Kategorie: TLS/mTLS
Komplexität: ⭐⭐⭐ (Mittel)
Voraussetzungen: Server-Zertifikat, Private Key
Geschätzte Zeit: 20-30 Minuten
Dieses Szenario beschreibt die Einrichtung eines TLS-Servers mit Post-Quantum-sicheren Zertifikaten. TLS 1.3 ist Pflicht für moderne Sicherheit.
Komponenten:
using Microsoft.AspNetCore.Server.Kestrel.Core; using Microsoft.AspNetCore.Server.Kestrel.Https; var builder = WebApplication.CreateBuilder(args); builder.WebHost.ConfigureKestrel(options => { options.ListenAnyIP(443, listenOptions => { listenOptions.UseHttps(httpsOptions => { // Server-Zertifikat laden httpsOptions.ServerCertificate = LoadCertificateChain( "server.crt.pem", "server.key.pem", "intermediate-ca.crt.pem" ); // TLS 1.3 erzwingen httpsOptions.SslProtocols = SslProtocols.Tls13; // OCSP Stapling aktivieren httpsOptions.OnAuthenticate = (context, sslOptions) => { sslOptions.CertificateRevocationCheckMode = X509RevocationMode.Online; }; }); // HTTP/2 aktivieren listenOptions.Protocols = HttpProtocols.Http1AndHttp2; }); }); var app = builder.Build(); // HSTS aktivieren app.UseHsts(); app.MapGet("/", () => "TLS Server aktiv"); app.Run(); static X509Certificate2 LoadCertificateChain( string certPath, string keyPath, string chainPath) { using var ctx = PqCryptoContext.Initialize(); // Server-Zertifikat mit Private Key var cert = ctx.LoadCertificateWithPrivateKey(certPath, keyPath, null); // Chain hinzufügen (für vollständige Kette) var intermediate = ctx.LoadCertificate(chainPath); // PFX mit Chain erstellen var pfxBytes = ctx.ExportToPfx(cert, cert.GetRSAPrivateKey(), new[] { intermediate }, null); return new X509Certificate2(pfxBytes); }
server { listen 443 ssl http2; server_name www.example.com; # Server-Zertifikat (mit Chain) ssl_certificate /etc/nginx/ssl/server-chain.pem; ssl_certificate_key /etc/nginx/ssl/server.key.pem; # TLS 1.3 only ssl_protocols TLSv1.3; # Cipher Suites (TLS 1.3 default) # ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256; ssl_prefer_server_ciphers off; # OCSP Stapling ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/ca-chain.pem; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; # Security Headers add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "DENY" always; # Session-Konfiguration ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; location / { proxy_pass http://backend:8080; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } }
<VirtualHost *:443> ServerName www.example.com # SSL aktivieren SSLEngine on # Zertifikate SSLCertificateFile /etc/apache2/ssl/server.crt.pem SSLCertificateKeyFile /etc/apache2/ssl/server.key.pem SSLCertificateChainFile /etc/apache2/ssl/intermediate-ca.crt.pem # TLS 1.3 only SSLProtocol -all +TLSv1.3 # OCSP Stapling SSLUseStapling On SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off # HSTS Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" # Compression deaktivieren (BREACH) SSLCompression off <Directory /var/www/html> Options -Indexes +FollowSymLinks AllowOverride All Require all granted </Directory> </VirtualHost>
# Server-Zertifikat + Intermediate = Chain cat server.crt.pem intermediate-ca.crt.pem > server-chain.pem # Reihenfolge prüfen openssl crl2pkcs7 -nocrl -certfile server-chain.pem | openssl pkcs7 -print_certs -noout # Chain validieren openssl verify -CAfile root-ca.crt.pem -untrusted intermediate-ca.crt.pem server.crt.pem
# SSL Labs API (wenn öffentlich) # https://www.ssllabs.com/ssltest/ # Lokaler Test mit OpenSSL openssl s_client -connect localhost:443 -tls1_3 -brief # Cipher Suites prüfen openssl s_client -connect localhost:443 -cipher 'TLS_AES_256_GCM_SHA384' </dev/null # Zertifikatskette prüfen openssl s_client -connect localhost:443 -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout # OCSP Stapling prüfen openssl s_client -connect localhost:443 -status </dev/null 2>/dev/null | grep -A 5 "OCSP Response" # testssl.sh (umfassend) ./testssl.sh localhost:443
public async Task TestTlsConnection(string url) { var handler = new HttpClientHandler { ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { Console.WriteLine($"Server: {cert.Subject}"); Console.WriteLine($"Issuer: {cert.Issuer}"); Console.WriteLine($"Algorithm: {cert.SignatureAlgorithm.FriendlyName}"); Console.WriteLine($"Valid until: {cert.NotAfter}"); if (chain != null) { Console.WriteLine($"Chain length: {chain.ChainElements.Count}"); foreach (var element in chain.ChainElements) { Console.WriteLine($" - {element.Certificate.Subject}"); } } if (errors != SslPolicyErrors.None) { Console.WriteLine($"SSL Errors: {errors}"); return false; } return true; } }; using var client = new HttpClient(handler); var response = await client.GetAsync(url); Console.WriteLine($"Status: {response.StatusCode}"); Console.WriteLine($"Protocol: {response.Version}"); }
| Branche | Min. TLS | Cipher Suites | Besonderheit |
|---|---|---|---|
| PCI-DSS | TLS 1.2+ | Starke Ciphers | Jährliche Prüfung |
| HIPAA | TLS 1.2+ | AES-256 | Audit-Logging |
| BSI TR-02102 | TLS 1.2+ | BSI-konforme Suites | PFS Pflicht |
| Energie/SCADA | TLS 1.2+ | ICS-spezifisch | Langzeit-Support |
| Beziehung | Szenario | Beschreibung |
|---|---|---|
| Voraussetzung | 3.1 Server-Zertifikat | Cert erstellen |
| Nächster Schritt | 10.2 TLS-Client | Client konfigurieren |
| Erweiterung | 10.3 mTLS Deployment | Gegenseitige Auth |
« ← TLS-Übersicht | ↑ Szenarien | 10.2 TLS-Client → »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional