Mudanças entre as edições de "SSL no Gandi"

De MochilaWiki
Ir para navegaçãoIr para pesquisar
Linha 29: Linha 29:
 
* https://www.ssllabs.com/ssltest/analyze.html?d=quijaua.me
 
* https://www.ssllabs.com/ssltest/analyze.html?d=quijaua.me
  
faltou
+
<source lang="bash">
* https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
+
openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr
* https://weakdh.org/
+
cd /etc/ssl/private
* https://en.wikipedia.org/wiki/Forward_secrecy
+
openssl dhparam -out dhparams.pem 2048
http://fatorbinario.com/tutorial-ssl-aprenda-a-instalar-um-certificado-de-baixo-custo-para-o-seu-site/
+
chmod 600 dhparams.pem
 
+
</source>
usar sha2
 
  
 
documentação atual
 
documentação atual
Linha 41: Linha 40:
 
* https://fak3r.com/2014/08/04/howto-serve-gandi-ssl-certs-in-nginx/
 
* https://fak3r.com/2014/08/04/howto-serve-gandi-ssl-certs-in-nginx/
 
* http://charlieharvey.org.uk/page/gandi_sha2_intermediate_cert_ssl_tls
 
* http://charlieharvey.org.uk/page/gandi_sha2_intermediate_cert_ssl_tls
 
+
* http://fatorbinario.com/tutorial-ssl-aprenda-a-instalar-um-certificado-de-baixo-custo-para-o-seu-site/
 +
* usar sha2
 
no nginx ficou assim
 
no nginx ficou assim
  

Edição das 14h21min de 5 de dezembro de 2015

  1. Autentique no painel
  2. clique em SSL
  3. selecione o domínio
  4. clique em get
  5. copie o conteúdo e salve num arquivo com o nome nuevo.crt
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
cat nuevo.crt GandiStandardSSLCA.pem > quijaua-me.crt
mkdir /etc/nginx/ssl/
mv quijaua-me.crt /etc/nginx/ssl/

referencias:

2015

com base em

conforme

openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr
cd /etc/ssl/private
openssl dhparam -out dhparams.pem 2048
chmod 600 dhparams.pem

documentação atual

no nginx ficou assim

*
    server {
        listen          80;
        server_name quijaua.me www.quijaua.me;
        access_log   /var/log/nginx/iredmail-access.log;
        error_log  /var/log/nginx/iredmail-error.log info;

        location / {
                rewrite ^ https://quijaua.me/mail permanent;
        }
    location ~ \.php$ {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name;
    }

}

server {
    listen       443;
    server_name  quijaua.me;

    location / {
        root   /usr/share/apache2/;
        index  index.php index.html;
    }
     location ~ \.php$ {
        root            /usr/share/apache2;
        include         fastcgi_params;
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name;
        fastcgi_param   SERVER_NAME $http_host;
        fastcgi_ignore_client_abort on;
    }
    ssl                  on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate     /etc/nginx/ssl/quijaua-me.crt22;
    ssl_certificate_key  /etc/nginx/ssl/priv/myserver.key;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/private/dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}