The concept of SSL and its configuration on web servers


  Related Terms and SSL Glossary
  NGINX SSL Configuration (Configuring HTTPS servers)
  Secure Sockets Layer (SSL)
  PFX file
  SSL Certificate Checker
  Other
  Firefox cannot open this site (OCSP)

Related Terms and SSL Glossary

TLS (Transport Layer Security): TLS is an updated, more secure version of SSL. We still refer to our security certificates as SSL because it's the more common term, but when you buy SSL from DigiCert, you get the most trusted, up-to-date TLS certificates.
HTTPS (Hypertext Transfer Protocol Secure): HTTPS appears in the URL when a website is secured by an SSL/TLS certificate. Users can view the details of the certificate, including the issuing authority and the corporate name of the website owner, by clicking the lock symbol in the browser bar.

256-bit encryption: Process of scrambling an electronic document using an algorithm whose key is 256 bits in length. The longer the key, the stronger it is.
Asymmetric cryptography: Ciphers that use a pair of keys, one for encryption and one for decryption. In the world of SSL and TLS, we call them the public and private keys.
Certificate signing request (CSR): Machine-readable form of a DigiCert certificate application. A CSR usually contains the public key and distinguished name of the requester.
Certificate authority (CA): Entity authorized to issue, suspend, renew or revoke certificates under a CPS (Certification Practice Statement). CAs are identified by a distinguished name on all certificates and CRLs they issue. A CA must publicize its public key or provide a certificate from a higher-level CA attesting to the validity of its public key if it’s subordinate to a Primary Certification Authority. DigiCert is a Primary Certification Authority (PCA).
Cipher suite: A set of key exchange protocols, which includes the authentication, encryption and message authentication algorithms used within SSL protocols.
Common name (CN): Attribute value within the distinguished name of a certificate. For SSL certificates, the common name is the DNS host name of the site to be secured. For Software Publisher Certificates, the common name is the organization name.
Connection error: Security issues preventing a secure session are flagged when a user tries to access a site.
Domain Validation (DV) SSL Certificates: The most basic level of SSL certificate. Only domain name ownership is validated before the certificate is issued.
Elliptic Curve Cryptography (ECC): Creates encryption keys based on the idea of using points on a curve for the public/private key pair. ECC keys are extremely difficult to break using the brute-force methods often employed by attackers, and ECC offers a faster solution that needs less computing power than pure RSA encryption.
Encryption: Process of transforming readable (plaintext) data into an unintelligible form (ciphertext) so the original data either cannot be recovered (one-way encryption) or cannot be recovered without using an inverse decryption process (two-way encryption).
Extended Validation (EV) SSL Certificates: The most comprehensive form of secure certificate. The domain is validated and the company or organization undergoes a strict authentication process.
Key exchange: How users and servers securely establish a pre-master secret for a session.
Look beyond the lock: Our consumer education campaign about how to view high-assurance Extended Validation certificates, created to combat the meteoric rise of phishing websites that pose as legitimate companies while using a legitimate Domain Validated certificate and therefore show the same padlock as any other certificate.
Master secret: The key material used for a generation of encryption keys, MAC secrets and initialization vectors.
Message Authentication Code (MAC): A one-way hash function computed over a message and a secret.
Organization Validation (OV) SSL Certificates: A type of SSL certificate that validates ownership of the domain and the existence of the organization behind it.
Padlock: The icon found in the URL bar of most major browsers to signal a website is secured by HTTPS encryption. The padlock is only the first layer of a TLS/SSL certificate. If users click on the padlock icon, they can determine if a website has done its due diligence to keep customers safe online.
Pre-master secret: The key material used for the master secret derivation.
Public key infrastructure (PKI): Architecture, organization, techniques, practices and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. The PKI consists of systems that collaborate to provide and implement the public key cryptographic system, and possibly other related services.
Secure server: Server that protects host web pages using SSL or TLS. When a secure server is in use, the server is authenticated to the user. User information is encrypted by the web browser’s SSL protocol before being sent across the internet. Information can only be decrypted by the host site that requested it.
SAN (Subject Alternative Name) SSL certificates: Type of certificate that allows multiple domains to be secured with one SSL certificate.
SSL: Abbreviation for secure sockets layer. Protocol for web browsers and servers that allows for the authentication, encryption and decryption of data sent over the internet.
SSL certificate: Server certificate that enables authentication of the server to the user and encryption of data transferred between the server and the user.
SSL Handshake: A protocol used within SSL for the purpose of security negotiation.
Symmetric encryption: Encryption method that implies the same key is used both during the encryption and decryption processes.
TCP: Transmission control protocol, one of the main protocols in any network.
Wildcard SSL certificates: Type of certificate used to secure multiple subdomains.

NGINX SSL Configuration (Configuring HTTPS servers)

Note that when working with SSL and a proxy there are two options. Which one you choose depends on your needs, but here I cover only the first.
One option is to terminate SSL at nginx and use plain text for the connection between nginx and your internal web service. This puts the cryptographic load on nginx and leaves less work for your web service. If your web service is not publicly reachable (except through the reverse proxy) and lives on the same machine as the proxy, this is generally a safe option. This is what is covered below.
The other option is to pass SSL through nginx to the final destination. This is better if the services behind the proxy live on different machines, because the network traffic is then encrypted over the wire even though it is internal. If the destination web service behind the proxy sits on the same machine as the proxy, encrypting that hop through nginx brings less benefit. If your application is slow at doing SSL, or cannot do it at all, let nginx handle it. If your application must handle the SSL layer itself, pass it through nginx.
Adding SSL to a server in nginx requires adding the ssl keyword to the listen directive and including two additional configuration options:
    ssl_certificate
    ssl_certificate_key
There are many more SSL options, which you can find at http://nginx.org/en/docs/http/ngx_http_ssl_module.html, but the minimum requirement is the certificate and the key.

# Template SSL virtual host
server {
    listen 0.0.0.0:443 ssl;
    listen [::]:443 ssl;
    server_name www.mydomain.com;
    # Every directive must end with a semicolon, or nginx -t rejects the file
    ssl_certificate /path/to/cert.pem;              # server certificate (plus intermediates)
    ssl_certificate_key /path/to/private-key.pem;   # matching private key
    # Optional, set strong ciphers
    ssl_ciphers HIGH:!aNULL:!MD5;
}
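A fuller version of the first option (TLS terminated at nginx, plain HTTP only on the loopback to a backend on the same host), as an added example that is not part of the original page or of nginx's own documentation: a shell script that writes the server block with the hardening and OCSP-stapling directives the template leaves out, plus a pre-flight check for the two mistakes nginx -t most often reports in such a block. The host name, certificate paths, backend port and resolver addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): option 1 above, TLS terminated at nginx
# and plain HTTP to a backend on the same host. Host, paths, port: placeholders.

write_tls_vhost() {  # $1 output file
  cat > "$1" <<'EOF'
server {
    listen 0.0.0.0:443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;  # leaf + intermediates
    ssl_certificate_key /etc/nginx/ssl/private-key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # nginx fetches the OCSP response itself, so it needs a resolver that is
    # not serving stale answers and a route to the CA's responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://127.0.0.1:8080;   # plaintext stays on the loopback
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
EOF
}

# Pre-flight without root: every directive line must end in ';', and an ssl
# listener needs both ssl_certificate and ssl_certificate_key. Returns 1 on
# any finding. `nginx -t` remains the authoritative check.
lint_vhost() {  # $1 file
  rc=0
  missing=$(sed 's/#.*//' "$1" | grep -vE '^[[:space:]]*$|[{}]' | grep -v ';[[:space:]]*$' || true)
  if [ -n "$missing" ]; then printf 'no trailing ";":\n%s\n' "$missing"; rc=1; fi
  if grep -qE '^[[:space:]]*listen .*[[:space:]]ssl;' "$1"; then
    for d in ssl_certificate ssl_certificate_key; do
      grep -qE "^[[:space:]]*$d[[:space:]]" "$1" || { echo "missing $d"; rc=1; }
    done
  fi
  return $rc
}

if [ "$#" -eq 1 ]; then write_tls_vhost "$1" && lint_vhost "$1"; fi
```

Run as `sh tls-vhost.sh /etc/nginx/conf.d/www.example.com.conf`, then `nginx -t` and reload.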

Secure Sockets Layer (SSL)

How to install SSL Certificate on NGINX Server Quickly

How to Install SSL Certificate on NGINX Server

SSL/TLS Certificate Installation Instructions - Apache (Linux)


How to Create Your Own SSL Certificate Authority for Local HTTPS Development

I disabled SSL in User Level; Cant enable it now | DirectAdmin Forums

Installing SSL certificate - TinyCP

Installing an SSL Certificate in Linux Command Line



How to Install an SSL/TLS Certificate In Nginx - The SSL Store™

Installing an SSL certificate on Nginx - Hosting - Namecheap.com

PFX file

/docs/manmaster/man1/openssl-pkcs12.html

Installing Certificate PFX into Debian Linux – Liam Cleary [MVP Alumni and MCT]

openssl - Convert an old style .p12 to .pem (unsupported algorithm RC2-40-CBC) - Stack Overflow

Prism - How to extract CA Chain, Public Certificate and RSA Key from PFX file

Generating CSR on Apache + OpenSSL/ModSSL/Nginx + Heroku - SSL Certificates - Namecheap.com

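The extraction the links above describe, as an added example rather than code from any of those pages: a POSIX shell script that pulls the CA chain, the server certificate and the private key out of a .pfx with openssl pkcs12, retries with OpenSSL 3's -legacy switch for old bundles encrypted with RC2-40-CBC, and checks that the key belongs to the certificate. File names and the password are placeholders; the self-signed fixture exists only so the script can be tried offline.

```shell
#!/bin/sh
# Added example (not from the page): split a .pfx/.p12 into the CA chain, the
# leaf certificate and the private key, and confirm the key matches the
# certificate. File names and the password are placeholders.

# Run openssl pkcs12; if it fails (e.g. an old bundle encrypted with
# RC2-40-CBC, which OpenSSL 3 rejects by default) retry with -legacy, which
# loads the legacy provider for that one invocation.
p12() {  # $1 pfx, $2 password, remaining args: pkcs12 options
  pfx=$1; pw=$2; shift 2
  openssl pkcs12 -in "$pfx" -passin "pass:$pw" "$@" 2>/dev/null ||
    openssl pkcs12 -legacy -in "$pfx" -passin "pass:$pw" "$@"
}

pkcs12_extract() {  # $1 pfx, $2 password, $3 output directory
  mkdir -p "$3" &&
  p12 "$1" "$2" -cacerts -nokeys -out "$3/chain.pem" &&  # intermediates (may be empty)
  p12 "$1" "$2" -clcerts -nokeys -out "$3/cert.pem" &&   # the server certificate
  p12 "$1" "$2" -nocerts -nodes -out "$3/key.pem" &&     # unencrypted private key
  chmod 600 "$3/key.pem"   # PEM readers skip the "Bag Attributes" header lines
}

# 0 if the certificate's public key equals the one derived from the key.
key_matches_cert() {  # $1 cert.pem, $2 key.pem
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed fixture (not a real bundle): a throwaway self-signed certificate
# packed into a .pfx, so the functions can be exercised offline.
make_test_pfx() {  # $1 directory, $2 password
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=pfx-test \
    -keyout "$1/t.key" -out "$1/t.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$1/t.crt" -inkey "$1/t.key" \
    -out "$1/test.pfx" -passout "pass:$2"
}

# usage: sh pfx-split.sh bundle.pfx 'password' ./out
if [ "$#" -eq 3 ]; then
  pkcs12_extract "$1" "$2" "$3" && key_matches_cert "$3/cert.pem" "$3/key.pem" &&
    echo "extracted to $3; key matches certificate"
fi
```

For nginx, concatenate cert.pem and chain.pem (leaf first) into the file named by ssl_certificate, and point ssl_certificate_key at key.pem.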

SSL Certificate Checker

SSL Server Test (Powered by Qualys SSL Labs)

SSL Certificate Checker

SSL Checker

Other

ocsp.startssl.com

Buy SSL - SSL certificate - SSL certificates and HTTPS - MobinHost


Site security by buying SSL - buy SSL - SSL certificate - cheap SSL - buy SSL

Managing domain certificates

Free, valid and permanent SSL, from issuance to installation in 4 minutes! | XVPS

Need a free SSL certificate? Easy / Habr

NGINX SSL Termination | NGINX Documentation

internet - Edge HTTPS Certificate Issue: ERR_CERTIFICATE_TRANSPARENCY_REQUIRED - Super User

Nginx SSL configuration not working on mobile browsers - Stack Overflow

Firefox cannot open this site (OCSP)

OCSP (Online Certificate Status Protocol) ensures that the current status of a given SSL certificate is communicated to the web server and to the client's browser. The protocol reports whether a certificate has been revoked, so the browser knows to refuse the connection. Traditionally the requesting browser makes these checks with the OCSP provider itself, which extends the time a full SSL/TLS handshake takes and, as a result, makes HTTPS connections slower.
cPanel's Apache installation, by default, implements a technique known as OCSP Stapling, which functions as a type of caching for the OCSP status. After the server makes the first OCSP connection, the status is "stapled" to the SSL/TLS handshake from the server end, which removes a significant load from the connecting browser and makes HTTPS connections faster.
This error comes into play when OCSP Stapling fails because the host server could not connect to the certificate authority's OCSP server. This can happen for a variety of reasons. Common ones include DNS caching causing your server to try connecting to the wrong IP address, network issues preventing your server from reaching the OCSP server, or the certificate authority experiencing service issues.
Many certificate authorities rotate the IP addresses where their OCSP server is hosted fairly frequently. This can result in servers trying to reach an old IP address, which fails. You can verify this by comparing what your server resolves the OCSP server's name to against what a common public DNS resolver returns.
The most common reason for sites reporting OCSP errors is network errors. Often, as a result of datacenter blocks, server firewalls, or other network interference, the server is unable to connect to the necessary OCSP server. This can most reliably be verified by simply trying to ping (ping6 for servers with IPv6 configured) the OCSP server named in your error.
Infrequently, certificate authorities have downtime on their OCSP responder servers. Certificate authorities such as Sectigo offer ways to check their service status and will announce if they're experiencing OCSP issues. If there are systemic issues with the OCSP responder servers, there will likely be a notice on their status page and, ideally, a projected ETA for service to be restored.
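The diagnostic steps above (which responder the certificate names, stale DNS, reachability, and what the server actually staples) as a shell script; this is an added example, not part of the original text or of cPanel. It assumes openssl, getent and dig are installed, and the host name and public resolver address are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): the checks behind the OCSP failure causes
# listed above, to be run on the server that serves the certificate. Host
# name and resolver address are placeholders; dig and openssl are assumed.

# 1. Which responder does the certificate name? (Authority Information Access)
ocsp_uri() {  # $1 cert.pem
  openssl x509 -in "$1" -noout -ocsp_uri
}

# 2. Stale DNS: compare this host's answer with a public resolver's.
compare_resolution() {  # $1 responder host name, $2 public resolver IP
  printf 'local : %s\n' "$(getent hosts "$1" | awk '{print $1}' | tr '\n' ' ')"
  printf 'public: %s\n' "$(dig +short "$1" @"$2" | tr '\n' ' ')"
}

# 3. Reachability: a real OCSP query, which proves more than ping does
#    (ping shows routing; the stapler needs an HTTP answer from the responder).
ocsp_query() {  # $1 cert.pem, $2 issuer chain.pem, $3 responder URL
  openssl ocsp -issuer "$2" -cert "$1" -url "$3" -resp_text 2>&1 | head -n 12
}

# 4. What the server actually staples. Reads `openssl s_client -status`
#    output on stdin; prints good/revoked/unknown (the Cert Status), error
#    (responder refused), none (nothing stapled) or unparsed.
stapling_status() {
  awk '/^OCSP response: no response sent/ { print "none"; found = 1; exit }
       /OCSP Response Status:/ && $0 !~ /successful/ { print "error"; found = 1; exit }
       /Cert Status:/ { print $3; found = 1; exit }
       END { if (!found) print "unparsed" }'
}

check_live() {  # $1 host name
  openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null |
    stapling_status
}

# Constructed sample of the relevant s_client lines (not a real capture).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================'

if [ "$#" -eq 1 ]; then printf '%s staples: %s\n' "$1" "$(check_live "$1")"; fi
```

A result of none from check_live on a host with stapling enabled is the symptom described above; ocsp_uri, compare_resolution and ocsp_query then narrow it down to DNS, network or CA-side trouble.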
