED to include the -sha256 option in signing commands, or openssl will sign with insecure sha1 by default. Maybe libressl is smarter?

Make a root CA cert

From: http://heepy.net/mediawiki/index.php/Diy_SSL_CA_%2B_android

openssl genrsa -aes256 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -days 10240 -sha256 -out rootCA.pem

hack your openssl.cnf to allow SANs (subject alternative names)

From: http://apetec.com/support/GenerateSAN-CSR.htm

cp /etc/ssl/openssl.cnf .

Edit the local file with the following changes:

# diff -c /etc/ssl/openssl.cnf /home/silver/ssl/openssl.cnf
*** /etc/ssl/openssl.cnf        2014-08-06 11:50:53.000000000 -0700
--- /home/silver/ssl/openssl.cnf        2015-03-11 13:18:51.026440687 -0700
***************
*** 107,112 ****
--- 107,113 ----
  default_keyfile       = privkey.pem
  distinguished_name    = req_distinguished_name
  attributes            = req_attributes
+ req_extensions = v3_req
  x509_extensions       = v3_ca # The extentions to add to the self signed cert

  # Passwords for private keys if not present they will be prompted for
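Review bot: req_extensions = v3_req goes into the [ req ] section, so every CSR generated with this file picks up the v3_req extensions, including whatever [alt_names] lists at that moment; keep this copy out of /etc/ssl so the system-wide default stays untouched. Style nit: the added line breaks the column alignment of the surrounding assignments (req_extensions        = v3_req would match).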
***************
*** 220,225 ****
--- 221,231 ----

  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+ subjectAltName = @alt_names
+
+ [alt_names]
+ DNS.1 = silvermag.net
+ DNS.2 = www.silvermag.net

  [ v3_ca ]
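Review bot: the hostnames are hard-wired into the generic copy of openssl.cnf, so reusing this file for another site silently issues a certificate for silvermag.net unless [alt_names] is edited first; a small per-site extfile holding only the subjectAltName and [alt_names] lines would avoid that. Also note that openssl x509 -req does not copy extensions out of the CSR, so it is the -extensions v3_req -extfile openssl.cnf passed at signing time, not the CSR, that puts these names into the certificate; the SAN in the CSR is informational.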

Make a new cert, signed by the CA and using the haxored conf, for the www. and root domain

Make a key and CSR

openssl genrsa -aes256 -out myserver.key 4096
openssl req -new -key myserver.key -out silvermag.net.csr -config openssl.cnf -sha256

Check it:

openssl req -text -noout -in silvermag.net.csr

Sign the CSR with the CA pem file and key

openssl x509 -req -days 365 -in silvermag.net.csr -CA ca/rootCA.pem -CAkey ca/rootCA.key -CAcreateserial -out silvermag.net.crt -extensions v3_req -extfile openssl.cnf -sha256

Check it:

openssl x509 -text -noout -in silvermag.net.crt

Mmm... that's nice.

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:silvermag.net, DNS:www.silvermag.net
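The whole procedure above (root CA, SAN config, CSR, signing), as an added shell example that is not from the wiki: instead of reading the -text dump by eye, it has openssl verify the chain and the hostname match, and reads back the signature algorithm. It assumes the openssl CLI is installed and uses constructed names and an unencrypted throwaway key.

```shell
# Added example, not from the wiki page: builds a throwaway root CA and a SAN server
# cert the way the page does, then checks it the way a script can: "openssl verify
# -verify_hostname" for the SAN, signature algorithm for the sha1 trap. Needs the
# openssl CLI; names are constructed; keys stay unencrypted only to run non-interactively.
set -eu

# Minimal openssl.cnf with the two changes from the diff on the page:
# req_extensions = v3_req under [ req ] and subjectAltName under [ v3_req ].
write_san_config() {
    cat >"$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_ca
prompt             = no
[ req_distinguished_name ]
CN = silvermag.net
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = silvermag.net
DNS.2 = www.silvermag.net
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}
# Root CA, server key/CSR and CA-signed cert in directory $1, every signature -sha256.
build_san_cert() {
    write_san_config "$1/openssl.cnf"
    openssl genrsa -out "$1/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/rootCA.key" -config "$1/openssl.cnf" \
        -subj "/CN=Demo Root CA" -days 3650 -sha256 -out "$1/rootCA.pem"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -config "$1/openssl.cnf" -sha256 -out "$1/server.csr"
    # x509 -req ignores extensions carried in the CSR; -extfile/-extensions is what adds the SAN.
    openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
        -CAcreateserial -sha256 -extensions v3_req -extfile "$1/openssl.cnf" -out "$1/server.crt" 2>/dev/null
}
# Succeeds only when server.crt chains to rootCA.pem and its SAN covers hostname $2.
cert_valid_for_host() {
    openssl verify -CAfile "$1/rootCA.pem" -verify_hostname "$2" "$1/server.crt" 2>&1 | grep -q ': OK$'
}
# Signature algorithm of server.crt, e.g. sha256WithRSAEncryption (sha1WithRSAEncryption = trap).
cert_sig_alg() {
    openssl x509 -noout -text -in "$1/server.crt" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
```

Run it with something like D=$(mktemp -d); build_san_cert "$D"; cert_valid_for_host "$D" www.silvermag.net && echo SAN ok; a hostname missing from [alt_names] makes cert_valid_for_host fail.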

apache

Copy your existing site configuration. Change the virtual host listen port to 443, and add the following lines:

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/silvermag.net.crt
        SSLCertificateKeyFile /etc/apache2/ssl/silvermag.net.key

Then run:

a2enmod ssl
apache2ctl restart

mediawiki

Edit LocalSettings.php. The line

$wgServer = "http://silvermag.net";

should be changed to

$wgServer = "//silvermag.net";

Then it will work with both http and https.

wordpress

Install the stupid https plugin because it's easy and it works.