tls-notes.md
Server config
Mozilla Operations Security (OpSec) team:
- Cipher suite: Modern compatibility
- General server config: Nginx
Generate new Ephemeral Diffie-Hellman (DHE) parameter
openssl dhparam 4096 -out dhparam.pem
These get generated for Postfix and Nginx. Weaker keys get rotated regularly (via cron).
From Strong SSL Security on nginx:
All versions of nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL's defaults, which include a 1024-bit key for the key-exchange. Since we're using a 2048-bit certificate, DHE clients will use a weaker key-exchange than non-ephemeral DH clients.
Generate a new CSR
openssl req -nodes -newkey rsa:2048 -keyout site_dom.key -out site_dom.csr
Copy certs and keys
When adding multiple certs to a single file, the order is: local, intermediate, etc.
Example:
cat site_dom.crt intermediate.crt > /etc/ssl/certs/site_dom.pem
Test public/private key pair match
openssl x509 -noout -modulus -in public.crt | openssl sha256
openssl rsa -noout -modulus -in private.key | openssl sha256
Test a TLS connection
openssl s_client -connect example.org:993 </dev/null
Test an SNI TLS connection
openssl s_client -connect example.org:443 -servername sub.example.net </dev/null