February 11, 2015

Testing and Debugging SSL Certificates

^ Ad space. I gotta pay the bills!

Learn how to test and debug SSL issues.We use SSLShopper to test our the SSL certificate and find issues. We found that there was an error with intermediate certificate authority chains.

The purchased certificate we received contained 4 files. One is the "root certificate" and the 3 others are intermediate certificates. The .crt file we use within our web server must be a file containing all 4 of these certificates, with the root certificate being the last in the file.

In the last video, we only copied the serversforhackers_com.zip file to /etc/ssl/sfh. This was the certificate used with the site.

We need to adjust this so we have one file that bundles (contains) all the certificate files we received:

cd /etc/fido/sfh-ssl
unzip serversforhackers_com.zip

# Concatenate the various crt files into one file
# Named certificate file *first* and
# root certificate *last*
cat serversforhackers_com.crt \
    COMODORSADomainValidationSecureServer.CA.crt \
    COMODORSAAddTrustCA.crt \
    AddTrustExternalCARoot.crt >
        sfh.crt

# Move the final certificate file to
# /etc/ssl directory
sudo mv sfh.crt /etc/ssl/sfh/sfh.crt

Make this sfh.crt file the one used within Nginx config by editing /etc/nginx/sites-available/sfh:

server {
    # Relavant portion of site config shown only:
    ssl on;
    ssl_certificate     /etc/ssl/sfh/sfh.crt
    ssl_certificate_key /etc/ssl/sfh/sfh.key
}

Test with a configtest and reload Nginx:

sudo service nginx configtest
sudo service nginx reload

If that works, retest your site with the SSLShopper tool or similar.

Resources

Here's the Nginx configuration I current use for most SSL-enabled sites, which is a little different than what's found in the video:

# No "www"
# Redirect non SSL traffic (port 80) to SSL (port 443)
server {
        listen 80;
        server_name serversforhackers.com www.serversforhackers.com;
        return 301 https://serversforhackers.com$request_uri;
}

server {
    # Port 443 only, and define that it
    # is to be used as an SSL location
    listen 443 ssl;

    # NOTE: Other usual Nginx config removed for brevity

    #
    # SSL related config:
    #
    ssl_certificate          /etc/ssl/sfh/sfh.crt;
    ssl_certificate_key      /etc/ssl/sfh/sfh.key;
    ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers              ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
    ssl_prefer_server_ciphers  on;
    ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
    ssl_session_timeout  24h;
    # Use a higher keepalive timeout to reduce the need for repeated handshakes
    keepalive_timeout 300; # up from 75 secs default
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
}

Resources

All Topics