LIBRELAMP SERVER STACK DOCUMENTATION

A publication of Pipfrosch Press
Alice Wonder (Editor and Author Pseudonym)
May 27, 2019

Legal Stuff

The instructions in this document and the software packages referred to are provided AS IS, NO WARRANTY, WITH NO GUARANTEE OF FITNESS FOR USE. Use at your own risk, but I AM NOT LIABLE FOR ANY DAMAGE THAT RESULTS.

That being said, if you do encounter a problem, please contact me and if I have the time, I may be able to help resolve the issue. No guarantees though.

With the exception of the licenses that are included in Part III (page 38) and the UNIX man pages that are included in Part IV (page 74), this documentation is released under the terms of the GNU Free Documentation License (FDL) version 1.3.

© 2019 Michael A. Peters

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and one Back-Cover Text: “Extensive amounts of blood, sweat, tears, and time went into the authoring of this manual. The author as of 2019 is living well below the poverty line. Please consider a financial contribution at https://www.paypal.me/pipfrosch.” (see page 112) A copy of the license is included in the section entitled “GNU Free Documentation License” on page 38.

The man pages in Part IV have authorship and license information included at the end of each man page that is included.

The LaTeX source files for this document are maintained at gitlab (https://gitlab.com/Pipfrosch/librelampdocumentation).

The sections below refer to software included in LibreLAMP.

1. OpenSSL API

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.openssl.org/)

This product includes cryptographic software written by Eric Young ([email protected])

A copy of the OpenSSL license is included in the section entitled “Dual OpenSSL and SSLeay License” on page 46.

2. Apache

This product includes software including but not limited to the Apache Web Server that are licensed under the terms of the Apache 2.0 license. A copy of the Apache 2.0 license is included in the section entitled “Apache 2.0 License” on page 49.

3. MariaDB

This product includes software including but not limited to the MariaDB database server that are licensed under the terms of the GNU General Public License (GPL) version 2.0. A copy of the GNU GPL 2.0 is included in the section entitled “GNU General Public License version 2.0” on page 54.

This product includes software libraries including but not limited to the MariaDB C Client library that are licensed under the terms of the GNU Lesser General Public License (LGPL) version 2.1. A copy of the GNU LGPL 2.1 is included in the section entitled “GNU Lesser General Public License version 2.1” on page 62.

4. PHP

This product includes PHP software, freely available from https://www.php.net/software/

PHP is licensed under the terms of The PHP License, version 3.01. A copy of The PHP License, version 3.01 is included in the section entitled “The PHP License, version 3.01” on page 71.

Contents

Legal Stuff ... ii
    1. OpenSSL API ... ii
    2. Apache ... iii
    3. MariaDB ... iii
    4. PHP ... iii

1. Introduction ... 1
    1.1. Software Version Philosophy ... 2
    1.2. FIPS Disclosure ... 3
    1.3. TLS 1.3 Disclosure ... 3
    1.4. System Libraries ... 4
    1.5. GnuTLS ... 4
    1.6. Mail Stack ... 5
    1.7. DNS Stack ... 5
    1.8. Other Servers ... 6

2. LibreLAMP Installation ... 7
    2.1. Enable EPEL ... 7
    2.2. Install HAVEGED (optional) ... 7
    2.3. Backup and Stop MariaDB ... 8
    2.4. Install LibreLAMP ... 8
        2.4.1. YUM Bug Note ... 8

I. Apache Web Server ... 10

3. Basic Apache Setup and Configuration ... 11
    3.1. Apache Install ... 11
    3.2. IP Network Note ... 11
    3.3. Webmaster Account ... 12
    3.4. OCSP Stapling ... 12
    3.5. Create the Document Root ... 13
    3.6. Virtual Host Configuration ... 14
        3.6.1. Port 80 Redirects ... 15
        3.6.2. Port 443 Redirects ... 15
    3.7. Live Server Virtual Host ... 16

