SSL/TLS

SSL/TLS is the protocol used on port 443 for HTTPS connections. Typically it is used by financial websites and online e-commerce shops, but you can also use it for your personal website. A secured site is normally shown by the padlock icon in the browser, or simply by the address reading https://mysuperweb.co.uk rather than http://mysuperweb.co.uk.

The first thing we need to do is choose a certificate issuer. There are many SSL providers and they come at different prices. Some certificates are quite basic, whilst others offer the green URL bar for trusted websites that have gone through extended validation. In my case I have chosen a free SSL provider.

Most providers will go through a basic domain ownership validation by sending an email to postmaster@mysuperweb.co.uk containing a unique code for verification purposes. After your domain has been verified, we can start the process of obtaining our certificate.

During the process you will be asked to provide a password for your ssl.key, as it is issued in encrypted form; in essence this file is also your private.key.

In addition to this, you will be asked to add a sub-domain to be authorised for the SSL certificate. By default mysuperweb.co.uk has already been authorised; however, we will also add www.mysuperweb.co.uk, as www is considered a subdomain of mysuperweb.co.uk.

At this stage you will be issued your certificate as ssl.crt, together with your ssl.key, which is the encrypted version of private.key.

You will also need to download the Root CA (PEM encoded), which will be saved as ca.pem, and the Class 1 Intermediate Server CA, which will be saved as sub.class1.server.sha2.ca.pem. Now we have everything we need to configure our website with SSL.

We first need to decrypt ssl.key, which can be done with the following command:

openssl rsa -in ssl.key -out private.key
Enter pass phrase for ssl.key: *********************
writing RSA key

This writes the decrypted key to private.key, the unencrypted form of ssl.key.

We now upload these files to our server. To keep things organised we will keep them in a folder at /etc/apache2/ssl:
-rw-r--r-- 1 root root 2760 Aug 31 17:29 ca.pem
-rw-r--r-- 1 root root 1679 Aug 31 17:29 private.key
-rw-r--r-- 1 root root 2248 Aug 31 17:29 ssl.crt
-rw-r--r-- 1 root root 1766 Aug 31 17:29 ssl.key
-rw-r--r-- 1 root root 2212 Aug 31 17:29 sub.class1.server.sha2.ca.pem

Now that we have our certificates in the right place, we need to tell our web server to make use of them. This is managed by /etc/apache2/sites-available/000-default.conf, which will contain something similar to:

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

We copy this block and paste it at the bottom of the file, so the file now contains the block twice; in the second copy we make the changes shown at the top of the second block below:

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<VirtualHost *:443>
	SSLEngine on
	SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
	SSLCompression off
	SSLHonorCipherOrder on

	# Apache only honours the last SSLCipherSuite in a VirtualHost, so this older
	# list (which still admits MEDIUM-strength ciphers) is left commented out.
	#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL:!RC4

	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

	# The decrypted key from the openssl step above, the issued certificate and the
	# intermediate CA that chains it to the root.
	SSLCertificateFile /etc/apache2/ssl/ssl.crt
	SSLCertificateKeyFile /etc/apache2/ssl/private.key
	SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.sha2.ca.pem

	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
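As an added example (not code from the original post), a small Python audit of the TLS directives in a VirtualHost like the one above: it resolves the SSLProtocol value, flags a second SSLCipherSuite directive in the same block (Apache applies only the last one), and applies OpenSSL's cipher-string rules, where "!" removes a cipher permanently but "-" only removes it until a later token re-adds it. The sample config is constructed from the directives above with the effective cipher list shortened; treating a missing SSLProtocol as "all" is an assumption made for a conservative check.

```python
# Apache 2.4's "all" covers SSLv3 and every TLS version; the first three are legacy.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("RC4", "MEDIUM", "LOW", "EXP", "NULL", "MD5", "DES")
# Constructed sample (not the post's file): its port-443 TLS lines, second list shortened.
SAMPLE_VHOST = """<VirtualHost *:443>
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL:!RC4
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!RC4:!MD5
</VirtualHost>"""

def directives(text):
    """Map directive name -> values in file order; comments and <tags> are skipped."""
    found = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#<":
            name, _, value = line.replace("\t", " ").partition(" ")
            found.setdefault(name, []).append(value.strip())
    return found

def enabled_protocols(spec):
    """Resolve an SSLProtocol value ('all -SSLv3 ...', '-all +TLSv1.2') to a set."""
    enabled = set()
    for tok in spec.split():
        base = tok.lstrip("+-")
        names = LEGACY | {"TLSv1.2", "TLSv1.3"} if base == "all" else {base}
        enabled = enabled - names if tok[0] == "-" else enabled | names
    return enabled

def weak_cipher_tokens(suite):
    """Tokens that still admit weak ciphers. '!' kills a cipher for good (so RC4+RSA
    followed by !RC4 is harmless); '-' only drops it and a later token may re-add it."""
    tokens = [t for t in suite.split(":") if t]
    killed = {t[1:] for t in tokens if t[0] == "!"}
    def live(tok):  # a positive entry none of whose '+'-joined parts was killed
        return tok[0] not in "!-" and not any(p in killed for p in tok.lstrip("+").split("+"))
    return [t for t in tokens if live(t) and any(m in t for m in WEAK_MARKERS)]

def audit_ssl_vhost(text):
    """Return findings for one VirtualHost; an empty list means every check passed."""
    d = directives(text)
    # Assumption: a missing SSLProtocol is read as "all", the most conservative choice.
    legacy = enabled_protocols(d.get("SSLProtocol", ["all"])[-1]) & LEGACY
    findings = [f"SSLProtocol still enables {p}" for p in sorted(legacy)]
    suites = d.get("SSLCipherSuite", [])
    if len(suites) > 1:
        findings.append("duplicate SSLCipherSuite: only the last one takes effect")
    findings += [f"effective SSLCipherSuite admits weak ciphers via {t}"
                 for t in weak_cipher_tokens(suites[-1] if suites else "")]
    return findings
```

Run it on the full 000-default.conf by passing only the port-443 block; the sample above reports the duplicate directive and nothing else.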

At the end of all this, everything is ready. The last step is to restart the web server for the changes to take effect:

service apache2 restart 
[ ok ] Restarting web server: apache2 ... waiting

This gives your website both HTTPS and HTTP connections. As we now have an SSL certificate for our website, we want to use it everywhere by forcing HTTPS for every request. We can edit our .htaccess file to do this:

RewriteEngine On
# Send any request that did not arrive over HTTPS to the same path on HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://mysuperweb.co.uk/$1 [R=301,L]

Now all connections to our website will be made over HTTPS:

[screenshot: ssl_browser]

If your browser shows "This web site does not supply ownership information." or the warning in the image below, it means your website is mixing HTTPS and HTTP content.

[screenshot: connection_partially_encrypted]

The way to resolve this is to point the images on the website at the HTTPS path, whereby

<img src=http://www.mysuperweb.co.uk />

will become

<img src=https://www.mysuperweb.co.uk />
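A detector for the mixed-content problem described above, as an added example rather than code from the post: it walks the HTML with the standard library parser, lists every subresource an HTTPS page would fetch over plain HTTP, and rewrites references to our own host to https:// as the post advises. The sample page is constructed, and the host name and the third-party CDN in it are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the post): an HTTPS page with one image loaded over
# plain HTTP from our own host, one script from a third party, one image already on
# HTTPS, and a plain link, which does not count as mixed content.
SAMPLE_HTML = """<html><body>
<img src="http://www.mysuperweb.co.uk/logo.png" />
<script src="http://cdn.example.net/app.js"></script>
<img src="https://www.mysuperweb.co.uk/photo.jpg" />
<a href="http://www.mysuperweb.co.uk/about">About</a>
</body></html>"""

# (tag, attribute) pairs whose http:// value makes the browser fetch a subresource
# insecurely and report the page as partially encrypted.
SUBRESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("link", "href"),
                     ("iframe", "src"), ("video", "src"), ("audio", "src"),
                     ("source", "src")}

class MixedContentScanner(HTMLParser):
    """Collect every subresource URL that an HTTPS page would load over HTTP."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in SUBRESOURCE_ATTRS and value and value.lower().startswith("http://"):
                self.insecure.append(value)

def find_mixed_content(html):
    """Return the HTTP subresource URLs found in the page, in document order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.insecure

def fix_own_host(html, host):
    """Rewrite http:// references to our own host to https://, as the post advises.
    Third-party resources are left alone: they must be checked by hand."""
    pattern = r"http://" + re.escape(host) + r"(?=[/\"'\s>])"
    return re.sub(pattern, "https://" + host, html)
```

After the rewrite only the third-party script remains on the list, which is exactly what still needs a manual decision.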

HTTP Strict Transport Security (HSTS)

When you are trying to enable HSTS on your website, you may come across the following error when you restart Apache. It is caused by the headers module (mod_headers) not being enabled within Apache itself.

Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
 failed!

You can enable the module with the following command and then restart apache2:

sudo a2enmod headers
sudo service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting

Mozilla SSL Generator

For other web server configurations you can use the Mozilla SSL configuration generator:

https://mozilla.github.io/server-side-tls/ssl-config-generator/