Letsencrypt: Prevent MITM with TLS and OCSP
fred (Joined: 01 Sep 2018, Posts: 3, Location: Germany, Hamburg)
Posted: Mon 03 Sep '18 1:39    Post subject: Letsencrypt: Prevent MITM with TLS and OCSP

Hi,
some enterprises use client-side software to break SSL traffic.
This is done by installing CAs into the local clients' CA store to simulate a legitimate SSL connection, but then sniffing (MITM) the 'secure connection'.
You can easily see this when looking at the certificate issuer inside your current browser and comparing it to the visited site name itself. If the CA issuer isn't publicly known (self-signed), you should wonder.
You can prevent this breaking by creating Let's Encrypt certs with the OCSP '--must-staple' option.
By this the apache2 sends the CA confirmation via its TLS stream and the client doesn't need to check against its local CA certs, and if it's 'not ok', the browser throws an error.
James Blond, Moderator (Joined: 19 Jan 2006, Posts: 6472, Location: Germany, Next to Hamburg)
Posted: Wed 05 Sep '18 11:41

I always install my certs by hand and don't always use Let's Encrypt. What does --must-staple do to the apache config file?
fred (Joined: 01 Sep 2018, Posts: 3, Location: Germany, Hamburg)
Posted: Sat 08 Sep '18 3:26

I also install them by hand, and before Let's Encrypt I had zero experience with 'real CAs'.
That '--must-staple' is a parameter while creating Let's Encrypt certs, and I don't know how you can recreate this on any other 'SSL providers'.
On the apache2 side you don't need any additional config options, because that 'must-staple' state is enforced by the cert itself.
You can check if it's currently running, for example, with dev.ssllabs.com.
When it's enabled it tells it in the first part of the test result: "OCSP Must Staple Supported"
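An offline way to check the 'must-staple' property discussed in the first and third posts, as an added example that is not code from either poster: the Let's Encrypt --must-staple option sets the X.509 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, RFC 7633) whose value lists the TLS extension status_request (id 5), and the minimal DER walker below locates that extension in a DER-encoded certificate and returns the feature ids. The sample extension bytes are constructed for the demonstration; the parser itself works on any real certificate passed as DER.

```python
import ssl  # only needed for the PEM/DER helpers when checking a real certificate

# OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature), DER-encoded with its tag (0x06) and length.
TLS_FEATURE_OID = bytes.fromhex("06082b06010505070118")
STATUS_REQUEST = 5        # TLS extension id for OCSP stapling (RFC 6066)
STATUS_REQUEST_V2 = 17    # RFC 6961 multi-staple variant

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def tls_features(der_cert):
    """Return the list of TLS feature ids carried by the certificate ([] if absent)."""
    # Locating the OID by byte search is enough for a check tool; a full ASN.1
    # walk of tbsCertificate.extensions would be the strictly correct approach.
    idx = der_cert.find(TLS_FEATURE_OID)
    if idx < 0:
        return []
    pos = idx + len(TLS_FEATURE_OID)
    tag, value, pos = _read_tlv(der_cert, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN sits before extnValue
        tag, value, pos = _read_tlv(der_cert, pos)
    if tag != 0x04:  # extnValue must be an OCTET STRING
        raise ValueError("malformed TLS Feature extension")
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:  # ...wrapping a SEQUENCE OF INTEGER
        raise ValueError("TLS Feature value is not a SEQUENCE")
    features, pos = [], 0
    while pos < len(seq):
        tag, num, pos = _read_tlv(seq, pos)
        if tag == 0x02:
            features.append(int.from_bytes(num, "big"))
    return features

def must_staple(der_cert):
    """True when the certificate demands an OCSP staple (status_request present)."""
    return STATUS_REQUEST in tls_features(der_cert)

# Constructed sample: a single Extension { OID, OCTET STRING { SEQUENCE { INTEGER 5 } } }.
SAMPLE_MUST_STAPLE_EXT = bytes.fromhex("3011" "06082b06010505070118" "0405" "3003020105")

if __name__ == "__main__":
    print("must-staple:", must_staple(SAMPLE_MUST_STAPLE_EXT))
```

To check a live server, feed `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` to `must_staple()`. Apache must also actually staple an OCSP response (SSLUseStapling On with an SSLStaplingCache), since a client that honours the extension rejects a handshake that arrives without a staple.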