Securing Apache VirtualHosts with GnuTLS

Installing the required packages.
aptitude install gnutls-bin libapache2-mod-gnutls

Start by creating a directory to store the certificates. The directory is given as an example; feel free to change it.

mkdir -p /etc/certs/gnutls
cd /etc/certs/gnutls

Generating the Diffie-Hellman parameters.
certtool --generate-dh-params --outfile dh.key

Creating the template for the CA certificate. In my case it is called "ca.tpl" and has the following content.

# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "Mon entreprise"

# The organizational unit of the subject.
#unit = ""

# The locality of the subject.
locality = MaVille

# The state of the certificate owner.
state = "Région"

# The country of the subject. Two letter code.
country = FR

# The common name of the certificate owner.
cn = "CA"

# A user id of the certificate owner.
#uid = "clauper"

# If the supported DN OIDs are not adequate you can set
# any OID here.
# For example set the X.520 Title and the X.520 Pseudonym
# by using OID and string pairs.
#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"

# This is deprecated and should not be used in new
# certificates.
# pkcs9_email = "none@none.org"

# The serial number of the certificate
serial = 2012013001

# In how many days, counting from today, this certificate will expire.
expiration_days = 1825

# X.509 v3 extensions

# A dnsname in case of a WWW server.
#dns_name = "*.societe.fr"

# An IP address in case of a server.
#ip_address = "192.168.1.1"

# An email in case of a person
#email = "none@none.org"

# An URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
crl_dist_points = "http://societe.fr/ca-crl.crt"

# Whether this is a CA certificate or not
ca

# Whether this certificate will be used for a TLS client
#tls_www_client

# Whether this certificate will be used for a TLS server
#tls_www_server

# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites).
#signing_key

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
#encryption_key

# Whether this key will be used to sign other certificates.
cert_signing_key

# Whether this key will be used to sign CRLs.
crl_signing_key

# Whether this key will be used to sign code.
#code_signing_key

# Whether this key will be used to sign OCSP data.
#ocsp_signing_key

# Whether this key will be used for time stamping.
#time_stamping_key

# Whether this key will be used for IPsec IKE operations.
#ipsec_ike_key

Generating the certificate authority (CA) key. This is the most important key and must never be disclosed!

certtool --generate-privkey --outfile ca.key
certtool --generate-self-signed --load-privkey ca.key --template ca.tpl --outfile ca.crt

Restricting the permissions on the CA key.

chmod 600 ca.key
chown root:root ca.key

Generating the private key for Apache.
certtool --generate-privkey --outfile apache.key

Creating the template for the Apache server certificate. In my case it is called "apache.tpl" and has the following content.

# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "Mon entreprise"

# The organizational unit of the subject.
#unit = ""

# The locality of the subject.
locality = MaVille

# The state of the certificate owner.
state = "Région"

# The country of the subject. Two letter code.
country = FR

# The common name of the certificate owner.
cn = "Apache"

# A user id of the certificate owner.
#uid = "clauper"

# If the supported DN OIDs are not adequate you can set
# any OID here.
# For example set the X.520 Title and the X.520 Pseudonym
# by using OID and string pairs.
#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"

# This is deprecated and should not be used in new
# certificates.
# pkcs9_email = "none@none.org"

# The serial number of the certificate
serial = 2012013002

# In how many days, counting from today, this certificate will expire.
expiration_days = 1825

# X.509 v3 extensions

# A dnsname in case of a WWW server.
dns_name = "*.societe.fr"

# An IP address in case of a server.
#ip_address = "192.168.1.1"

# An email in case of a person
#email = "none@none.org"

# An URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
#crl_dist_points = "http://societe.fr/ca-crl.crt"

# Whether this is a CA certificate or not
#ca

# Whether this certificate will be used for a TLS client
#tls_www_client

# Whether this certificate will be used for a TLS server
tls_www_server

# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites).
#signing_key

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
#encryption_key

# Whether this key will be used to sign other certificates.
#cert_signing_key

# Whether this key will be used to sign CRLs.
#crl_signing_key

# Whether this key will be used to sign code.
#code_signing_key

# Whether this key will be used to sign OCSP data.
#ocsp_signing_key

# Whether this key will be used for time stamping.
#time_stamping_key

# Whether this key will be used for IPsec IKE operations.
#ipsec_ike_key

Generating the certificate for the Apache sites. Everything is driven by the template, so no interactive input should be required.
certtool --generate-certificate --load-privkey apache.key --load-ca-certificate ca.crt --load-ca-privkey ca.key --template apache.tpl --outfile apache.crt

Generating the certificate revocation list (CRL).
certtool --generate-crl --load-ca-privkey ca.key --load-ca-certificate ca.crt --outfile ca-crl.crt

Converting the CA certificate to DER format so that it can be imported more easily into a browser.
certtool -i --infile ca.crt --outder --outfile x509-ca.crt
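The certificate steps above (CA key and self-signed CA certificate, server key, server certificate signed by the CA, CRL, DER copy of the CA) scripted end to end, followed by the checks worth running before handing the files to Apache: that apache.crt really chains to ca.crt, that the wildcard name landed in the subjectAltName, that ca.crt is marked as a CA, and that ca.key is private. This is an added example written for this page, not code from the original article; it assumes GnuTLS 3.x certtool, reduces the templates to the options the article enables, and adds a small crl.tpl (crl_next_update, crl_number) so that --generate-crl needs no interactive input. Setting CERT_DIR (an assumed variable) to /etc/certs/gnutls builds into that directory; otherwise the script only defines functions.

```sh
#!/bin/sh
# Added example: the article's certtool procedure as functions, plus checks.
# Assumptions: GnuTLS 3.x certtool, a POSIX shell, ls -l for permission checks.
set -eu

# Write the three templates into DIR. The CA and server templates keep only the
# options the article enables; crl.tpl is an addition so the CRL step is batch.
write_templates() {
    cat > "$1/ca.tpl" <<'EOF'
organization = "Mon entreprise"
country = FR
cn = "CA"
serial = 2012013001
expiration_days = 1825
crl_dist_points = "http://societe.fr/ca-crl.crt"
ca
cert_signing_key
crl_signing_key
EOF
    cat > "$1/apache.tpl" <<'EOF'
organization = "Mon entreprise"
country = FR
cn = "Apache"
serial = 2012013002
expiration_days = 1825
dns_name = "*.societe.fr"
tls_www_server
EOF
    cat > "$1/crl.tpl" <<'EOF'
crl_next_update = 30
crl_number = 1
EOF
}

# Run the article's steps in order inside DIR. Leaves ca.key, ca.crt,
# apache.key, apache.crt, ca-crl.crt and x509-ca.crt behind.
build_pki() {
    write_templates "$1"
    (
        cd "$1"
        certtool --generate-privkey --outfile ca.key
        certtool --generate-self-signed --load-privkey ca.key \
            --template ca.tpl --outfile ca.crt
        chmod 600 ca.key   # the CA key signs everything else: owner-only
        certtool --generate-privkey --outfile apache.key
        certtool --generate-certificate --load-privkey apache.key \
            --load-ca-certificate ca.crt --load-ca-privkey ca.key \
            --template apache.tpl --outfile apache.crt
        certtool --generate-crl --load-ca-privkey ca.key \
            --load-ca-certificate ca.crt --template crl.tpl --outfile ca-crl.crt
        certtool -i --infile ca.crt --outder --outfile x509-ca.crt
    ) >/dev/null
}

# 0 only when apache.crt is signed by ca.crt (chain file: leaf first, CA last).
verify_chain() {
    cat "$1/apache.crt" "$1/ca.crt" > "$1/chain.pem"
    certtool --verify-chain --infile "$1/chain.pem" >/dev/null 2>&1
}

# 0 when the server certificate carries NAME as a DNS subjectAltName, which is
# the field clients match the host name against (the CN alone is not enough).
has_dns_name() {
    certtool -i --infile "$1/apache.crt" 2>/dev/null | grep -Fq "DNSname: $2"
}

# 0 when ca.crt carries the CA basic constraint (needed for chain validation).
is_ca_cert() {
    certtool -i --infile "$1/ca.crt" 2>/dev/null \
        | grep -Fq "Certificate Authority (CA): TRUE"
}

# 0 when ca.key is readable and writable by its owner only (-rw-------).
ca_key_is_private() {
    [ "$(ls -l "$1/ca.key" | cut -c1-10)" = "-rw-------" ]
}

# 0 when the CRL parses and the DER copy of the CA parses as a certificate.
artifacts_parse() {
    certtool --crl-info --infile "$1/ca-crl.crt" >/dev/null 2>&1 &&
    certtool -i --inder --infile "$1/x509-ca.crt" >/dev/null 2>&1
}

# Stand-alone use: CERT_DIR=/etc/certs/gnutls sh build-pki.sh
if [ -n "${CERT_DIR:-}" ]; then
    build_pki "$CERT_DIR"
    verify_chain "$CERT_DIR" && has_dns_name "$CERT_DIR" '*.societe.fr' &&
    is_ca_cert "$CERT_DIR" && ca_key_is_private "$CERT_DIR" &&
    artifacts_parse "$CERT_DIR" && echo "PKI in $CERT_DIR checks out"
fi
```

The chain check is the one that matters most: a server certificate that was accidentally self-signed (wrong --load-ca-privkey) still loads fine in Apache and only fails in clients, so verifying it against ca.crt here is cheaper than discovering it in the browser.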

Disabling the OpenSSL module if it is already enabled, so that GnuTLS can take its place.

a2dismod ssl
a2enmod gnutls

Edit the configuration file of the VirtualHost you want to secure. Here is the content of one of my files.

<VirtualHost *:443>

	GnuTLSEnable on
	GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
	GnuTLSDHFile /etc/certs/gnutls/dh.key
	GnuTLSClientCAFile /etc/certs/gnutls/ca.crt
	GnuTLSCertificateFile /etc/certs/gnutls/apache.crt
	GnuTLSKeyFile /etc/certs/gnutls/apache.key

	ServerName test.societe.fr:443

	DocumentRoot /var/www/test

	<Directory /var/www/test>
		Options SymLinksIfOwnerMatch
		AllowOverride All
		Order Allow,Deny
		Allow from All
	</Directory>

	LogLevel warn
	ErrorLog ${APACHE_LOG_DIR}/error-test.log
	CustomLog ${APACHE_LOG_DIR}/access-test.log combined

</VirtualHost>

All that remains is to reload the Apache daemon so that the changes take effect.
service apache2 reload

The blog is now secured

To make the blog a little more secure, it now uses certificates to encrypt the entire administration section. Eventually the whole blog will be served over an encrypted connection! Something for the security-paranoid 🙄 ^^

This was made possible by the GnuTLS module for the Apache server.