4. Apache and TLS (SSL) ... 18
    4.1. Server Certificate ... 18
        4.1.1. Server Private Key Generation ... 19
        4.1.2. Server CSR Generation ... 20
    4.2. Cipher Suite Configuration ... 23
        4.2.1. The Cipher Spec ... 24
        4.2.2. Key Exchange ... 25
        4.2.3. Cipher Choice ... 27
        4.2.4. Authenticated Encryption with Associated Data (AEAD) ... 28
        4.2.5. Cipher Block Size ... 30
        4.2.6. Alice’s Recommended Cipher Spec ... 30
    4.3. Strict Transport Security ... 31
        4.3.1. The max-age Parameter ... 32
        4.3.2. The Optional includeSubdomains Parameter ... 32
        4.3.3. The Optional preload Parameter ... 32
    4.4. TLDR Nutshell Bullet List ... 33

II. General Appendices ... 34

A. 128-bit Block Ciphers ... 35

III. Licenses ... 37

GNU Free Documentation License ... 38
    1. APPLICABILITY AND DEFINITIONS ... 38
    2. VERBATIM COPYING ... 40
    3. COPYING IN QUANTITY ... 40
    4. MODIFICATIONS ... 40
    5. COMBINING DOCUMENTS ... 42
    6. COLLECTIONS OF DOCUMENTS ... 43
    7. AGGREGATION WITH INDEPENDENT WORKS ... 43
    8. TRANSLATION ... 43
    9. TERMINATION ... 44
    10. FUTURE REVISIONS OF THIS LICENSE ... 44
    11. RELICENSING ... 44
    ADDENDUM: How to use this License for your documents ... 45

Dual OpenSSL and SSLeay License ... 46
    LICENSE ISSUES ... 46
    OpenSSL License ... 46
    Original SSLeay License ... 47

Apache 2.0 License ... 49
    1. Definitions ... 49
    2. Grant of Copyright License ... 50
    3. Grant of Patent License ... 50
    4. Redistribution ... 50
    5. Submission of Contributions ... 51
    6. Trademarks ... 51
    7. Disclaimer of Warranty ... 52
    8. Limitation of Liability ... 52
    9. Accepting Warranty or Additional Liability ... 52
    APPENDIX: How to apply the Apache License to your work ... 53

GNU General Public License version 2.0 ... 54
    Terms and Conditions For Copying, Distribution and Modification ... 55
    Appendix: How to Apply These Terms to Your New Programs ... 60

GNU Lesser General Public License version 2.1 ... 62
    Terms and Conditions For Copying, Distribution and Modification ... 63
    How to Apply These Terms to Your New Libraries ... 70

The PHP License, version 3.01 ... 71

IV. Man Pages ... 73

B. LibreSSL configuration files ... 75
    B.1. DESCRIPTION ... 75
    B.2. OPENSSL LIBRARY CONFIGURATION ... 76
        B.2.1. ASN1 Object Configuration Module ... 76
        B.2.2. Engine Configuration Module ... 77
    B.3. FILES ... 78
    B.4. EXAMPLES ... 78
    B.5. SEE ALSO ... 80
    B.6. CAVEATS ... 80
    B.7. BUGS ... 81
    B.8. Man Page Notes and Legal ... 81

C. X.509 V3 certificate extension configuration format ... 83
    C.1. DESCRIPTION ... 83
    C.2. STANDARD EXTENSIONS ... 84
        C.2.1. Basic constraints ... 84
        C.2.2. Key usage ... 84
        C.2.3. Extended key usage ... 84
        C.2.4. Subject key identifier ... 85
        C.2.5. Authority key identifier ... 85
        C.2.6. Subject alternative name ... 86
        C.2.7. Issuer alternative name ... 86
        C.2.8. Authority info access ... 87
        C.2.9. CRL distribution points ... 87
        C.2.10. Issuing distribution point ... 88
        C.2.11. Certificate policies ... 88
        C.2.12. Policy constraints ... 89
        C.2.13. Inhibit any policy ... 90
        C.2.14. Name constraints ... 90
        C.2.15. OCSP no check