VirtualMin, SSL Perfect Forward Secrecy and StartSSL

I’ve recently been setting this website up to use SSL. To do so I used a couple of great guides and tools on the internet. I got my SSL certificate for free from StartSSL. I found the guide by Eric Mill invaluable to working through the relatively poor UI that StartSSL has to gain the free certificate.

To check the state of your SSL certificate you can use the SSL Test Tool from Qualys SSL Labs.

To start with I received a C grade. I had two things to remedy:

  1. I had SSL3 enabled which is vulnerable to an attack called POODLE
  2. I did not have Perfect Forward Secrecy enabled, which prevents back decryption of previous conversations even when an attacker gains access to your private key (which happened with Heartbleed).

To remedy both these elements I needed to set Apache to use the correct SSL protocols and the correct ciphers. More specifically, I had to prioritise the ciphers that I preferred clients to use. By specifying the more secure ciphers first, clients that support it will use Forward Secrecy as a priority.

Using Webmin you can go to Servers -> Apache Webserver -> Global Configuration -> Edit Config files

Comment out the existing SSL config. Change to the following:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

I got this from Configuring Apache, Nginx, and OpenSSL for Forward Secrecy. See the Apache section.
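An added example, not from the original post: a small Python check that reads Apache directives and reports the two problems described above (SSLv3 still enabled, forward-secret ciphers not preferred). The sample configs and cipher lists are constructed, the function names are hypothetical, and it assumes `all` includes SSLv3 and that ciphers are listed by explicit name rather than full OpenSSL cipher-string syntax.

```python
# Added example: audit Apache TLS directives for the two issues in this post.
# Assumption: "all" (and a missing SSLProtocol) includes SSLv3; newer Apache
# builds may exclude it by default.
ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
PFS_PREFIXES = ("ECDHE-", "DHE-", "EECDH", "EDH")  # ephemeral key exchange

# Constructed sample configurations (cipher lists are illustrative).
WEAK_CONF = """\
SSLProtocol all -SSLv2
SSLCipherSuite AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256
"""
HARDENED_CONF = """\
# SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:AES128-SHA
"""

def directives(conf):
    """Map lower-cased directive name -> args; last uncommented line wins."""
    found = {}
    for line in conf.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1:]
    return found

def enabled_protocols(tokens):
    """Apply SSLProtocol tokens left to right: bare sets, '+' adds, '-' removes."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(ALL) if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group
    return enabled

def audit(conf):
    d, findings = directives(conf), []
    if "sslv3" in enabled_protocols(d.get("sslprotocol", ["all"])):
        findings.append("SSLv3 enabled (POODLE)")
    if d.get("sslhonorcipherorder", ["off"])[0].lower() != "on":
        findings.append("server cipher order not enforced")
    suite = d.get("sslciphersuite", [""])[-1]
    first = next((c for c in suite.split(":") if c and c[0] not in "!-+"), "")
    if not first.startswith(PFS_PREFIXES):
        findings.append("first preferred cipher lacks forward secrecy")
    return findings
```

`audit(WEAK_CONF)` returns all three findings, while `audit(HARDENED_CONF)` returns an empty list.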

If you want to install your SSL certificate in VirtualMin, you need to select your virtual server, then go to Server Configuration -> Manage SSL Certificate.

By default VirtualMin will have installed a self-signed certificate, which sadly could be MITMed, which is why we are using the certificate from StartSSL, since they as a Certificate Authority have verified who I am (in the loosest sense of the word, by validating they can send an email to the domain for which I am trying to request a certificate). More expensive certificates require you to prove your actual identity. Even more expensive certificates allow you to have one certificate for multiple subdomains. The whole thing is a racket but I digress.

Luckily a new EFF backed program is coming called Let’s Encrypt, which will issue free certificates and they will be easy to install. This guide will become obsolete (is the hope).

Back to VirtualMin we need to install the certificate that StartSSL has provided us. You need to upload the signed certificate and the private key you used, but you need it in a PEM format. To do that you can use the following command:

openssl rsa -in <private-key-file> -outform PEM -out <private-key-file>.pem

You can now upload that via VirtualMin. Now you also need the rest of the certificate chain. You want to get the SHA-2 version since SHA-1 is vulnerable. You can download the Class1 StartSSL PEM file directly from StartSSL.

Now go to the CA Certificate tab and upload that file. Once uploaded you should see the following:

Certificate authority name: StartCom Class 1 Primary Intermediate Server CA
Organization: StartCom Ltd.
Issuer name: StartCom Certification Authority
Issuer organization: StartCom Ltd.
Expiry date: Oct 24 20:54:17 2017 GMT
Certificate type: Self-signed

If you don’t take the SHA-2 certificate then you’ll be downgraded. Google will also be downgrading sites that use SHA-1 in the future, so it is worth getting this right now.

To check your SHA configuration, you can use the wonderful

Once you have completed this guide, you should get an A grade on the SSL Labs page.


The First Few Milliseconds of an HTTPS Connection

In the 220 milliseconds that flew by, a lot of interesting stuff happened to make Firefox change the address bar color and put a lock in the lower right corner. With the help of Wireshark, my favorite network tool, and a slightly modified debug build of Firefox, we can see exactly what’s going on.

via Moserware: The First Few Milliseconds of an HTTPS Connection.

Whether they’re on a long flight, riding through a subway tunnel, or camping in a national park, sometimes it’s just not possible for users to get a network connection. But that doesn’t mean they should be without their favorite mobile apps. So how can you save that latest page number when reading offline? Or remember the latest achievement unlocked in a game?