
Ubuntu/Apache2 SSL configuration Simple guidance, Estonian EID view

RIA EID Guidances https://www.ria.ee Page 1/19

Configuring two-way SSL using Estonian EID smartcards in Ubuntu Apache2 webserver

Document information

Creation time 06.02.2019

Client RIA

Author Urmas Vanem, OctoX

Version 19.12/1

Version information

Date Version Changes/notes

06.02.2019 19.02/1 Public version.

20.02.2019 19.02/1 Added chapter additional configuration options: firewall and OCSP configuration, default website removal. Changed by Urmas Vanem.

12.12.2019 19.12/1 Added recommendations for securing Apache. Changed by Urmas Vanem.


Intro

In this guide we describe:

• How to install and configure the Apache2 (v. 2.4.29) webserver in Ubuntu 18.04.
• How to configure one-way SSL in Apache2.
• How to configure two-way SSL using Estonian EID cards.

In addition, we configure HTTP -> HTTPS redirection.

Apache2 installation and configuration

Installation

1. Renew the Ubuntu package data; in terminal run „sudo apt update“.
2. Install Apache2; in terminal run „sudo apt install apache2“.

Picture 1 - Apache2 installation

Configuration

Enabling SSL

Enable SSL for Apache2; in terminal run „sudo a2enmod ssl“ and restart the Apache2 service.


Picture 2 – Enable SSL and restart service

Certificate request

Now we create the certificate signing request and private key; in terminal run „openssl req -newkey rsa:2048 -keyout OctoXPrivKey5.key -sha256 -subj "/CN=Ubuntu5.kaheksa.xi" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:Ubuntu5.kaheksa.xi,DNS:Apache5.kaheksa.xi")) -out OctoX5.csr -nodes“.

Picture 3 – generating private key and certificate signing request

Notes about the variables with yellow background:

1. OctoXPrivKey5.key is the certificate private key.
2. OctoX5.csr is the certificate signing request.
3. Ubuntu5.kaheksa.xi is the subject name for the certificate.
4. Apache5.kaheksa.xi and Ubuntu5.kaheksa.xi are the certificate SAN DNS names. These names must correspond to real website names (see note 1). And naturally the names must be resolvable in name services.

Contents of the certificate signing request file can be viewed by running „openssl req -in OctoX5.csr -noout -text“ in terminal.

Note 1: For example, Google Chrome does not trust sites where the website DNS name is not among the SAN DNS names.


Picture 4 – certificate signing request includes request for two SAN DNS names

The certificate signing request file OctoX5.csr should be sent to the certificate signer (in our demo environment it is just one test CA). As a response we get the signed certificate in Base-64 encoded format, which should look like the following picture:


Picture 5 – signed certificate in a text editor

In Ubuntu the certificate looks like the following picture:

Picture 6 – certificate in Ubuntu

The certificate also includes the alternative SAN DNS names:


Picture 7 - SAN DNS names

As we can see, the certificate issuer is a CA named „OctoX Root CA“. Now we need the “OctoX Root CA” certificate in Base-64 encoded format to add it to our Ubuntu/Apache2 solution as a trusted certificate. In our example OctoX_RCA.pem is already copied to the user home folder and we copy it from there to folder /etc/ssl/certs/. In terminal run „cp OctoX_RCA.pem /etc/ssl/certs/OctoX_RCA.pem“.

Picture 8 – copying RCA certificate to certificates container

In addition, we must correctly install the signed certificate and private key. The signed certificate must be in folder /etc/ssl/certs, the private key must be in folder /etc/ssl/private.

Picture 9 – installing signed certificate and private key

Now we have correctly installed all certificates and the private key needed by Apache2 for one-way SSL.

Creating virtual website

For the SSL configuration demonstration we create a separate virtual website. At first, we create the home folder for our website, /var/www/Apache5.

Picture 10 – creating website home folder

Then, for testing purposes, we put a simple webpage named index.html in the folder. In our example the file /var/www/html/index.html is copied to our new folder. Then minor modifications are made in its heading or title so that we can later recognise it as our website.

Then we prepare the virtual site configuration file; in terminal run „sudo nano /etc/apache2/sites-available/Apache1.conf“.


Picture 11 – creating new virtual website configuration file

Now we paste the following configuration in it:

# Beginning of file
<VirtualHost Apache5.kaheksa.xi:80>
    # HTTP -> HTTPS redirection
    ServerName Apache5.kaheksa.xi
    Redirect / https://Apache5.kaheksa.xi
</VirtualHost>

<VirtualHost Apache5.kaheksa.xi:443>
    # General info
    ServerName Apache5.kaheksa.xi:443
    ServerAdmin [email protected]
    DocumentRoot /var/www/Apache5
    # SSL configuration
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/OctoX5.pem
    SSLCertificateKeyFile /etc/ssl/private/OctoXPrivKey5.key
    SSLCertificateChainFile /etc/ssl/certs/OctoX_RCA.pem
    # Error collection configuration
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# End of file

The new configuration should be activated by running „sudo a2ensite Apache1.conf“ in terminal. Then restart the Apache2 service. If necessary, restart Ubuntu.


Picture 12 – activating new virtual website and restarting Apache2

Now we have configured our new website to use one-way SSL, and all HTTP requests to our site are redirected to HTTPS.

Picture 13 - Apache web server is working and using one-way SSL!

Note. There can be many similar virtual websites with different names in the same Apache2 server with a single IP address.

Requiring two-way SSL

If we want to require strong Estonian EID client certificate-based authentication, we must update our configuration by adding the following lines to our site configuration file Apache5.conf:

• SSLVerifyClient require
• SSLVerifyDepth 2
• SSLCACertificateFile /etc/ssl/certs/EID_Bundle.pem


Picture 14 – updated configuration file, SSL section

Now we create a new text file named EID_Bundle.pem, which includes all active Estonian EID root and intermediate certificates (EE-GovCA2018, ESTEID2018, EE Certification Centre Root CA, ESTEID-SK 2015) in Base-64 encoded format. With this file we restrict the client certificates accepted by the Apache2 web service (in other words, on the client side only those client certificates are offered which are issued by the CAs/chains listed in our file). The file contents in a text editor should look like the following text block:

-----BEGIN CERTIFICATE-----
MIIE+DCCBFmgAwIBAgIQMLOwlXoR0oFbj52nmRsnezAKBggqhkjOPQQDBDBaMQsw
CQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRh
DA5OVFJFRS0xMDc0NzAxMzEVMBMGA1UEAwwMRUUtR292Q0EyMDE4MB4XDTE4MDkw
NTA5MTEwM1oXDTMzMDkwNTA5MTEwM1owWjELMAkGA1UEBhMCRUUxGzAZBgNVBAoM
ElNLIElEIFNvbHV0aW9ucyBBUzEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxFTAT
BgNVBAMMDEVFLUdvdkNBMjAxODCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAMcb
/dmAcVo/b2azEPS6CfW7fEA2KuHKC53D7ShVNvLz4QUjCdTXjds/4u99jUoYEQec
luVVzMlgEJR1nkN2eOrLAZYxPjwG5HiI1iZEyW9QKVdeEgyvhzWWTNHGjV3HdZRv
7L9o4533PtJAyqJq9OTs6mjsqwFXjH49bfZ6CGmzUJsHo4ICvDCCArgwEgYDVR0T
AQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwNAYDVR0lAQH/BCowKAYIKwYB
BQUHAwkGCCsGAQUFBwMCBggrBgEFBQcDBAYIKwYBBQUHAwEwHQYDVR0OBBYEFH4p
Vuc0knhOd+FvLjMqmHHB/TSfMB8GA1UdIwQYMBaAFH4pVuc0knhOd+FvLjMqmHHB
/TSfMIICAAYDVR0gBIIB9zCCAfMwCAYGBACPegECMAkGBwQAi+xAA QIwMgYLKwYB
BAGDkSEBAQEwIzAhBggrBgEFBQcCARYVaHR0cHM6Ly93d3cuc2suZWUvQ1BTMA0G
CysGAQQBg5EhAQECMA0GCysGAQQBg5F/AQEBMA0GCysGAQQBg5EhAQEFMA0GCysG
AQQBg5EhAQEGMA0GCysGAQQBg5EhAQEHMA0GCysGAQQBg5EhAQEDMA0GCysGAQQB
g5EhAQEEMA0GCysGAQQBg5EhAQEIMA0GCysGAQQBg5EhAQEJMA0GCysGAQQBg5Eh
AQEKMA0GCysGAQQBg5EhAQELMA0GCysGAQQBg5EhAQEMMA0GCysGAQQBg5EhAQEN
MA0GCysGAQQBg5EhAQEOMA0GCysGAQQBg5EhAQEPMA0GCysGAQQBg5EhAQEQMA0G
CysGAQQBg5EhAQERMA0GCysGAQQBg5EhAQESMA0GCysGAQQBg5EhAQETMA0GCysG
AQQBg5EhAQEUMA0GCysGAQQBg5F/AQECMA0GCysGAQQBg5F/AQEDMA0GCysGAQQB
g5F/AQEEMA0GCysGAQQBg5F/AQEFMA0GCysGAQQBg5F/AQEGMDEGCisGAQQBg5Eh
CgEwIzAhBggrBgEFBQcCARYVaHR0cHM6Ly93d3cuc2suZWUvQ1BTMBgGCCsGAQUF
BwEDBAwwCjAIBgYEAI5GAQEwCgYIKoZIzj0EAwQDgYwAMIGIAkIBk698EqetY9Tt
6HwO50CfzdIIjKmlfCI34xKdU7J+wz1tNVu2tHJwEhdsH0e92i969sRDp1RNPlVh
4XFJzI3oQFQCQgGVxmcuVnsy7NUscDZ0erwovmbFOsNxELCANxNSWx5xMqzEIhV8
46opxu10UFDIBBPzkbBenL4h+g/WU7lG78fIhA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFVzCCBLigAwIBAgIQdUf6rBR0S4tbo2bU/mZV7TAKBggqhkjOPQQDBDBaMQsw
CQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRh
DA5OVFJFRS0xMDc0NzAxMzEVMBMGA1UEAwwMRUUtR292Q0EyMDE4MB4XDTE4MDky
MDA5MjIyOFoXDTMzMDkwNTA5MTEwM1owWDELMAkGA1UEBhMCRUUxGzAZBgNVBAoM
ElNLIElEIFNvbHV0aW9ucyBBUzEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxEzAR
BgNVBAMMCkVTVEVJRDIwMTgwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAHHOBlv
7UrRPYP1yHhOb7RA/YBDbtgynSVMqYdxnFrKHUXh6tFkghvHuA1k2DSom1hE5kqh
B5VspDembwWDJBOQWQGOI/0t3EtccLYjeM7F9xOPdzUbZaIbpNRHpQgVBpFX0xpL
TgW27MpIMhU8DHBWFpeAaNX3eUpD4gC5cvhsK0RFEqOCAx0wggMZMB8GA1UdIwQY
MBaAFH4pVuc0knhOd+FvLjMqmHHB/TSfMB0GA1UdDgQWBBTZrHDbX36+lPig5L5H
otA0rZoqEjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADCCAc0G
A1UdIASCAcQwggHAMAgGBgQAj3oBAjAJBgcEAIvsQAECMDIGCysGAQQBg5EhAQEB
MCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzANBgsrBgEEAYOR
IQEBAjANBgsrBgEEAYORfwEBATANBgsrBgEEAYORIQEBBTANBgsrBgEEAYORIQEB
BjANBgsrBgEEAYORIQEBBzANBgsrBgEEAYORIQEBAzANBgsrBgEEAYORIQEBBDAN
BgsrBgEEAYORIQEBCDANBgsrBgEEAYORIQEBCTANBgsrBgEEAYORIQEBCjANBgsr
BgEEAYORIQEBCzANBgsrBgEEAYORIQEBDDANBgsrBgEEAYORIQEBDTANBgsrBgEE
AYORIQEBDjANBgsrBgEEAYORIQEBDzANBgsrBgEEAYORIQEBEDANBgsrBgEEAYOR
IQEBETANBgsrBgEEAYORIQEBEjANBgsrBgEEAYORIQEBEzANBgsrBgEEAYORIQEB
FDANBgsrBgEEAYORfwEBAjANBgsrBgEEAYORfwEBAzANBgsrBgEEAYORfwEBBDAN
BgsrBgEEAYORfwEBBTANBgsrBgEEAYORfwEBBjAqBgNVHSUBAf8EIDAeBggrBgEF
BQcDCQYIKwYBBQUHAwIGCCsGAQUFBwMEMGoGCCsGAQUFBwEBBF4wXDApBggrBgEF
BQcwAYYdaHR0cDovL2FpYS5zay5lZS9lZS1nb3ZjYTIwMTgwLwYIKwYBBQUHMAKG
I2h0dHA6Ly9jLnNrLmVlL0VFLUdvdkNBMjAxOC5kZXIuY3J0MBgGCCsGAQUFBwED
BAwwCjAIBgYEAI5GAQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL2Muc2suZWUv
RUUtR292Q0EyMDE4LmNybDAKBggqhkjOPQQDBAOBjAAwgYgCQgDeuUY4HczUbFKS
002HZ88gclgYdztHqglENyTMtXE6dMBRnCbgUmhBCAA0mJSHbyFJ8W9ikLiSyurm
kJM0hDE9KgJCASOqA405Ia5nKjTJPNsHQlMi7KZsIcTHOoBccx+54N8ZX1MgBozJ
mT59rZY/2/OeE163BAwD0UdUQAnMPP6+W3Vd
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1
MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1
czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYG
CSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIwMTAxMDMwMTAxMDMwWhgPMjAzMDEy
MTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlBUyBTZXJ0aWZpdHNl
ZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRyZSBS
b290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUy
euuOF0+W2Ap7kaJjbMeMTC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvO
bntl8jixwKIy72KyaOBhU8E2lf/slLo2rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIw
WFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw93X2PaRka9ZP585ArQ/d
MtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtNP2MbRMNE
1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYD
VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/
zQas8fElyalL1BSZMEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYB
BQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF
BQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+RjxY6hUFaTlrg4wCQiZrxTFGGV
v9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqMlIpPnTX/dqQG
E5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u
uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIW
iAYLtqZLICjU3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/v
GVCJYMzpJJUPwssd8m92kMfMdcGWxZ0=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGcDCCBVigAwIBAgIQRUgJC4ec7yFWcqzT3mwbWzANBgkqhkiG9w0BAQwFADB1
MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1
czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYG
CSqGSIb3DQEJARYJcGtpQHNrLmVlMCAXDTE1MTIxNzEyMzg0M1oYDzIwMzAxMjE3
MjM1OTU5WjBjMQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVy
aW1pc2tlc2t1czEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxFzAVBgNVBAMMDkVT
VEVJRC1TSyAyMDE1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oH6
1NDxbdW9k8nLA1qGaL4B7vydod2Ewp/STBZB3wEtIJCLdkpEsS8pXfFiRqwDVsgG
Gbu+Q99trlb5LI7yi7rIkRov5NftBdSNPSU5rAhYPQhvZZQgOwRaHa5Ey+BaLJHm
LqYQS9hQvQsCYyws+xVvNFUpK0pGD64iycqdMuBl/nWq3fLuZppwBh0VFltm4nhr
/1S0R9TRJpqFUGbGr4OK/DwebQ5PjhdS40gCUNwmC7fPQ4vIH+x+TCk2aG+u3MoA
z0IrpVWqiwzG/vxreuPPAkgXeFCeYf6fXLsGz4WivsZFbph2pMjELu6sltlBXfAG
3fGv43t91VXicyzR/eT5dsB+zFsW1sHV+1ONPr+qzgDxCH2cmuqoZNfIIq+buob3
eA8ee+XpJKJQr+1qGrmhggjvAhc7m6cU4x/QfxwRYhIVNhJf+sKVThkQhbJ9XxuK
k3c18wymwL1mpDD0PIGJqlssMeiuJ4IzagFbgESGNDUd4icm0hQT8CmQeUm1GbWe
BYseqPhMQX97QFBLXJLVy2SCyoAz7Bq1qA43++EcibN+yBc1nQs2Zoq8ck9MK0bC
xDMeUkQUz6VeQGp69ImOQrsw46qTz0mtdQrMSbnkXCuLan5dPm284J9HmaqiYi6j
6KLcZ2NkUnDQFesBVlMEm+fHa2iR6lnAFYZ06UECAwEAAaOCAgowggIGMB8GA1Ud
IwQYMBaAFBLyWj7qVhy/zQas8fElyalL1BSZMB0GA1UdDgQWBBSzq4i8mdVipIUq
CM20HXI7g3JHUTAOBgNVHQ8BAf8EBAMCAQYwdwYDVR0gBHAwbjAIBgYEAI96AQIw
CQYHBACL7EABAjAwBgkrBgEEAc4fAQEwIzAhBggrBgEFBQcCARYVaHR0cHM6Ly93
d3cuc2suZWUvQ1BTMAsGCSsGAQQBzh8BAjALBgkrBgEEAc4fAQMwCwYJKwYBBAHO
HwEEMBIGA1UdEwEB/wQIMAYBAf8CAQAwQQYDVR0eBDowOKE2MASCAiIiMAqHCAAA
AAAAAAAAMCKHIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCcGA1Ud
JQQgMB4GCCsGAQUFBwMJBggrBgEFBQcDAgYIKwYBBQUHAwQwfAYIKwYBBQUHAQEE
cDBuMCAGCCsGAQUFBzABhhRodHRwOi8vb2NzcC5zay5lZS9DQTBKBggrBgEFBQcw
AoY+aHR0cDovL3d3dy5zay5lZS9jZXJ0cy9FRV9DZXJ0aWZpY2F0aW9uX0NlbnRy
ZV9Sb290X0NBLmRlci5jcnQwPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovL3d3dy5z
ay5lZS9yZXBvc2l0b3J5L2NybHMvZWVjY3JjYS5jcmwwDQYJKoZIhvcNAQEMBQAD
ggEBAHRWDGI3P00r2sOnlvLHKk9eE7X93eT+4e5TeaQsOpE5zQRUTtshxN8Bnx2T
oQ9rgi18q+MwXm2f0mrGakYYG0bix7ZgDQvCMD/kuRYmwLGdfsTXwh8KuL6uSHF+
U/ZTss6qG7mxCHG9YvebkN5Yj/rYRvZ9/uJ9rieByxw4wo7b19p22PXkAkXP5y3+
qK/Oet98lqwI97kJhiS2zxFYRk+dXbazmoVHnozYKmsZaSUvoYNNH19tpS7BLdsg
i9KpbvQLb5ywIMq9ut3+b2Xvzq8yzmHMFtLIJ6Afu1jJpqD82BUAFcvi5vhnP8M7
b974R18WCOpgNQvXDI+2/8ZINeU=
-----END CERTIFICATE-----

Copy the file EID_Bundle.pem to folder /etc/ssl/certs and reload the Apache2 webserver; in terminal run „systemctl reload apache2“.

After accessing website Apache5.kaheksa.xi or Ubuntu5.kaheksa.xi now, a client certificate is required.
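As an added example (not part of the RIA guide), the following shell script walks through the certificate steps of pages 3 to 6 and the EID_Bundle.pem step above in a scratch directory, and runs the checks worth doing before Apache is restarted: it creates a throw-away test root CA standing in for „OctoX Root CA“, generates a private key and CSR with the two SAN DNS names through a [SAN] config section (the same idea as the „-reqexts SAN -config <(...)“ command on page 3, written to a file so that plain sh can use it), signs the CSR, then verifies that the SAN names are present in CSR and certificate, that the private key belongs to the certificate, that the certificate chains to the root, and finally splits a PEM bundle like EID_Bundle.pem and lists each certificate with its CA flag. It assumes OpenSSL 1.0.2 or newer on the PATH; the CA name „Example Test Root CA“, the temporary file names and the bundle built from the test certificates are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the RIA guide. Walks the certificate steps of the guide
# in a scratch directory and runs the checks worth doing before Apache is restarted.
# Assumes OpenSSL 1.0.2+ on PATH. "Example Test Root CA" stands in for
# "OctoX Root CA"; all file names here are constructed for the example.

# Minimal OpenSSL config with a [SAN] section: the guide's "-reqexts SAN -config"
# trick, but written to a file instead of a bash process substitution.
write_req_config() {   # $1 = dir, $2 = subject CN, $3 = SAN list "DNS:a,DNS:b"
  cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[SAN]
subjectAltName = $3
EOF
}

# Throw-away self-signed root CA (the role "OctoX Root CA" plays in the guide).
make_test_ca() {       # $1 = dir
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$1/req.cnf" \
    -extensions ca_ext -subj "/CN=Example Test Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Private key plus CSR carrying the SAN names, as "openssl req ... -reqexts SAN" does.
make_csr() {           # $1 = dir
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" -reqexts SAN \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

# Sign the CSR with the test CA; -extfile/-extensions carries the SAN names into the cert.
sign_csr() {           # $1 = dir
  openssl x509 -req -sha256 -days 1 -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/req.cnf" -extensions SAN -out "$1/server.pem" 2>/dev/null
}

# Print the SAN line ("DNS:a, DNS:b") of a CSR ($1 = req) or certificate ($1 = x509).
san_names() {          # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}

# Apache refuses to start when SSLCertificateFile and SSLCertificateKeyFile do not
# belong together: compare the public key in the cert with the one derived from the key.
cert_matches_key() {   # $1 = cert, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Does the certificate chain to the CA file (what SSLCertificateChainFile and
# SSLCACertificateFile have to make possible)?
chain_ok() {           # $1 = CA file, $2 = cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# One line per certificate of a PEM bundle such as EID_Bundle.pem: subject and CA flag.
bundle_summary() {     # $1 = bundle, $2 = empty scratch dir for the split files
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" } f { print > f }' "$1"
  for c in "$2"/cert*.pem; do
    if openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then ca=yes; else ca=no; fi
    printf '%s | CA=%s\n' "$(openssl x509 -in "$c" -noout -subject)" "$ca"
  done
}

demo() {
  d=$(mktemp -d)
  write_req_config "$d" Ubuntu5.kaheksa.xi "DNS:Ubuntu5.kaheksa.xi,DNS:Apache5.kaheksa.xi"
  make_test_ca "$d" && make_csr "$d" && sign_csr "$d" || { echo "openssl failed"; return 1; }
  echo "CSR  SAN: $(san_names req "$d/server.csr")"
  echo "cert SAN: $(san_names x509 "$d/server.pem")"
  cert_matches_key "$d/server.pem" "$d/server.key" && echo "private key matches certificate"
  chain_ok "$d/ca.pem" "$d/server.pem" && echo "certificate verifies against the test root"
  mkdir "$d/split" && cat "$d/ca.pem" "$d/server.pem" > "$d/bundle.pem"
  bundle_summary "$d/bundle.pem" "$d/split"
  rm -rf "$d"
}
command -v openssl >/dev/null 2>&1 && demo
```

Run against the real files, the same functions check the guide's artefacts: `san_names req OctoX5.csr`, `cert_matches_key /etc/ssl/certs/OctoX5.pem /etc/ssl/private/OctoXPrivKey5.key`, `chain_ok /etc/ssl/certs/OctoX_RCA.pem /etc/ssl/certs/OctoX5.pem`, and `bundle_summary /etc/ssl/certs/EID_Bundle.pem "$(mktemp -d)"`, which should list the four CA certificates named above, every one with CA=yes.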


Picture 15 – client certificate request

After confirming the certificate and entering the PIN we can access the website! Two-way SSL works. Good luck!

Additional configuration options

The purpose of this document is not to give exact guidance on how to optimize or protect websites. The main purpose is to show how it is possible to configure two-way SSL and use Estonian EID cards for authentication. However, in the following section we pay attention to some options which can be useful.

Firewall rules, on demand

By default, the firewall is switched off on Ubuntu. But if it is on, we need to create some rules for accessing the websites on the server. For Apache there are three options:

1. Apache - enables port 80
2. Apache Full – enables ports 80 and 443
3. Apache Secure – enables port 443

To create a firewall rule, run in terminal „sudo ufw allow ’RULE’“. For example, to enable HTTPS traffic only, run „sudo ufw allow ‘Apache Secure’”.

Picture 16 - Creating Apache https rules

If the firewall is active, running the command „sudo ufw status“ in terminal shows us the active rules.


Picture 17 – firewall is active and HTTPS is enabled

OCSP (see note 2)

By default, the configuration described above allows access to the Apache2 website for all users with certificates valid at the time of access. Certificate revocation status is not checked! If we want to check the client certificate revocation status using the SK guaranteed OCSP service, we first need to make an agreement with them (SK). After the agreement SK allows client access to the guaranteed OCSP service (at address http://ocsp.sk.ee) based on client IP address or certificate.

After getting access to the service, we must add the following lines to the SSL configuration section of our Apache2 virtual site:

• SSLOCSPEnable on – enable OCSP revocation check for client certificates.
• SSLOCSPDefaultResponder http://ocsp.sk.ee – determine the OCSP service location.
• SSLOCSPOverrideResponder on – use the defined OCSP responder even if an OCSP responder is given in the client certificate.
• SSLOCSPResponderCertificateFile /etc/ssl/certs/EID_OCSP.pem – define the OCSP signing certificate in Base-64 encoded format. Today (20.02.2019) the certificate is SK OCSP RESPONDER 2011 (see note 3).

Now our SSL configuration looks like following picture:

Picture 18 - OCSP part is added to SSL configuration section

Note 2: Client certificate revocation checking is also doable by configuring certificate revocation lists (CRL). In this document we do not deal with this because we think configuring OCSP is more reasonable.

Note 3: Instead of defining the OCSP signing certificate and checking it in the authentication process, we can skip the check by using the line „SSLOCSPNoverify on“ in our Apache2 configuration. In this case only the client certificate is checked against the OCSP service. This configuration is not recommended for production environments.


Now we have to download the OCSP signing certificate SK OCSP RESPONDER 2011 and save it in Base-64 encoded format to folder /etc/ssl/certs/ as EID_OCSP.pem.

Reload the Apache2 service with command „systemctl reload apache2“ in terminal (the systemd unit name is lower-case). Now all client certificates are checked against the SK guaranteed OCSP service in the authentication phase.

OCSP-AIA

In addition to the guaranteed (paid) OCSP service, SK also offers a similar AIA-OCSP service for free. AIA-OCSP is basically a simple OCSP service with lower availability demands and less functionality. The AIA-OCSP path is included in SK user certificates:

1) Certificates issued by ESTEID-SK 2015 CA: http://aia.sk.ee/esteid2015
2) Certificates issued by ESTEID2018 CA: http://aia.sk.ee/esteid2018

Picture 19 - ESTEID-SK 2015 AIA-OCSP path in certificate

To enable client certificate revocation check against the AIA-OCSP service, we need to add the following lines to the SSL configuration section of our Apache2 virtual website:

• SSLOCSPEnable on – enable OCSP revocation check for client certificates. NB! The „leaf“ mode („SSLOCSPEnable leaf“, which checks only the client certificate itself and not the CA chain) is available in httpd 2.4.34 and later.
• SSLOCSPUseRequestNonce off – turn off the OCSP nonce requirement.


Picture 20 - AIA-OCSP configuration is added to SSL section

Reload the Apache2 service with command „systemctl reload apache2“ in terminal. Now all client certificates are checked in the authentication phase against the SK AIA-OCSP service named in the certificate.

Default webpage removal

After Apache2 installation we also have the default website installed. To remove the default website, run the command „sudo a2dissite 000-default.conf“ in terminal.

Picture 21 – default website removal

Restart the Apache2 service with command „systemctl reload apache2“ in terminal to apply the new configuration.

Recommended security settings for Apache

SSL/TLS

Apache version 2.4 uses all SSL/TLS protocol versions higher than SSL3 by default:

Picture 22 - Apache version and SSL/TLS default configuration

Nowadays there is probably no need to use SSL/TLS protocol versions lower than TLS 1.2 anymore. TLS 1.2 should be the lowest version; it is widely used, very stable and old! But TLS 1.3 can also be enabled to allow optimized and modern TLS traffic.

To configure Apache to support only TLS protocol versions 1.2 and 1.3, we must add the following line to the Apache configuration file: „SSLProtocol -all +TLSv1.2 +TLSv1.3“.


Picture 23 – enabling only TLS versions 1.2 and 1.3 in configuration file

If we want to make the change on server level, we must modify the parameter SSLProtocol in the file /etc/apache2/mods-available/ssl.conf.

Cipher suites

There are many different TLS 1.2 cipher suites available with Apache version 2.4.38 (see note 4). We can list the available cipher suites with the command „openssl ciphers -v“.

By default, all cipher suites matching the following requirements are enabled:

1) HIGH – some ciphers with key length 128 bits and all stronger ones are enabled;
2) !aNULL – ciphers not supporting authentication are disabled.

Picture 24 – server-based configuration in file /etc/apache2/mods-available/ssl.conf

By default, this configuration can be good enough; it does not contain non-secure cipher suites. There are some published cipher suites marked as WEAK, but we probably need some of those ciphers to support older clients.

But if we want to configure cipher suites for any reason, we can use the SSLCipherSuite directive in the Apache configuration file. Here we can use predefined aliases or exact cipher suite names.

It is impossible to give an exact recommendation for configuring cipher suites because different environments have different requirements, and the requirements and possibilities change over time. The only recommendation we can give here is to remove non-secure ciphers from the list if any exist.

Examples:

• Using the following line in the configuration file: ’SSLCipherSuite „ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256“’ – we allow only two safe cipher suites. Some older clients may not be compatible with this configuration.
• Using the following line in the configuration file: ’SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !CAMELLIA256 !CAMELLIA128"’ – we create another configuration with a pretty limited set of cipher suites, which probably supports most clients.

Note 4: We handle only TLS 1.2 ciphers in this chapter, because lower protocols should be disabled and everything is OK with TLS version 1.3 today.
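As an added example (not part of the RIA guide), the following shell functions expand a cipher string with „openssl ciphers -v“, as the text suggests, and classify the result so that an SSLCipherSuite value can be checked before it is deployed: which suites it actually enables, which of them lack forward secrecy (key exchange other than ephemeral ECDH/DH) and which still use a separate HMAC instead of an AEAD mode. The demo runs over the guide's first example and over the default „HIGH:!aNULL“ setting. It assumes OpenSSL on the PATH; the result depends on the installed OpenSSL version, and suites that the local build no longer contains (RC4, for instance, in current builds) are simply absent from the expansion.

```shell
#!/bin/sh
# Added example, not from the RIA guide. Expands a cipher string with
# "openssl ciphers -v" (as the guide suggests) and classifies the enabled suites.
# Assumes OpenSSL on PATH; the output depends on the installed OpenSSL version.

# Enabled suite names for a cipher string, one per line. TLS 1.3 suites, which newer
# OpenSSL appends regardless of the string, are left out: Apache configures those
# separately from SSLCipherSuite.
expand_cipher_string() {       # $1 = cipher string in OpenSSL syntax
  openssl ciphers -v "$1" 2>/dev/null | awk '$2 != "TLSv1.3" { print $1 }'
}

# Suites whose key exchange is not ephemeral (EC)DH, i.e. without forward secrecy:
# a later compromise of the server key would expose recorded sessions.
without_forward_secrecy() {    # $1 = cipher string
  openssl ciphers -v "$1" 2>/dev/null |
    awk '$2 != "TLSv1.3" && $3 !~ /^Kx=(ECDH|DH)$/ { print $1 }'
}

# Suites that still use a separate HMAC (SHA1/SHA256/SHA384) rather than an AEAD mode.
non_aead() {                   # $1 = cipher string
  openssl ciphers -v "$1" 2>/dev/null | awk '$2 != "TLSv1.3" && $6 != "Mac=AEAD" { print $1 }'
}

report() {                     # $1 = cipher string
  echo "== $1"
  echo "enabled suites: $(expand_cipher_string "$1" | wc -l | tr -d ' ')"
  for c in $(without_forward_secrecy "$1"); do echo "  no forward secrecy: $c"; done
  for c in $(non_aead "$1"); do echo "  non-AEAD MAC:       $c"; done
}

if command -v openssl >/dev/null 2>&1; then
  # The guide's first example (two suites) and Apache's default "HIGH:!aNULL".
  report 'ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256'
  report 'HIGH:!aNULL'
fi
```

The second report shows why the text calls the default „good enough“ rather than ideal: HIGH:!aNULL still includes RSA key transport and CBC/HMAC suites, which the two-suite example removes at the cost of older clients.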


Please do not take the samples above as a recommendation. They are just examples! Configure cipher suites only when you are sure what you are doing. Goals can be: disabling non-secure cipher suites, optimizing the configuration by moving faster secure ciphers to the top of the list, or any other.

You can also configure cipher suites on server level by modifying the parameter SSLCipherSuite in file /etc/apache2/mods-available/ssl.conf.

More information about the different options for configuring cipher suites can be found in the article https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

SSLHonorCipherOrder

An important parameter related to SSLCipherSuite is SSLHonorCipherOrder. If this parameter has the value ON, the server's list of cipher suites is always preferred! By default it is not defined and the default value is OFF.
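As an added example (not part of the RIA guide), the following shell script audits an Apache SSL virtual host file against the settings discussed in the two-way SSL, OCSP, SSL/TLS, cipher suite and SSLHonorCipherOrder sections: client certificates required with a CA bundle, OCSP enabled without SSLOCSPNoverify, SSLProtocol limited to TLS 1.2/1.3, SSLHonorCipherOrder on, and no un-negated weak tokens in SSLCipherSuite. It uses only sh, sed, awk and grep, so it runs without Apache installed; the two sample files it writes (weak.conf and hardened.conf) are constructed for the example and are not the guide's configuration files.

```shell
#!/bin/sh
# Added example, not from the RIA guide. Read-only audit of an Apache SSL virtual
# host file against the settings this guide discusses. Needs only sh, sed, awk and
# grep; the two sample files written by write_samples are constructed for the example.

# Strip comments and quotes so directive values can be matched with plain regexes.
clean_conf() {         # $1 = config file
  sed -e 's/#.*//' -e "s/[\"']//g" "$1"
}

# True when directive $2 appears with a value matching ERE $3 (Apache directive
# names are case-insensitive, hence -i).
has_directive() {      # $1 = file, $2 = directive, $3 = value regex
  clean_conf "$1" | grep -iEq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)"
}

# SSLCipherSuite tokens that name a weak primitive and are not negated with "!".
weak_cipher_tokens() { # $1 = file
  clean_conf "$1" | awk '
    tolower($1) == "sslciphersuite" {
      for (i = 2; i <= NF; i++) {
        n = split($i, t, ":")
        for (j = 1; j <= n; j++)
          if (t[j] != "" && t[j] !~ /^!/ &&
              toupper(t[j]) ~ /(^|[+-])(RC4|DES|3DES|MD5|NULL|ENULL|ANULL|EXP|EXPORT|LOW)($|[+-])/)
            print t[j]
      }
    }'
}

# Print one finding per line; return 0 only when there are none.
audit_ssl_conf() {     # $1 = file
  n=0
  has_directive "$1" SSLEngine on || { echo "SSLEngine is not on"; n=$((n+1)); }
  has_directive "$1" SSLVerifyClient require || { echo "client certificate not required (SSLVerifyClient require)"; n=$((n+1)); }
  has_directive "$1" SSLCACertificateFile '[^[:space:]]+' || { echo "no SSLCACertificateFile (trusted client CA bundle)"; n=$((n+1)); }
  has_directive "$1" SSLOCSPEnable '(on|leaf)' || { echo "revocation not checked (SSLOCSPEnable)"; n=$((n+1)); }
  has_directive "$1" SSLOCSPNoverify on && { echo "SSLOCSPNoverify on: OCSP responder signature is not verified"; n=$((n+1)); }
  if ! has_directive "$1" SSLProtocol '[^[:space:]]+'; then
    echo "no SSLProtocol line: the Apache default still allows TLS 1.0 and 1.1"; n=$((n+1))
  elif clean_conf "$1" | grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' |
       grep -iEq '(^|[[:space:]])\+?(all|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|$)'; then
    echo "SSLProtocol still enables a version below TLS 1.2"; n=$((n+1))
  fi
  has_directive "$1" SSLHonorCipherOrder on || { echo "SSLHonorCipherOrder is not on (client chooses the suite)"; n=$((n+1)); }
  for t in $(weak_cipher_tokens "$1"); do echo "weak token '$t' enabled in SSLCipherSuite"; n=$((n+1)); done
  [ "$n" -eq 0 ]
}

# Two constructed virtual host files: the guide's one-way SSL starting point with a
# few risky additions, and one with the hardened settings the guide describes.
write_samples() {      # $1 = dir
  cat > "$1/weak.conf" <<'EOF'
<VirtualHost Apache5.kaheksa.xi:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/OctoX5.pem
    SSLCertificateKeyFile /etc/ssl/private/OctoXPrivKey5.key
    SSLOCSPEnable on
    SSLOCSPNoverify on
    SSLCipherSuite "EECDH RC4 !aNULL !eNULL !3DES"
</VirtualHost>
EOF
  cat > "$1/hardened.conf" <<'EOF'
<VirtualHost Apache5.kaheksa.xi:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256"
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/ssl/certs/EID_Bundle.pem
    SSLOCSPEnable on
    SSLOCSPDefaultResponder http://ocsp.sk.ee
    SSLOCSPOverrideResponder on
    SSLOCSPResponderCertificateFile /etc/ssl/certs/EID_OCSP.pem
</VirtualHost>
EOF
}

demo() {
  d=$(mktemp -d); write_samples "$d"
  for f in weak hardened; do
    echo "== $f.conf"
    audit_ssl_conf "$d/$f.conf" && echo "no findings"
  done
  rm -rf "$d"
}
demo
```

To audit the real site file, call `audit_ssl_conf /etc/apache2/sites-available/Apache5.conf`; settings placed in /etc/apache2/mods-available/ssl.conf at server level are not seen by a per-file check, so run it over that file as well.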

Additional possibilities

In addition to TLS and cipher suite configuration there are many other things we can do to secure our server:

• Keep the operating system up to date.
• Keep Apache up to date.
• Run Apache under non-root user rights.
• Disable presenting server information.
• Remove unnecessary modules.
• Disable HTTP requests.
• Add and configure Mod Security.
• Add and configure Mod Evasive.
• Disable directory listing.
• Enable logging.
• …

Please take the list above as a short demo list of recommendations. Of course, it makes sense to follow the recommendations, but there is much more you can do to secure your server: https://www.google.com/search?q=how+to+secure+apache+server.