NetTalk Central

Author Topic: some SSL/TLS questions

tglomb

some SSL/TLS questions
« on: February 18, 2014, 11:52:49 AM »
Hello,
I'm starting with a new NT project which must be all SSL/TLS.
1. Each of my customers will run the Webserver totally independent of each other on their own machines with their own web address and DNS entry. Do I need a separate SSL certificate for each customer server, or can I use one for all which is personalized to me/my company?
2. I know that SSL certificates have a limited lifetime. What happens if a certificate runs out regarding the workability of the webserver? Do I only need to copy the renewed certificate files into the appropriate folder and replace the old ones?
3. TLS version 1.2 with AES256 is the best regarding security?! Can I force NT to use it?
4. Any ideas for the most secure login mechanism for the users of my customers (users and passwords stored in the DB of each customer)?
Thanks in advance,
Thomas

debzidoodle

Re: some SSL/TLS questions
« Reply #1 on: February 18, 2014, 12:15:53 PM »
You could use a wildcard certificate; this would allow you to use *.yourDomainName.com for your clients' URLs.  But if they will be completely different URLs then you need different certs for each one.

To me it sounds like a real pain to have everyone on their own machines, so I would really think about whether this is really needed; it will significantly increase your workload to do it this way.

hope that helps,
Debra

tglomb

Re: some SSL/TLS questions
« Reply #2 on: February 18, 2014, 03:30:37 PM »
Thanks Debra,
F***, I feared it. But I have no choice..
I know the process for getting a code signing cert. Does it mean that my customers must buy their SSL certs themselves (regarding the proofs by the CA)?
TIA, Thomas

debzidoodle

Re: some SSL/TLS questions
« Reply #3 on: February 18, 2014, 04:52:39 PM »
That will depend on the type of cert they are after.  If they want a cert that says their identity is verified, or one that has the green bar with their name (like you see on github), then yeah, they will likely need to get it on their own.  You can also do a cert where they do not verify your identity, but rather just the domain name...  look at http://www.instantssl.com and look at their Essential SSL certificate; obtaining these is much faster, but the certificate will not say the identity is verified.  So it all depends on what you need.

Bruce

Re: some SSL/TLS questions
« Reply #4 on: February 18, 2014, 07:56:47 PM »
>> 1. Do I need a separate SSL certificate for each customer server

yes.  Specifically you need a separate SSL certificate for each domain name. Which implies that they will need their own domain. (For intranet apps this gets icky)

>> 2. I know that SSL certificates have a limited lifetime. What happens if a certificate runs out regarding the workability of the webserver ?

users browsing to the site will get all kinds of scary warnings (at best) or their browser may refuse to access the site at all.

>> Do I need only to copy the renewed certificate files into the appropriate folder and replace the old ones ?

yes.

>> 3. TLS Version 1.2 with AES256 is the best regarding security !? Can I force NT to use it ?

I haven't explicitly explored this as an option, but I believe OpenSSL (which is the SSL we use) has "partial" support for TLS 1.2. The "partial" meaning that the Suite B of ciphers is not yet supported. You can specify the SSL or TLS level, so I'm guessing fixing it to TLS1.2 should not be too hard.

>> 4. Any ideas for the most secure Login mechanism for the users of my customers (users and passwords stored in the DB of each customer) ?

for starters you don't store the Password at all. What you do is
a) add a "Salt" field, which is a non-secret, random string field for each user.
b) create a HASH (Sha-256) of the Salt & Password and store this in the database.
c) when the user logs in, calculate a HASH of the Salt & WhatTheyTypedIn and see if the two hashes match.

This is considered to be a best practice - in the event of the data being compromised, actual passwords are not exposed.

Cheers
Bruce
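The salt-and-hash login scheme from the reply above, as an added example in Python (not NetTalk or Clarion code from the project or the poster). It implements steps a) to c) exactly as described, and additionally offers a PBKDF2 variant, since a plain single SHA-256 is fast enough that leaked hashes can be guessed offline at high speed; the iteration count is an assumption to tune per server.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16
PBKDF2_ITERATIONS = 200_000  # assumption: tune to your server's CPU budget


def make_salt() -> str:
    """Step a): a non-secret random salt, hex-encoded for a string DB field."""
    return secrets.token_hex(SALT_BYTES)


def hash_password(salt_hex: str, password: str, slow: bool = True) -> str:
    """Step b): hash Salt & Password.

    slow=False is the plain SHA-256 construction described in the reply;
    slow=True uses PBKDF2-HMAC-SHA256 so each guess costs the attacker
    many iterations instead of one hash.
    """
    salt = bytes.fromhex(salt_hex)
    pwd = password.encode("utf-8")
    if slow:
        digest = hashlib.pbkdf2_hmac("sha256", pwd, salt, PBKDF2_ITERATIONS)
    else:
        digest = hashlib.sha256(salt + pwd).digest()
    return digest.hex()


def register_user(password: str, slow: bool = True) -> dict:
    """What the customer's DB stores: salt and hash, never the password."""
    salt_hex = make_salt()
    return {"salt": salt_hex, "hash": hash_password(salt_hex, password, slow)}


def verify_login(record: dict, typed: str, slow: bool = True) -> bool:
    """Step c): hash Salt & WhatTheyTypedIn and compare with the stored hash.

    compare_digest avoids leaking the match position through timing.
    """
    candidate = hash_password(record["salt"], typed, slow)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = register_user("correct horse battery staple")  # constructed sample
    print(verify_login(rec, "correct horse battery staple"))   # True
    print(verify_login(rec, "Correct horse battery staple"))   # False
```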


tglomb

Re: some SSL/TLS questions
« Reply #5 on: February 19, 2014, 05:02:34 AM »
Debra and Bruce - thank you!
I'll for sure come back here after some re-investigations and first trials. Have a nice day.
Regards, Thomas

tglomb

Re: some SSL/TLS questions
« Reply #6 on: February 19, 2014, 05:43:19 AM »
BTW, I found a very interesting and enlightening site:

https://crackstation.net/hashing-security.htm

Enjoy !

Bruce

Re: some SSL/TLS questions
« Reply #7 on: February 20, 2014, 01:42:03 AM »
good link - well worth a read for those who want to understand the background.

cheers
Bruce