Applying TLSv1.3 to Apache (feat. openssl)
# Web&WAS/Apache | 2022. 5. 4. 20:05
Installation environment
$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
$ ./apachectl -V
Server version: Apache/2.4.53 (Unix)
Server built: Apr 27 2022 14:08:18
Server's Module Magic Number: 20120211:124
Server loaded: APR 1.7.0, APR-UTIL 1.6.1, PCRE 8.32 2012-11-30
Compiled using: APR 1.7.0, APR-UTIL 1.6.1, PCRE 8.32 2012-11-30
Architecture: 64-bit
Server MPM: worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/apps/apache-2.4.53"
-D SUEXEC_BIN="/apps/apache-2.4.53/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
Checking the existing openssl for TLSv1.3
The first grep below prints nothing: OpenSSL 1.0.2k carries no TLSv1.3 cipher suites at all, only the TLSv1.2 ones listed by the second grep. That is why the library has to be replaced before Apache can offer TLSv1.3.
$ openssl ciphers -v | grep -i 'tlsv1.3'
$ openssl ciphers -v | grep -i 'tlsv1.2'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256
DH-DSS-AES256-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DH-RSA-AES128-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA256
DH-DSS-AES128-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
Download the latest openssl
https://www.openssl.org/source/openssl-1.1.1o.tar.gz
1.1.1o was the current release when this was written; the 1.1.1 series reached end of life in September 2023, so a new build today should take a supported 3.x release instead. Whichever tarball is used, compare it against the SHA-256 published next to it on the download page before extracting.
Install openssl
$ tar -xvzf openssl-1.1.1o.tar.gz
$ cd openssl-1.1.1o
$ ./config --prefix=/usr/local/openssl-1.1.1o --openssldir=/usr/local/openssl-1.1.1o shared
The separate prefix keeps this build away from the distro's 1.0.2k, which other packages on the host still depend on; `shared` produces the .so files that mod_ssl will be linked against.
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1o (0x101010ffL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
$ make && make install
Register the shared libraries
$ vi /etc/ld.so.conf.d/openssl.conf
/usr/local/openssl-1.1.1o/lib
$ ldconfig
Checking the new openssl for TLSv1.3
$ /usr/local/openssl-1.1.1o/bin/openssl ciphers -v | grep -i 'tlsv1.3'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
Checking and adding the openssl-related libraries
With the ld.so.conf.d entry registered above, the dynamic loader already finds the new libraries in /usr/local/openssl-1.1.1o/lib, so the two symlinks into /usr/lib64 below are not required, and they can collide with any later package that ships its own libssl.so.1.1 there. Replacing /usr/bin/openssl likewise changes the binary every other tool on the host uses; putting /usr/local/openssl-1.1.1o/bin at the front of PATH is the less invasive option.
$ ll /usr/lib64 | grep libssl
lrwxrwxrwx 1 root root 16 Jan 18 14:23 libssl.so -> libssl.so.1.0.2k
-rwxr-xr-x 1 root root 470376 Oct 14 2021 libssl.so.1.0.2k
lrwxrwxrwx 1 root root 16 Jan 18 14:23 libssl.so.10 -> libssl.so.1.0.2k
-rwxr-xr-x 1 root root 412984 Dec 4 02:57 libssl3.so
$ ln -s /usr/local/openssl-1.1.1o/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
$ ln -s /usr/local/openssl-1.1.1o/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
$ which openssl
/usr/bin/openssl
$ cd /usr/bin
$ mv openssl openssl_1.0.2k
$ ln -s /usr/local/openssl-1.1.1o/bin/openssl /usr/bin/openssl
$ ls -l | grep openssl
lrwxrwxrwx 1 root root 37 May 11 14:05 openssl -> /usr/local/openssl-1.1.1o/bin/openssl
-rwxr-xr-x 1 root root 555304 Oct 14 2021 openssl_1.0.2k
$ openssl version
OpenSSL 1.1.1o 3 May 2022
Checking which openssl Apache is linked with
The Server header still reports OpenSSL/1.0.2k-fips: swapping the command-line binary does nothing for mod_ssl, which was compiled and linked against the old library. Apache has to be rebuilt with --with-ssl pointing at the new prefix.
$ curl --head localhost
HTTP/1.1 302 Found
Date: Wed, 11 May 2022 05:17:04 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.48
Location: https://localhost/
Content-Type: text/html; charset=iso-8859-1
Reinstall Apache
Stop httpd before `make install` and start it again afterwards so the rebuilt mod_ssl is actually loaded. The configure line reuses the existing prefix and APR builds; the change is --with-ssl pointing at the new OpenSSL.
$ ./configure --prefix=/apps/apache-2.4.53 \
--with-apr=/apps/apr \
--with-apr-util=/apps/apr-util \
--with-ssl=/usr/local/openssl-1.1.1o \
--enable-so \
--enable-rewrite \
--enable-expires \
--enable-deflate \
--enable-headers \
--enable-ssl \
--with-mpm=worker
$ make && make install
Confirming Apache is linked against the new openssl
The Server header now shows OpenSSL/1.1.1o, and ldd on mod_ssl.so confirms libssl and libcrypto resolve from /usr/local/openssl-1.1.1o/lib rather than /lib64. Once this is verified, consider `ServerTokens Prod` so the exact Apache and OpenSSL versions are no longer advertised to every client.
$ curl --head localhost
HTTP/1.1 302 Found
Date: Wed, 11 May 2022 05:33:29 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o mod_jk/1.2.48
Location: https://localhost/
Content-Type: text/html; charset=iso-8859-1
$ ldd mod_ssl.so
linux-vdso.so.1 => (0x00007fff31ba9000)
libssl.so.1.1 => /usr/local/openssl-1.1.1o/lib/libssl.so.1.1 (0x00007fc13f22f000)
libcrypto.so.1.1 => /usr/local/openssl-1.1.1o/lib/libcrypto.so.1.1 (0x00007fc13ed44000)
librt.so.1 => /lib64/librt.so.1 (0x00007fc13eb3c000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fc13e905000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc13e6e9000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fc13e4e5000)
libc.so.6 => /lib64/libc.so.6 (0x00007fc13e117000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007fc13df14000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc13f700000)
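The three checks in this section (TLSv1.3 suites present, no non-forward-secret suites left enabled, mod_ssl.so resolving the new libssl) can be scripted so they are repeatable across hosts. The script below is an added example, not part of the original post: each function reads one command's output on stdin and exits 0 on pass, and the sample inputs at the bottom are constructed from the outputs shown on this page (the ldd addresses in the "old" sample are made up).

```shell
#!/bin/sh
# Added example, not from the original post: post-rebuild checks for the
# OpenSSL 1.1.1o / Apache 2.4.53 setup. Each check reads the output of one
# command on stdin and exits 0 (pass) or 1 (fail), so it works on live output
# or on output saved from another host.

# Check 1: the library advertises TLS 1.3 suites.
# Input: `openssl ciphers -v`. TLS 1.3 suites are named TLS_* and carry
# TLSv1.3 in the second column; OpenSSL 1.0.2k prints none.
has_tls13_suites() {
    awk '$2 == "TLSv1.3" && $1 ~ /^TLS_/ { n++ }
         END { if (n > 0) exit 0; exit 1 }'
}

# Check 2: list enabled suites without forward secrecy.
# Plain RSA key exchange (Kx=RSA) and static DH/ECDH (Kx=DH/..., Kx=ECDH/...)
# derive the session key from the certificate key, so a leaked private key
# decrypts recorded traffic. Prints one suite per line; exits 1 if any found.
list_non_pfs_suites() {
    awk '{
        for (i = 3; i <= NF; i++)
            if ($i == "Kx=RSA" || $i ~ /^Kx=(DH|ECDH)\//) { print $1; n++; break }
    }
    END { if (n > 0) exit 1; exit 0 }'
}

# Check 3: mod_ssl.so resolves libssl AND libcrypto from the intended prefix
# rather than the distro copies. Input: `ldd .../modules/mod_ssl.so`;
# $1 is the expected library directory.
mod_ssl_links_to() {
    awk -v want="$1" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen++
            if (index($3, want) != 1) bad++
        }
        END { if (seen == 2 && bad == 0) exit 0; exit 1 }'
}

# Constructed sample: the page's 1.1.1o TLS 1.3 lines plus two TLS 1.2 suites.
CIPHERS_NEW='TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD'

# Constructed sample: two lines from the 1.0.2k output (no TLS 1.3 at all).
CIPHERS_OLD='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD'

# Constructed samples: ldd lines from the page (new build) and a distro-linked
# module (addresses made up).
LDD_NEW='libssl.so.1.1 => /usr/local/openssl-1.1.1o/lib/libssl.so.1.1 (0x00007fc13f22f000)
libcrypto.so.1.1 => /usr/local/openssl-1.1.1o/lib/libcrypto.so.1.1 (0x00007fc13ed44000)
libc.so.6 => /lib64/libc.so.6 (0x00007fc13e117000)'
LDD_OLD='libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000001000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000002000)'

# On the real host, replace the samples with live output:
#   openssl ciphers -v | has_tls13_suites
#   openssl ciphers -v | list_non_pfs_suites
#   ldd /apps/apache-2.4.53/modules/mod_ssl.so | mod_ssl_links_to /usr/local/openssl-1.1.1o/lib
report() {
    printf '%s\n' "$CIPHERS_NEW" | has_tls13_suites \
        && echo "PASS: TLS 1.3 suites available" || echo "FAIL: no TLS 1.3 suites"
    printf '%s\n' "$LDD_NEW" | mod_ssl_links_to /usr/local/openssl-1.1.1o/lib \
        && echo "PASS: mod_ssl uses the new OpenSSL" || echo "FAIL: mod_ssl uses another libssl"
    echo "Non-PFS suites still enabled:"
    printf '%s\n' "$CIPHERS_NEW" | list_non_pfs_suites || true
}
report
```

The ldd check deliberately requires both libssl and libcrypto to come from the new prefix: a module that picks up libssl.so.1.1 from one place and libcrypto from another is exactly the mixed-library state that the /usr/lib64 symlinks above can produce.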
Checking a TLSv1.3 connection
$ curl --tlsv1.3 https://localhost
The target has to be the https:// URL: port 80 on this host only answers with the 302 redirect shown above, and no TLS version option applies to plain HTTP. Note also that the curl shipped with CentOS 7 (7.29.0) predates the --tlsv1.3 option, which arrived in curl 7.52.0, so unless curl has been updated it rejects the option outright. The openssl binary just installed can do the check instead:
$ openssl s_client -connect localhost:443 -tls1_3 </dev/null
A successful handshake prints a line of the form "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384". If the handshake is refused although mod_ssl is linked against 1.1.1o, the SSLProtocol setting in the Apache SSL configuration is what still excludes TLSv1.3.
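Rebuilding mod_ssl against OpenSSL 1.1.1o only makes TLSv1.3 possible; whether the server offers it is decided by SSLProtocol and SSLCipherSuite. The fragment below is an added example, not configuration from the original post: the file path is assumed from the --prefix used above, and the cipher lists are one conservative choice rather than the only valid one.

```apacheconf
# Added example (not from the original post). Assumed location:
# /apps/apache-2.4.53/conf/extra/httpd-ssl.conf, the default SSL config under
# the --prefix used above. Rebuilding mod_ssl against OpenSSL 1.1.1o makes
# TLS 1.3 available; these directives decide whether it is actually offered.

# Before: a common legacy setting. Pinning the protocol to TLSv1.2 means the
# rebuilt server still never negotiates TLS 1.3, and the catch-all cipher
# string keeps RSA key exchange (no forward secrecy) and CBC suites enabled.
#SSLProtocol      TLSv1.2
#SSLCipherSuite   HIGH:!aNULL:!MD5

# After: an explicit allow-list. Everything older than TLS 1.2 stays off.
SSLProtocol             -all +TLSv1.2 +TLSv1.3

# TLS 1.2 suites: ECDHE key exchange only (forward secrecy), AEAD ciphers only.
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

# TLS 1.3 suites are a separate list. This protocol-specific form needs
# mod_ssl built against OpenSSL 1.1.1 or later, which the rebuild provides.
SSLCipherSuite TLSv1.3  TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# Let the server's preference order win for TLS 1.2 clients.
SSLHonorCipherOrder     on
```

After a restart, `openssl s_client -connect localhost:443 -tls1_3 </dev/null` should report one of the three TLS 1.3 suites, and `openssl s_client -connect localhost:443 -tls1_1 </dev/null` should fail the handshake; both results together confirm the allow-list is in effect rather than a default.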