Joomla! and SSL

Presentation “Joomla! and SSL” - http://slideshare.net/yireoJisse Reitsma ([email protected]) - Twitter @yireo

Joomla! & SSL


MyselfCo-founder of Yireo, loving both Joomla! as Magento

Developer of MageBridge, Dynamic404 (+ some more)

Author of Joomla! 1.5 templating book (2009, Dutch only)

Trainings for VMware ESX, HP-UX, Linux (<2007)

Trainings for Tibetan Government in Exile (TCRC)

Cycled from Holland to Spain (2012, 2500+ kms)

Favorite dish Ayam Percik (chicken in coconut-curry, Malay)


Joomla! & SSLPart I - Basics of SSL

Part II - Usage in Joomla!

Part III - Advanced topics

Slides: http://slideshare.net/yireo


Part IBasics of SSL


About HTTPS and SSLHTTPS = HTTP Secure

SSL = Secure Socket Layer

Most common implementation is OpenSSL


SSL and encryptionTwo types of encryption

Authentication of server (certificate)

Encryption of traffic (key-exchange)

Factors

Numbers of bits: 128, 256, 512, 1024, 2048

Ciphers: Diffie-Helman (cert), HMAC (TLS), SHA / MD5 (SSL)


Certificate Authorities (CA)Root CAs = Trusted by your browser

Intermediate CAs = Trusted by Root CAs (used in chain)

Your certificate = Trusted by the commercial CAs

Self-signed certificate = Trusted by no one by you


What do you need?SSL-certificate

CommonName (sometimes Chamber-of-Commerce check)

Is valid for 1 or multiple domainnames (wildcard)

Expires after a certain date

Vendors: GeoTrust, GlobalSign, Comodo, Thawte, TrustWave

Dedicated IP-address


Part IIUsage in Joomla!


Joomla! Global Configuration


What about partial SSL?Enforce HTTPS on those pages needed

Enforce non-HTTPS (HTTP) on all other pages

Slight performance gain

Secure pages

Shop (VirtueMart, MageBridge, HikaShop, Tienda)

Contact-form

Forum-pages


Yireo SSLRedirect plugin


SSL in your codeUsing the // protocol-prefix

//domain/path/ (instead of https://domain/path/)

Simply use Joomla! calls

JHTML::stylesheet() / JHTML::script()

$document = JFactory::getDocument()

JRoute::_()


Part IIIAdvanced Topics


Getting an official SSL-cert

Generate a private SSL-key + CSR

Use CSR to purchase a new SSL-certificate

Install the new SSL-certificate in your webserver

SSL-key

SSL-certificate

SSL Root CA certificate

SSL chain-certificate (optional) for intermediate CAs


Getting a self-signed SSL-cert

Generate a private SSL-key and a self-signed SSL-certificate

Install the new SSL-certificate in your webserver

SSL-key

SSL-certificate


Installing the SSL-cert

Apache

Nginx

Control panels

DirectAdmin

Plesk

CPanel


OpenSSL commands

Generate a private SSL-key + CSRopenssl req -out foobar.csr -pubkey -new -keyout foobar.key

Inspect a certificateopenssl x509 -inform pem -in foobar.crt -noout -text

Creating a self-signed certificateopenssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout foobar.key -out foobar.crt


Common Apache-directives

SSLEngine on

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server-chain.crt

SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-rootca.crt


Chain-workaroundTip: Instead of using seperate files, you can also copy all SSL-certificates to 1 single certificate-file:

Personal SSL-certificate

Intermediate SSL-certificate 1



Root SSL-certificate


Extended Validation (EV)

Validation of your company by CA

Registry in Chamber of Commerce

Check for financial behaviour (outstanding payments)

Check for legal problems


Is SSL actually safe?

Hacking of CA-servers

DNS hijacking

Decryption-attacks (SSLstrip, BREACH)


TLS: Multiple certs with 1 IPTLS Extension Server Name Indication (SNI)

Apache 2.2.12 >

OpenSSL 0.9.8j


About SPDY and HTTP 2.0SPDY

Developed by Google

Does not work without HTTPS (TLS)

Requires additional modules in webserver (Apache, Nginx)

HTTP 2.0

Using SPDY as starting point


thanks

Joomla! and SSL

Technology

Transcript of Joomla! and SSL