From silverwiki

security notes


To disable the old SSL protocol versions, add this to the Apache config:

SSLProtocol all -SSLv2  -SSLv3

Note on sha1/sha256

You NEED to include the -sha256 option in signing commands, or openssl will sign with insecure SHA-1 by default. Maybe libressl is smarter?

Make a root CA cert


openssl genrsa -aes256 -out rootCA.key 4096
openssl req -x509 -new -nodes -sha256 -key rootCA.key -days 10240 -out rootCA.pem

Hack your openssl.cnf to allow SANs (subject alternative names)


cp /etc/ssl/openssl.cnf .

Edit the local file with the following changes:

# diff -c /etc/ssl/openssl.cnf /home/silver/ssl/openssl.cnf
*** /etc/ssl/openssl.cnf        2014-08-06 11:50:53.000000000 -0700
--- /home/silver/ssl/openssl.cnf        2015-03-11 13:18:51.026440687 -0700
*** 107,112 ****
--- 107,113 ----
  default_keyfile       = privkey.pem
  distinguished_name    = req_distinguished_name
  attributes            = req_attributes
+ req_extensions = v3_req
  x509_extensions       = v3_ca # The extentions to add to the self signed cert

  # Passwords for private keys if not present they will be prompted for
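Review bot: `req_extensions = v3_req` only puts the v3_req extensions into the CSR; `openssl x509 -req` does not copy extensions from a CSR into the certificate it signs, so the signing command must still pass `-extensions v3_req -extfile openssl.cnf` (as the signing step further down this page does). A comment on the added line saying so would spare the next reader a signed cert with no SAN.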
*** 220,225 ****
--- 221,231 ----

  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+ subjectAltName = @alt_names
+ [alt_names]
+ DNS.1 =
+ DNS.2 =

  [ v3_ca ]
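Review bot: the `DNS.1 =` and `DNS.2 =` values in the new `[alt_names]` section are empty as shown; they need to list both the bare domain and the www. hostname, because clients ignore the CN once a subjectAltName is present. Also note that because these names live in openssl.cnf itself, every certificate later signed with `-extfile openssl.cnf` inherits the same two names unless the file is edited per certificate.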

Make a new cert, signed by the CA and using the haxored conf, for the www. and root domain

Make a key and CSR

openssl genrsa -aes256 -out myserver.key 4096
openssl req -new -key myserver.key -out myserver.csr -config openssl.cnf -sha256

Check it:

openssl req -text -noout -in myserver.csr

Sign the CSR with the CA's pem file and key

openssl x509 -req -days 365 -in myserver.csr -CA ca/rootCA.pem -CAkey ca/rootCA.key -CAcreateserial -out -extensions v3_req -extfile openssl.cnf -sha256

Check it:

openssl x509 -text -noout -in

Mmm... that's nice.

        X509v3 extensions:
            X509v3 Basic Constraints:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
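The whole procedure above (encrypted CA key, config with SANs, CSR, SHA-256 signing, then checking the result) as one non-interactive script. This is an added example, not from the wiki page; example.test, www.example.test, the passphrase and the 30-day validity are constructed values, and it uses 2048-bit keys so it runs quickly.

```shell
# Added example (not the wiki page's own commands): runs the CA -> CSR -> signed
# cert procedure in a scratch directory and checks what came out.
set -eu
# make_san_cert DIR: writes rootCA.{key,pem} and myserver.{key,csr,crt} into DIR
make_san_cert() {
  dir=$1
  pass="constructed-passphrase"   # constructed; use a real passphrase for real keys
  cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_ca
prompt             = no
[ req_distinguished_name ]
CN = example.test
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = example.test
DNS.2 = www.example.test
EOF
  # Root CA: -aes256 must precede the bit count, or genrsa silently ignores it
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 30 -config "$dir/openssl.cnf" -subj "/CN=Example Root CA" \
    -key "$dir/rootCA.key" -passin "pass:$pass" -out "$dir/rootCA.pem"
  # Server key and CSR; the CSR carries the SANs because of req_extensions = v3_req
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/myserver.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$dir/openssl.cnf" -subj "/CN=example.test" \
    -key "$dir/myserver.key" -passin "pass:$pass" -out "$dir/myserver.csr"
  # Sign: x509 -req drops CSR extensions, so v3_req is re-supplied via -extfile
  openssl x509 -req -sha256 -days 30 -in "$dir/myserver.csr" -CA "$dir/rootCA.pem" \
    -CAkey "$dir/rootCA.key" -passin "pass:$pass" -CAcreateserial \
    -extensions v3_req -extfile "$dir/openssl.cnf" -out "$dir/myserver.crt" 2>/dev/null
}
# check_san_cert DIR: returns 0 when the CA key is encrypted, the chain verifies and
# the leaf is SHA-256 signed with both SANs; each failing check has its own code
check_san_cert() {
  dir=$1
  grep -q ENCRYPTED "$dir/rootCA.key" || return 1
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/myserver.crt" >/dev/null 2>&1 || return 2
  text=$(openssl x509 -noout -text -in "$dir/myserver.crt")
  printf '%s\n' "$text" | grep -q 'sha256WithRSAEncryption' || return 3
  printf '%s\n' "$text" | grep -q 'DNS:example.test' || return 4
  printf '%s\n' "$text" | grep -q 'DNS:www.example.test' || return 5
}
```

The two functions are library-style: run make_san_cert on a scratch directory, then check_san_cert on the same directory, which returns 0 only when every check passes.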


Copy your existing site configuration. Change the virtual host listen port to 443, and add the following lines:

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/
        SSLCertificateKeyFile /etc/apache2/ssl/


a2enmod ssl
apache2ctl restart


Edit LocalSettings.php. The line

$wgServer = "";

Should be changed to

$wgServer = "//";

Then it will work over both http and https.


Install the stupid https plugin because it's easy and it works.