Solving “Connection is encrypted using obsolete cipher suite” warning from Chrome

Here is a how to on how to solve the dreaded warning “Your connection is encrypted using obsolete cipher suit” from Google Chrome.

Firstly the warning had nothing to do with using cheap or self-signed TLS/SSL security certificate, but it has to do with cipher suite used on the server part.

obsolete-cipher-suite

So if you are a system administrator, you can edit the site config to include a more modern cipher.

NGINX Server

Using nginx, add the line containing “ssl_cipers” to the site config.

# /etc/nginx/sites-enable/example.conf 
server {
 listen 443 ssl;
 root /var/www/example.com/;
 server_name example.com;
   ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA';

        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
...
...
...

}

sudo service nginx restart

Apache HTTP Server

For those who are using Apache HTTP server, you can edit the VirtualHost file from “/etc/apache2/sites-enable/” directory.

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate
    SSLCertificateChainFile /path/to/intermediate_certificate
    SSLCertificateKeyFile   /path/to/private/key
    SSLCACertificateFile    /path/to/all_ca_certs

    # Intermediate configuration, tweak to your needs
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA
    SSLHonorCipherOrder     on
    SSLCompression          off

    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    # On Apache 2.4+, SSLStaplingCache must be set *outside* of the VirtualHost
    SSLStaplingCache        shmcb:/var/run/ocsp(128000)
 
    # Enable this if your want HSTS (recommended)
    # Header add Strict-Transport-Security "max-age=15768000"
 
    ...
</VirtualHost>

You can restart Apache HTTP server by running

sudo service apache2 restart

Generating TLS/SSL Self Signed Certificate for Nginx in Ubuntu LTS

This post concerns on generating self-signed TLS/SSL certificate for Nginx in Ubuntu LTS and assumes that you’ve configured nginx server with a default site.

Step 1: Generate OpenSSL certificate

sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Palo Alto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mypapit LLC
Organizational Unit Name (eg, section) []:Billing
Common Name (e.g. server FQDN or YOUR name) []:Mypapit
Email Address []:mypapit+cert@gmail.com

Step 2: Edit nginx site config

You can edit nginx site config here, replace ‘default’ with your own server config.


sudo nano -c /etc/nginx/sites-enable/default

You will see this server block.


server {
        listen 80;
        listen [::]:80;
        server_name your_domain.com;
        root /var/www/your_domain.com;
        index index.html index.htm;

...
...
}

Add additional line (in italic)

server {
        listen 80;
        listen [::]:80;

    listen 443 ssl;

       server_name your_domain.com;
        root /var/www/your_domain.com;
      index index.html index.htm;

        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security max-age=31536000;



...
...
}

Save file, and restart nginx server

sudo nginx -t
sudo service nginx restart

Test configuration by going to https://your_domain.com.

Done!

Bonus: Add HSTS header and Serve only TLS

HSTS header

Moved to Singapore!

The server finally has a new home! I finally had the time to look back into this aging blog and decided to moved it to a new datacenter in Singapore!

The new blog also features SSL-only connection which added a layer of privacy between the blog and your browsers.

You can expect more updates from now on!

How to setup Secure Webserver HTTPS (SSL) on Apache in Ubuntu

Secure HTTP (SSL/TLS) has become a must if you are planning to setup a website which includes user authentication (ie. login box) or sensitive data. HTTPS prevents the sensitive data from being transfered across the network in clear text where it is susceptible to being sniffed or altered. Here is the tutorial on how to setup a secure HTTP on Apache web server in Ubuntu 10.04 (Lucid Lynx).

What do you need?

  • apache2 (Web Server)
  • openssl
  • A bit patient, because it will take some time to learn

Step 1: Create a self-signed certificate
You need to create a self-signed certificate with openssl. To do that you will need to generate the server key.


openssl genrsa -des3 -out server-sec.key 4096

…and certificate signing request (CSR)


openssl req -new -key server-sec.key -out server.csr

After that, generate the server certificate by signing it with the server key.

openssl x509 -req -days 365 -in server.csr -signkey server-sec.key -out server.crt

Keep the server-sec.key in a secure location, with read/write permission assigned only to root. Then generate a password-less copy of the key for Apache use.

openssl rsa -in server-sec.key -out server.key

By this time, you should have :

  • server.key (passwordless key for Apache)
  • server.csr (certificate signing request)
  • server.crt (certificate)
  • server-sec.key (server key)

Continue reading “How to setup Secure Webserver HTTPS (SSL) on Apache in Ubuntu”