Security/Certificate/TLS: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
← Older edit
VisualWikitext
 
(11 intermediate revisions by the same user not shown)
Line 13: Line 13:


==Disable » TLSv1 » TLSv1.1==
==Disable » TLSv1 » TLSv1.1==
* [https://ssl-config.mozilla.org/ Security » Certificate » TLS » Configuration Generator]
==Enable » TLSv1.2 » TLSv1.3==
==Enable » TLSv1.2 » TLSv1.3==
===Enable » TLSv1.2 » TLSv1.3 » Nginx===
✅ '''Security » Certificate » TLS » cid.chorke.org'''
www.cdn77.com/tls-test/result?domain=cid.chorke.org
✅ '''Security » Certificate » TLS » auto.loanplus.io'''
www.cdn77.com/tls-test/result?domain=auto.loanplus.io
✅ '''Security » Certificate » TLS » apix.loanplus.io'''
www.cdn77.com/tls-test/result?domain=apix.loanplus.io
✅ '''Security » Certificate » TLS » ci.finology.group'''
www.cdn77.com/tls-test/result?domain=ci.finology.group
✅ '''Security » Certificate » TLS » id.finology.group'''
www.cdn77.com/tls-test/result?domain=id.finology.group
✅ '''Security » Certificate » TLS » n8n.finology.group'''
www.cdn77.com/tls-test/result?domain=n8n.finology.group
✅ '''Security » Certificate » TLS » mail.finology.group'''
www.cdn77.com/tls-test/result?domain=mail.finology.group
✅ '''Security » Certificate » TLS » minio.finology.group'''
www.cdn77.com/tls-test/result?domain=minio.finology.group
✅ '''Security » Certificate » TLS » files.minio.finology.group'''
www.cdn77.com/tls-test/result?domain=files.minio.finology.group
🟥 '''Security » Certificate » TLS » dev-files.loanstreet.com.my'''
www.cdn77.com/tls-test/result?domain=dev-files.loanstreet.com.my
 
==Enable » TLSv1.2 » TLSv1.3 » Nginx==
* [https://ssl-config.mozilla.org/#server=nginx&version=1.27.3&config=intermediate&openssl=3.4.0&ocsp=false&guideline=5.7 Security » Certificate » TLS » Configuration Generator » Nginx]
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt\
curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt\
Line 43: Line 76:
</syntaxhighlight>
</syntaxhighlight>


===Enable » TLSv1.2 » TLSv1.3 » Apache===
==Enable » TLSv1.2 » TLSv1.3 » Apache==
===Enable » TLSv1.2 » TLSv1.3 » HAProxy===
* [https://ssl-config.mozilla.org/#server=apache&version=2.4.60&config=intermediate&openssl=3.4.0&ocsp=false&guideline=5.7 Security » Certificate » TLS » Configuration Generator » Apache]
 
==Enable » TLSv1.2 » TLSv1.3 » HAProxy==
* [https://ssl-config.mozilla.org/#server=haproxy&version=3.0&config=intermediate&openssl=3.4.0&guideline=5.7 Security » Certificate » TLS » Configuration Generator » HAProxy]
 
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
Line 60: Line 97:
CFG
CFG
</syntaxhighlight>
</syntaxhighlight>
==Enable » TLSv1.2 » TLSv1.3 » PostgreSQL==
* [https://ssl-config.mozilla.org/#server=postgresql&version=17.2&config=intermediate&openssl=3.4.0&guideline=5.7 Security » Certificate » TLS » Configuration Generator » PostgreSQL]
==Playground==
{|
| valign="top" |
<syntaxhighlight lang="bash">
openssl s_client -tls1  -connect cid.chorke.org:443 </dev/null
openssl s_client -tls1_1 -connect cid.chorke.org:443 </dev/null
openssl s_client -tls1_2 -connect cid.chorke.org:443 </dev/null
openssl s_client -tls1_3 -connect cid.chorke.org:443 </dev/null
</syntaxhighlight>
| valign="top" colspan="2" |
<syntaxhighlight lang="bash">
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.aa.shahed.shahed.biz &>/dev/null &
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.ab.shahed.shahed.biz &>/dev/null &
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.ac.shahed.shahed.biz &>/dev/null &
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.ad.shahed.shahed.biz &>/dev/null &
</syntaxhighlight>
|-
| colspan="3" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
</syntaxhighlight>
|}


