Web Server Study Group #2 20101210


Slides for the 2nd Web Server Study Group: SSL/TLS.


    1. 1. Web #2 SSL/TLS 10 Dec 2010 @shin3 1
    2. 2. @shin3• Technical Editor & Writer (ASCII)• Web Application Engineer (Perl, PHP, Java, Scala)• Search Engine Engineer (Fast ESP, Lucene)• Linux Engineer (Xen, DRBD, Heartbeat)• iPhone Application Engineer (RainbowApps)• Social Application (Lead-Japan)• http://www.linkedin.com/in/shin3 2
    3. 3. • SSL/TLS• Apache httpd SSL 3
    4. 4. SSL/TLS• , , • , ,• SSL (Secure Socket Layer) • Netscape Communications• TLS (Transport Layer Security) • IETF (Internet Engineering Task Force) • SSL 3.0 4
    5. 5. Protocol Stack: Application (HTTP, FTP, SMTP, POP3, ...) / SSL/TLS (Handshake, Record) / Transport (TCP, UDP) / Internet (IP, ARP, ICMP) / Link (Ethernet, Wi-Fi, PPP, SLIP, ...) 5
    6. 6. SSL/TLS• •• •• • 6
    7. 7. SSLClient Server 7
    8. 8. SSL Handshake (Client / Server): Client Hello, Server Hello, Certificate, Server Hello Done, Client Key Exchange, Change Cipher Spec, Finished, Change Cipher Spec, Finished 8
    9. 9. SSL Handshake (WireShark) 9
    10. 10. Client Hello 10
    11. 11. Client Hello• Opera 11 beta 11
    12. 12. Server Hello 12
    13. 13. Apache httpd SSL• • (CA: Certification Authority) •• mod_ssl • 13
    14. 14. •• CSR (Certificate Signing Request)• 14
    15. 15. •• 15
    16. 16. •• CSR• 16
    17. 17. IP• IP Alias• DNS 17
    18. 18. IP 18
    19. 19. • TLS/SNI (Server Name Indication) • ClientHello• Apache httpd 2.2.12 (OpenSSL 0.9.8f ) • CentOS 5.5 OpenSSL 0.9.8e →• • http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers • SNI 19
    20. 20. 20
    21. 21. Subject Alternative Name• x.509 v3 extensions (RFC 5280)• CA SANs• SANs 21
    22. 22. Wildcard• Using TLS with IMAP, POP3 and ACAP (RFC 2959)• HTTP over TLS (RFC 2818)• CSR CN *.fuga.com 22
    23. 23. Upgrading to TLS Within HTTP/1.1• RFC 2817 • HTTP TLS Upgrade• Apache httpd 2.1• SSLEngine optional• 23
    24. 24. • ssl.conf 24
    25. 25. SSL Session Cache• SSL SSL Handshake• CentOS 5.5 shmcb• VPS 25
    26. 26. SSL Session Cache (Client / Server): Client Hello, Server Hello, Certificate, Server Hello Done, Client Key Exchange, Change Cipher Spec, Finished, Change Cipher Spec, Finished 26
    27. 27. SSL Session Cache• SSLSessionCache • shmcb = shared memory cyclic buffer → O(1) • shmht = shared memory hash table → O(1) • dbm = DataBase Management • dc = distcache • mc = memcached (2.3/2.4) 27
    28. 28. SSL Session Cache• SSLSessionTimeout• mod_status SSL/TLS Session Cache Status• 28
    29. 29. SSL Cipher Suite••••• Cipher Suite 29
    30. 30. SSL Cipher Suite• SSLCipherSuite • Cipher Suite • openssl ciphers 30
    31. 31. SSL Cipher Suite• :→• -A →• !A → ( )• A+B → AND• +A → 31
    32. 32. SSL Cipher Suite•
        # openssl ciphers -v ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
        DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
        AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
        DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
        DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
        AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
        KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
        KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
        EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
        EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
        DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
        KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
        KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
        RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
        RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
        KRB5-DES-CBC-MD5        SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(56)   Mac=MD5
        KRB5-DES-CBC-SHA        SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(56)   Mac=SHA1
        EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
        EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
        DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
    33. 33. SSL Cipher Suite• 56/64 bit Cipher Suite
        # openssl ciphers -v ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-LOW
        DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
        DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
        AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
        DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
        DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
        AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
        KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
        KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
        EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
        EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
        DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
        KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
        KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
        RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
        RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    34. 34. SSL Cipher Suite•
        # openssl ciphers -v AES:RC4:3DES:!EXP:!ADH:!SSLv2:@STRENGTH
        DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
        DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
        AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
        KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
        KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
        EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
        EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
        DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
        DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
        DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
        AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
        KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
        KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
        RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
        RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    35. 35. SSL Cipher Suite• 2010 • 2011 • 2048 bit • 3TDES (3-key Triple DES) , AES 128 • SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512) 35
    36. 36. • 36
    37. 37. •• 37
    38. 38. VPS• CPU (vCPU)•• SSL • • (UltraMonkey-L7 )• SSL Reverse Proxy (mod_proxy, Pound ) 38
    39. 39. LVM+NFS• VPS • 16 x 16 x 16 iowait 39
    40. 40. • IP• TLS/SNI Windows XP• Subject Alternative Name• Wildcard PC, SNI SANs Wildcard IP ○ Name × ○ 40
    41. 41. • CA 2048 bit• • Mobile Operator•• 41
    42. 42. • TLS 1.0: RFC 2246• TLS 1.1: RFC 4346• TLS 1.2: RFC 5246• Internet Protocol Suite: RFC 1122• Server Name Indication: RFC 4366• distcache: http://distcache.sf.net/• Upgrading to TLS Within HTTP/1.1: RFC 2817 42
    43. 43. • NTT : i • http://www.nttdocomo.co.jp/service/imode/make/content/ssl/spec/• au KDDI: EZfactory • http://www.au.kddi.com/ezfactory/tec/spec/ssl.html• Softbank Mobile: Mobile Creation • http://creation.mb.softbank.jp/web/web_ssl.html• Willcom: • http://www.willcom-inc.com/ja/service/contents_service/create/lineup/ 43
    44. 44. • TCP/IP SSL/TLS isbn: 4274065421 44
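
An added example, not part of the original slides: a Python audit that parses `openssl ciphers -v` output like that on slides 32 to 34 and reports any suite the slides' cipher strings are meant to exclude (56/64-bit encryption, anonymous DH, export-grade, SSLv2). The `audit` function, its `min_bits` threshold and the sample rows are assumptions constructed for illustration.

```python
import re

# One row of `openssl ciphers -v`: name, protocol, Kx=, Au=, Enc=, Mac=.
# Enc=None (NULL suites) has no "(bits)"; export rows end in " export".
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=\S+\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^()\s]+)(?:\((?P<bits>\d+)\))?\s+Mac=\S+(?P<exp>\s+export)?"
)

def audit(output, min_bits=128):
    """Map suite name -> reasons it breaks the policy the cipher string intends."""
    findings = {}
    # Text copied from slides or PDFs may carry U+2010 instead of "-".
    for line in output.replace("\u2010", "-").splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt lines, blanks, anything that is not a suite row
        reasons = []
        bits = int(m["bits"] or 0)
        if bits < min_bits:
            reasons.append(f"{bits}-bit {m['enc']} encryption")
        if m["au"] == "None":
            reasons.append("anonymous key exchange")
        if m["exp"] or m["name"].startswith("EXP"):
            reasons.append("export-grade suite")
        if m["proto"] == "SSLv2":
            reasons.append("SSLv2 suite")
        if reasons:
            findings[m["name"]] = reasons
    return findings

# Constructed sample: six rows as listed for the "+LOW" string, then three rows
# (anonymous DH, export, SSLv2) of the kind "!ADH:!EXPORT:!SSLv2" should remove.
SAMPLE = """\
# openssl ciphers -v ...
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
"""

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live server, pipe the output of `openssl ciphers -v` for the configured SSLCipherSuite string into `audit`; an empty result means none of the four checks fired.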
