Cet article fait suite à un précédent tutoriel – installer la dernière version d’OpenSSL sous Debian.
Cela fait un petit moment que je voulais mettre à jour ma configuration TLS et je me suis dit que la Toussaint serait parfaite pour cela.
Aujourd’hui, le serveur passe donc à TLS 1.3, ce qui nécessite une mise à jour d’OpenSSL et la mise à jour des ciphers sous NginX.
Mise à jour d’OpenSSL
Je n’avais pas mis OpenSSL à jour depuis le dernier tuto donc il est aisé de connaitre sa version:
openssl version
Résultat :
OpenSSL v1.1.0f
Code language: CSS (css)
Un autre moyen de connaître les versions disponibles dans les repos:
dpkg -l '*openssl*' | awk '/^i/{print $2}' | xargs apt-show-versions -a
Code language: JavaScript (javascript)
Résultat:
openssl:amd64 1.1.0f-5 install ok installed
openssl:amd64 1.1.0f-3+deb9u2 stable debian.mirrors.ovh.net
openssl:amd64 1.1.0f-3+deb9u2 stable security.debian.org
openssl:amd64 1.1.0f-5 newer than version in archive
perl-openssl-defaults:amd64 3 install ok installed
perl-openssl-defaults:amd64 3 stable debian.mirrors.ovh.net
perl-openssl-defaults:amd64/stable 3 uptodate
python3-openssl:all 16.2.0-1 install ok installed
python3-openssl:all 16.2.0-1 stable debian.mirrors.ovh.net
python3-openssl:all/stable 16.2.0-1 uptodate
Pour obtenir la version 1.1.1 d’OpenSSL, qui est le sésame pour TLS 1.3, nous allons temporairement ajouter le repo sid
, mettre à jour OpenSSL et ses dérivés puis remettre apt
dans sa position stable.
On met à jour nos sources apt
:
nano /etc/apt/sources.list
Code language: PHP (php)
et on y ajoute sid
:
deb http://ftp.debian.org/debian sid main
deb-src http://ftp.debian.org/debian sid main
Code language: JavaScript (javascript)
On met à jour apt
:
apt update
Et on met à jour openssl
:
apt install openssl libssl1.1
Code language: CSS (css)
Résultat:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libc6-i386 libnih-dbus1 libnih1 libssl-dev locales
python-httplib2
apt-listchanges: News
---------------------
glibc (2.26-5) unstable; urgency=medium
Starting with version 2.26-1, the glibc requires a 3.2 or later Linux
kernel. If you use an older kernel, please upgrade it *before*
installing this glibc version. Failing to do so will end-up with the
following failure:
Preparing to unpack .../libc6_2.26-5_amd64.deb ...
ERROR: This version of the GNU libc requires kernel version
3.2 or later. Please upgrade your kernel before installing
glibc.
The decision to not support older kernels is a GNU libc upstream
decision.
Note: This obviously does not apply to non-Linux kernels.
-- Aurelien Jarno <aurel32@debian.org> Tue, 23 Jan 2018 22:03:12 +0100
openssl (1.1.1-2) unstable; urgency=medium
Following various security recommendations, the default minimum TLS version
has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
plan to do same around March 2020.
The default security level for TLS connections has also be increased from
Suggested packages:
glibc-doc
The following packages will be upgraded:
Setting up libc6-i386 (2.27-8) ...
Setting up python-httplib2 (0.11.3-1) ...
Processing triggers for libc-bin (2.27-8) ...
Setting up libssl1.1:amd64 (1.1.1-2) ...
locale: Cannot set LC_ALL to default locale: No such file or directory
Setting up libc-l10n (2.27-8) ...
Setting up openssl (1.1.1-2) ...
Installing new version of config file /etc/ssl/openssl.cnf ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libc-dev-bin (2.27-8) ...
Setting up libc6-dev:amd64 (2.27-8) ...
Setting up locales (2.27-8) ...
Installing new version of config file /etc/locale.alias ...
Generating locales (this might take a while)...
en_GB.ISO-8859-1... done
en_GB.UTF-8... done
en_GB.ISO-8859-15... done
Generation complete.
Setting up libnih1 (1.0.3-10+b1) ...
Setting up libnih-dbus1 (1.0.3-10+b1) ...
Setting up libssl-dev:amd64 (1.1.1-2) ...
Processing triggers for libc-bin (2.27-8) ...
Scanning processes...
Scanning candidates...
Scanning linux images...
Failed to retrieve available kernel versions.
Restarting services...
invoke-rc.d bind9 restart
invoke-rc.d cgmanager restart
invoke-rc.d cgproxy restart
invoke-rc.d fail2ban restart
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR No section: 'Definition'
invoke-rc.d haveged restart
invoke-rc.d irqbalance restart
invoke-rc.d lvm2-lvmetad restart
invoke-rc.d lvm2-lvmpolld restart
invoke-rc.d lwresd restart
invoke-rc.d mdadm restart
invoke-rc.d mdadm-waitidle restart
invoke-rc.d minissdpd restart
invoke-rc.d nginx restart
invoke-rc.d opendkim restart
invoke-rc.d opendmarc restart
invoke-rc.d php7.2-fpm restart
invoke-rc.d postfix restart
invoke-rc.d redis-server restart
invoke-rc.d rsyslog restart
invoke-rc.d saslauthd restart
invoke-rc.d ssh restart
Services being skipped:
invoke-rc.d dbus restart
No containers need to be restarted.</aurel32@debian.org>
Code language: PHP (php)
On teste notre nouvelle verison d’openssl:
openssl version
Résultat:
OpenSSL 1.1.1 11 Sep 2018
Code language: CSS (css)
Et en un peu plus précis:
dpkg -l '*openssl*' | awk '/^i/{print $2}' | xargs apt-show-versions -a
Code language: JavaScript (javascript)
Résultat:
openssl:amd64 1.1.1-2 install ok installed
openssl:amd64 1.1.0f-3+deb9u2 stable debian.mirrors.ovh.net
openssl:amd64 1.1.0f-3+deb9u2 stable security.debian.org
openssl:amd64 1.1.1-2 sid ftp.debian.org
openssl:amd64/sid 1.1.1-2 uptodate
perl-openssl-defaults:amd64 3 install ok installed
perl-openssl-defaults:amd64 3 stable debian.mirrors.ovh.net
perl-openssl-defaults:amd64 3 sid ftp.debian.org
perl-openssl-defaults:amd64/stable 3 uptodate
python3-openssl:all 16.2.0-1 install ok installed
python3-openssl:all 16.2.0-1 stable debian.mirrors.ovh.net
python3-openssl:all 18.0.0-1 sid ftp.debian.org
python3-openssl:all/stable 16.2.0-1 upgradeable to 18.0.0-1
Mettre à jour les ciphers pour NginX
Il ne nous reste plus qu’à ajouter les nouveaux ciphers pour TLS 1.3 pour les services sécurisés.
Nous mettons donc la configuration des server blocks NginX à jour:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "TLS13+AESGCM+AES128:EECDH+AESGCM:EECDH+CHACHA20";
Code language: CSS (css)
On vérifie la configuration:
nginx -t
et on redémarre le serveur:
service nginx restart
Il ne vous reste plus qu’à vérifier votre configuration TLS sur SSL Labs.