~~NOTOC~~
====== Szenario 10.1: TLS-Server einrichten ======
**Kategorie:** [[.:start|TLS/mTLS]] \\
**Komplexität:** ⭐⭐⭐ (Mittel) \\
**Voraussetzungen:** Server-Zertifikat, Private Key, Intermediate-CA-Zertifikat (für die Kette) \\
**Geschätzte Zeit:** 20-30 Minuten
----
===== Beschreibung =====
Dieses Szenario beschreibt die **Einrichtung eines TLS-Servers** mit Post-Quantum-sicheren Zertifikaten (ML-DSA oder Hybrid). TLS 1.3 ist Pflicht; ältere Protokollversionen werden in allen Konfigurationen unten explizit abgeschaltet. Hinweis: Ein ML-DSA-Zertifikat sichert nur die Authentisierung des Servers. Der Schlüsselaustausch ist erst dann quantensicher, wenn zusätzlich eine hybride ML-KEM-Gruppe (z.B. X25519MLKEM768) konfiguriert wird und der eingesetzte TLS-Stack sie unterstützt.
**Komponenten:**
* Server-Zertifikat (ML-DSA oder Hybrid)
* Zertifikatskette (Server-Zertifikat + Intermediate; das Root-Zertifikat wird nicht mitgesendet, sondern nur zur Prüfung benötigt)
* TLS-Konfiguration
* Cipher Suites
----
===== Workflow =====
flowchart LR
CERT[Zertifikat vorbereiten] --> CHAIN[Kette erstellen]
CHAIN --> CONFIG[TLS konfigurieren]
CONFIG --> TEST[Testen]
TEST --> DEPLOY[Deployment]
style CONFIG fill:#e8f5e9
----
===== Code-Beispiel: ASP.NET Core Kestrel =====
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;
// Kestrel host with a single HTTPS listener on 443, TLS 1.3 only.
// NOTE(review): binding port 443 needs root or CAP_NET_BIND_SERVICE on Linux.
// SslProtocols lives in System.Security.Authentication and X509RevocationMode /
// X509Certificate2 in System.Security.Cryptography.X509Certificates; neither is part of
// the Web SDK's implicit usings, so both usings must be present for this listing to compile.
var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(options =>
{
    options.ListenAnyIP(443, listenOptions =>
    {
        listenOptions.UseHttps(httpsOptions =>
        {
            // Leaf certificate with its private key. See LoadCertificateChain below for what
            // actually happens to the intermediate - it is not necessarily sent in the handshake.
            httpsOptions.ServerCertificate = LoadCertificateChain(
                "server.crt.pem",
                "server.key.pem",
                "intermediate-ca.crt.pem"
            );
            // TLS 1.3 only: TLS 1.2 clients (and OS TLS stacks without 1.3 support) are rejected.
            httpsOptions.SslProtocols = SslProtocols.Tls13;
            // NOTE(review): this does NOT enable OCSP stapling. CertificateRevocationCheckMode
            // controls revocation checking of the *peer* (client) certificate, so it only has an
            // effect when client certificates are requested (see scenario 10.3); Online mode then
            // performs a network lookup during the handshake. Nothing in this listing staples an
            // OCSP response for the server certificate - do that at a reverse proxy (nginx/Apache
            // sections below) if stapling is required.
            httpsOptions.OnAuthenticate = (context, sslOptions) =>
            {
                sslOptions.CertificateRevocationCheckMode = X509RevocationMode.Online;
            };
        });
        // HTTP/1.1 and HTTP/2; h2 is negotiated via ALPN inside the TLS handshake.
        listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
    });
});
var app = builder.Build();
// HSTS. The ASP.NET Core default is max-age 30 days without includeSubDomains/preload and
// excludes localhost; call builder.Services.AddHsts(...) to match the 2-year policy used in the
// nginx/Apache sections. Usually guarded with `if (!app.Environment.IsDevelopment())`.
app.UseHsts();
app.MapGet("/", () => "TLS Server aktiv");
app.Run();
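/// <summary>
/// Loads the server certificate and its private key through the PQ crypto context, bundles it
/// with the intermediate into an in-memory PKCS#12 and re-imports that as an
/// <see cref="X509Certificate2"/> Kestrel can serve.
/// </summary>
/// <param name="certPath">PEM file with the server (leaf) certificate.</param>
/// <param name="keyPath">PEM file with the matching private key.</param>
/// <param name="chainPath">PEM file with the intermediate CA certificate.</param>
/// <returns>The leaf certificate with its private key attached.</returns>
/// <exception cref="InvalidOperationException">
/// The re-imported certificate carries no private key (Kestrel would otherwise fail at the first handshake).
/// </exception>
static X509Certificate2 LoadCertificateChain(
    string certPath,
    string keyPath,
    string chainPath)
{
    using var ctx = PqCryptoContext.Initialize();
    // Leaf certificate plus private key; third argument: no key passphrase.
    var cert = ctx.LoadCertificateWithPrivateKey(certPath, keyPath, null);
    var intermediate = ctx.LoadCertificate(chainPath);
    // NOTE(review): GetRSAPrivateKey() returns null for every non-RSA key, i.e. for the ML-DSA /
    // hybrid certificates this scenario is about. Whether ExportToPfx then falls back to the key
    // already inside `cert` is not visible here - confirm against PqCryptoContext; the HasPrivateKey
    // check below turns a silent keyless PFX into a clear startup error.
    var pfxBytes = ctx.ExportToPfx(cert, cert.GetRSAPrivateKey(), new[] { intermediate }, null);
    try
    {
        // NOTE(review): this constructor keeps only the end-entity certificate; the intermediate
        // packed into the PFX is not retained, so despite the method name the chain is not handed
        // to Kestrel. To send the intermediate in the handshake, import the PFX into an
        // X509Certificate2Collection and assign it to HttpsConnectionAdapterOptions.ServerCertificateChain.
        // (.NET 9+ flags this constructor as obsolete in favour of X509CertificateLoader.LoadPkcs12.)
        var serverCert = new X509Certificate2(pfxBytes);
        // Fail fast at startup instead of at the first TLS handshake.
        if (!serverCert.HasPrivateKey)
        {
            serverCert.Dispose();
            throw new InvalidOperationException(
                $"Certificate '{certPath}' was loaded without its private key; Kestrel cannot serve TLS with it.");
        }
        return serverCert;
    }
    finally
    {
        // The PFX bytes contain the private key; do not leave them around in managed memory.
        CryptographicOperations.ZeroMemory(pfxBytes);
    }
}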
----
===== Nginx Konfiguration =====
server {
    # NOTE(review): "listen ... http2" is deprecated since nginx 1.25.1; newer builds use
    # `listen 443 ssl;` plus `http2 on;`. Left unchanged so the listing also works on older releases.
    listen 443 ssl http2;
    # Clients must present this name via SNI to receive this certificate (openssl s_client -servername).
    server_name www.example.com;
    # Leaf certificate followed by the intermediate, leaf first, no root (see "Zertifikatskette erstellen").
    # ML-DSA certificates need an OpenSSL that understands them (3.5 or newer) - confirm for your nginx build.
    ssl_certificate /etc/nginx/ssl/server-chain.pem;
    # The key file must be readable by the nginx master process only (root:root, 0600).
    ssl_certificate_key /etc/nginx/ssl/server.key.pem;
    # TLS 1.3 only; TLS 1.2 clients are rejected at the handshake.
    ssl_protocols TLSv1.3;
    # NOTE(review): with OpenSSL, ssl_ciphers only governs TLS <= 1.2. TLS 1.3 suites are selected with
    #   ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    # (nginx >= 1.19.4). The OpenSSL default already contains only AEAD suites, so leaving this off is fine.
    # ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    # All TLS 1.3 suites are AEAD; letting the client choose lets devices without AES-NI pick ChaCha20.
    ssl_prefer_server_ciphers off;
    # Post-quantum key exchange is NOT provided by the certificate. The hybrid ML-KEM groups are set via
    # ssl_ecdh_curve, e.g. `ssl_ecdh_curve X25519MLKEM768:X25519;` - requires an OpenSSL with ML-KEM
    # support (3.5+); confirm for your build before enabling.
    # OCSP stapling. Needs an OCSP URL (AIA extension) in the server certificate; a private PQ test CA
    # without a responder makes this a silent no-op. ssl_trusted_certificate must contain the intermediate
    # AND the root so nginx can verify the responder signature (ssl_stapling_verify).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/ca-chain.pem;
    # NOTE(review): the resolver is only used to look up the OCSP responder, but these lookups go in the
    # clear to a public resolver; point this at an internal resolver in production.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # HSTS: 2 years, all subdomains, preload-eligible. "preload" submits the domain to the browser preload
    # lists and is hard to undo - only add it when every subdomain is HTTPS-only.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    # Session resumption: tickets off forces stateful resumption through the shared cache, so resumption
    # secrets live in nginx memory for up to ssl_session_timeout (1 day here); shorten if that matters.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    location / {
        # TLS terminates here; the hop to the backend is plaintext HTTP and must stay on a trusted network
        # (or be re-encrypted). The backend must trust the X-Forwarded-* headers only from this proxy.
        proxy_pass http://backend:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
----
===== Apache Konfiguration =====
# NOTE(review): no <VirtualHost> / <Directory> context is shown in this excerpt. SSLStaplingCache must
# live in the global server context (Apache refuses to start with it inside <VirtualHost>), and the
# Options / AllowOverride / Require lines at the bottom belong in a <Directory> block.
ServerName www.example.com
# Enable mod_ssl for this host
SSLEngine on
# Certificates. Since Apache 2.4.8 SSLCertificateChainFile is deprecated: put leaf + intermediate into
# SSLCertificateFile (same order as server-chain.pem) instead. ML-DSA certificates need an OpenSSL that
# understands them (3.5 or newer) - confirm for your mod_ssl build.
SSLCertificateFile /etc/apache2/ssl/server.crt.pem
# Readable by root only (0600)
SSLCertificateKeyFile /etc/apache2/ssl/server.key.pem
SSLCertificateChainFile /etc/apache2/ssl/intermediate-ca.crt.pem
# TLS 1.3 only
SSLProtocol -all +TLSv1.3
# Post-quantum key exchange is not provided by the certificate; hybrid groups are configured with
# `SSLOpenSSLConfCmd Curves X25519MLKEM768:X25519` (needs OpenSSL 3.5+; confirm for your build).
# OCSP stapling - needs an OCSP URL (AIA) in the server certificate, otherwise it silently does nothing.
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLStaplingResponderTimeout 5
# Do not forward responder errors to clients (a client would abort the handshake on them)
SSLStaplingReturnResponderErrors off
# HSTS (needs mod_headers). "preload" is hard to undo - only use it when all subdomains are HTTPS-only.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# TLS-level compression off: this mitigates CRIME (TLS 1.3 has no compression anyway). BREACH is about
# HTTP body compression and is NOT addressed by this directive - keep mod_deflate away from responses
# that carry secrets.
SSLCompression off
# Consider `SSLSessionTickets off` (mod_ssl 2.4.11+) to match the nginx setup.
# Per-directory settings. AllowOverride All lets any .htaccess rewrite this configuration - prefer None
# unless overrides are genuinely needed.
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
----
===== Zertifikatskette erstellen =====
# Chain order matters: leaf first, then the intermediate(s). The root is NOT included (clients have it).
# Every PEM file must end with a newline, otherwise "-----END CERTIFICATE----------BEGIN" is produced
# and the second certificate is silently dropped.
cat server.crt.pem intermediate-ca.crt.pem > server-chain.pem
# Print subject/issuer of every certificate in the bundle to confirm the order (leaf first).
openssl crl2pkcs7 -nocrl -certfile server-chain.pem | openssl pkcs7 -print_certs -noout
# Validate the path leaf -> intermediate -> root. ML-DSA signatures need an OpenSSL that supports
# them (3.5 or newer) - confirm for your installation.
openssl verify -CAfile root-ca.crt.pem -untrusted intermediate-ca.crt.pem server.crt.pem
----
===== TLS-Konfiguration testen =====
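# SSL Labs (only for publicly reachable hosts; note that it hands your hostname to a third party)
# https://www.ssllabs.com/ssltest/

# Local handshake test. -servername sends SNI so the vhost's certificate (not the default server's)
# is returned; </dev/null closes stdin so s_client exits right after the handshake instead of waiting.
openssl s_client -connect localhost:443 -servername www.example.com -tls1_3 -brief </dev/null

# Cipher suite check. TLS 1.3 suites are selected with -ciphersuites; -cipher only covers TLS <= 1.2
# and would have no effect on a TLS 1.3-only server.
openssl s_client -connect localhost:443 -servername www.example.com -tls1_3 \
    -ciphersuites TLS_AES_256_GCM_SHA384 </dev/null | openssl x509 -text -noout

# OCSP stapling check. -status requests a stapled response; the output is either "OCSP Response Data:"
# (stapling works) or "OCSP response: no response sent" (not active) - grep -i catches both spellings.
openssl s_client -connect localhost:443 -servername www.example.com -status </dev/null | grep -i -A 5 "OCSP response"

# Comprehensive scan (protocols, suites, known vulnerabilities)
./testssl.sh localhost:443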
----
===== C# Test-Client =====
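/// <summary>
/// Opens an HTTPS connection to <paramref name="url"/> and prints the server certificate, its chain
/// and any TLS policy errors to the console. Diagnostic only: the validation callback reports, it
/// never relaxes the platform's default certificate validation.
/// </summary>
/// <param name="url">Absolute https:// URL of the server under test.</param>
/// <param name="cancellationToken">Cancels the request; optional, so existing callers are unaffected.</param>
/// <exception cref="HttpRequestException">The TLS handshake was rejected or the request failed.</exception>
public async Task TestTlsConnection(string url, CancellationToken cancellationToken = default)
{
    var handler = new HttpClientHandler
    {
        // Returning true only when errors == None preserves default validation. Never return true
        // unconditionally here - that is the classic "disable TLS verification" mistake.
        ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
        {
            if (cert is null)
            {
                Console.WriteLine("SSL Errors: server presented no certificate");
                return false;
            }
            Console.WriteLine($"Server: {cert.Subject}");
            Console.WriteLine($"Issuer: {cert.Issuer}");
            // FriendlyName is null for algorithms the runtime does not know (e.g. ML-DSA on older
            // .NET versions); fall back to the raw OID so the line is still informative.
            Console.WriteLine($"Algorithm: {cert.SignatureAlgorithm.FriendlyName ?? cert.SignatureAlgorithm.Value}");
            Console.WriteLine($"Valid until: {cert.NotAfter}");
            if (chain is not null)
            {
                Console.WriteLine($"Chain length: {chain.ChainElements.Count}");
                foreach (var element in chain.ChainElements)
                {
                    Console.WriteLine($" - {element.Certificate.Subject}");
                }
                // ChainStatus says *why* a chain failed (untrusted root, revoked, expired, ...);
                // SslPolicyErrors alone only says that it did.
                foreach (var status in chain.ChainStatus)
                {
                    Console.WriteLine($"   ! {status.Status}: {status.StatusInformation}");
                }
            }
            if (errors != SslPolicyErrors.None)
            {
                Console.WriteLine($"SSL Errors: {errors}");
                return false;
            }
            return true;
        }
    };
    // HttpClient disposes the handler with it; a fresh client per call is fine for a diagnostic.
    using var client = new HttpClient(handler);
    var response = await client.GetAsync(url, cancellationToken);
    Console.WriteLine($"Status: {response.StatusCode}");
    // response.Version is the negotiated HTTP version (1.1 / 2.0), not the TLS version; the TLS
    // version is only visible on an SslStream, not through HttpClient.
    Console.WriteLine($"HTTP version: {response.Version}");
}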
----
===== Branchenspezifische TLS-Anforderungen =====
^ Branche ^ Min. TLS ^ Cipher Suites ^ Besonderheit ^
| **PCI-DSS** | TLS 1.2+ | Starke Ciphers | Jährliche Prüfung |
| **HIPAA** | TLS 1.2+ | Nach NIST SP 800-52 (HIPAA selbst schreibt keine Cipher Suites vor; AES-256-GCM ist gängige Praxis) | Audit-Logging |
| **BSI TR-02102-2** | TLS 1.2+ (TLS 1.3 empfohlen) | BSI-konforme Suites | PFS Pflicht |
| **Energie/SCADA** | TLS 1.2+ | ICS-spezifisch | Langzeit-Support |
----
===== Verwandte Szenarien =====
^ Beziehung ^ Szenario ^ Beschreibung ^
| **Voraussetzung** | [[de:int:pqcrypt:szenarien:zertifikate:server_cert|3.1 Server-Zertifikat]] | Cert erstellen |
| **Nächster Schritt** | [[.:client_config|10.2 TLS-Client]] | Client konfigurieren |
| **Erweiterung** | [[.:mtls_deployment|10.3 mTLS Deployment]] | Gegenseitige Auth |
----
<< [[.:start|← TLS-Übersicht]] | [[de:int:pqcrypt:szenarien:start|↑ Szenarien]] | [[.:client_config|10.2 TLS-Client →]] >>
{{tag>szenario tls server nginx kestrel https}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//