==References==
==References==
{|
{|
|valign='top'|
|valign='top'|
* [[Apache Basic Authentication|Security » HTTP » Basic Authentication]]
* [[OpenLDAP/BackSQL|Security » OpenLDAP » BackSQL]]
* [[OpenLDAP/BackSQL|Security » OpenLDAP » BackSQL]]
* [[Java Key Store|Security » Java » Key Store]]
* [[Java Key Store|Security » Java » Key Store]]
Line 71: Line 145:
* [[Security/Password|Security » Password]]
* [[Security/Password|Security » Password]]
* [[ZA Proxy|Security » ZA Proxy]]
* [[ZA Proxy|Security » ZA Proxy]]
* [[Security/Domain|Security » Domain]]
* [[Spring Security|Security » Spring]]
* [[Spring Security|Security » Spring]]
* [[HTTP Security|Security » HTTP]]
* [[HTTP Security|Security » HTTP]]
Line 81: Line 156:
* [[SSH/Public Key Authentication|Security » SSH » Public Key Authentication]]
* [[SSH/Public Key Authentication|Security » SSH » Public Key Authentication]]
* [https://community.letsencrypt.org/t/how-to-enable-tls-1-3-in-nginx-configuration-solved/136337/9 Security » Certificate » TLSv1.3 » Nginx]
* [https://community.letsencrypt.org/t/how-to-enable-tls-1-3-in-nginx-configuration-solved/136337/9 Security » Certificate » TLSv1.3 » Nginx]
* [[Apache Basic Authentication|Security » HTTP » Basic Authentication]]
* [[Security/Container/Snyk|Security » Container » Snyk]]
* [[Security/Container/Trivy|Security » Container » Trivy]]
* [[Jasypt|Security » Jasypt]]


|valign='top'|
|valign='top'|

Latest revision as of 23:18, 7 July 2025

# TLSv1.3 supported:
# if haproxy -v >= 1.8.1  && openssl -v >= 1.1.1
# if apache2 -v >= 2.4.36 && openssl -v >= 1.1.1
# if nginx   -v >= 1.23.4 && openssl -v >= 1.1.1

openssl  version
openssl -v
haproxy -v
apache2 -v
nginx   -v

Disable » TLSv1 » TLSv1.1

Enable » TLSv1.2 » TLSv1.3

Security » Certificate » TLS » cid.chorke.org
www.cdn77.com/tls-test/result?domain=cid.chorke.org

✅ Security » Certificate » TLS » auto.loanplus.io
www.cdn77.com/tls-test/result?domain=auto.loanplus.io

✅ Security » Certificate » TLS » apix.loanplus.io
www.cdn77.com/tls-test/result?domain=apix.loanplus.io

✅ Security » Certificate » TLS » ci.finology.group
www.cdn77.com/tls-test/result?domain=ci.finology.group

✅ Security » Certificate » TLS » id.finology.group
www.cdn77.com/tls-test/result?domain=id.finology.group

✅ Security » Certificate » TLS » n8n.finology.group
www.cdn77.com/tls-test/result?domain=n8n.finology.group

✅ Security » Certificate » TLS » mail.finology.group
www.cdn77.com/tls-test/result?domain=mail.finology.group

✅ Security » Certificate » TLS » minio.finology.group
www.cdn77.com/tls-test/result?domain=minio.finology.group

✅ Security » Certificate » TLS » files.minio.finology.group
www.cdn77.com/tls-test/result?domain=files.minio.finology.group

🟥 Security » Certificate » TLS » dev-files.loanstreet.com.my
www.cdn77.com/tls-test/result?domain=dev-files.loanstreet.com.my

Enable » TLSv1.2 » TLSv1.3 » Nginx

curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt\
 | sudo tee /etc/nginx/dhparam.pem >/dev/null

cat << CFG | sudo tee /etc/nginx/sites-available/academia.chorke.org >/dev/null
server {
  listen 443 ssl;

  ssl on;
  server_name academia.chorke.org;
  ssl_certificate /etc/letsencrypt/live/academia.chorke.org/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/academia.chorke.org/privkey.pem;

  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1.3 TLSv1.2;
# ssl_dhparam /etc/nginx/dhparam.pem;
# ssl_ciphers "EECDH+AESGCM,EDH+AESGCM";
  ssl_ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";

# -- skipped --

  error_page 500 502 503 504 /500.html;
  client_max_body_size 25M;
  keepalive_timeout 10;
}
CFG

Enable » TLSv1.2 » TLSv1.3 » Apache

Enable » TLSv1.2 » TLSv1.3 » HAProxy

cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then cat ${d}/{fullchain,privkey}.pem|tee ${d}.pem >/dev/null;fi;done
SSL_CRT_LIST="$(cd /etc/letsencrypt/live/;for d in *;do if [ -d "${d}" ];then printf "crt ${PWD}/${d}.pem ";fi;done)"
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null

# ##############################################################################
# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc

frontend           fnt_shahed_biz_ssl
   bind            *:443 ssl ${SSL_CRT_LIST}alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
   mode            http

CFG

Enable » TLSv1.2 » TLSv1.3 » PostgreSQL

Playground

openssl s_client -tls1   -connect cid.chorke.org:443 </dev/null
openssl s_client -tls1_1 -connect cid.chorke.org:443 </dev/null
openssl s_client -tls1_2 -connect cid.chorke.org:443 </dev/null
openssl s_client -tls1_3 -connect cid.chorke.org:443 </dev/null

xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.aa.shahed.shahed.biz &>/dev/null &
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.ab.shahed.shahed.biz &>/dev/null &
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.ac.shahed.shahed.biz &>/dev/null &
xdg-open https://www.cdn77.com/tls-test/result?domain=k8s.ad.shahed.shahed.biz &>/dev/null &

References

Retrieved from "https://wiki.chorke.org/index.php?title=Security/Certificate/TLS&oldid=15240"