http/2.0 sslciphersuites with 256 bit alias crypto wars part four

To get rid of 128 bit encryption I had to disable

ECDHE-RSA-AES128-GCM-SHA256

But then I got error messages from the popular browsers Server negotiated HTTP/2 with blacklisted suite. That is caused by DHE-RSA-AES256-SHA and ECDHE-RSA-AES256-SHA

With a lof of trial and error I came to the following

Listen 443
<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15553000; preload"
    </IfModule>
</If>

ProtocolsHonorOrder On
Protocols h2c h2 http/1.1

SSLUseStapling off
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256 

However that has the negative effect that Android smaller than 7 and smaller than IE 11 can’t connect to the server. Also some older Firefox versions can’t connect. Depending on the application it might be worth to use such a config that doesn’t allow 128 bit encrypted connections.

Tags: , , ,

How to change the timzone of all mailboxes / accounts in AzureAD

How to change the timzone of all mailboxes / accounts in AzureAD

run PowerShell as Adminsitrator (use this window for all steps)
1) Allow remote signed Scripts

Set-ExecutionPolicy RemoteSigned

2) Log into AzureAD with an Adminsitrator account

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication Basic -AllowRedirection

3) Import remote commands (ignore warnings)

Import-PSSession $session

4) get all mail boxes

get-mailbox

5) Set the timezone ( you could set the language, too)

example
get-mailbox | Set-MailboxRegionalConfiguration -Language  -TimeZone

The Language ID is a number that corresponds to the correct language type. The following table shows you which number corresponds to which language.
Language (Locale)     Code
Arabic (Algeria)     5121
Arabic (Bahrain)     15361
Arabic (Egypt)     3073
Arabic (Iraq)     2049
Arabic (Jordan)     11265
Arabic (Kuwait)     13313
Arabic (Lebanon)     12289
Arabic (Libya)     4097
Arabic (Morocco)     6145
Arabic (Oman)     8193
Arabic (Qatar)     16385
Arabic (Saudi Arabia)     1025
Arabic (Syria)     10241
Arabic (Tunisia)     7169
Arabic (U.A.E.)     14337
Arabic (Yemen)     9217
Basque     1069
Bulgarian     1026
Catalan     1027
Chinese (Hong Kong S.A.R)     3076
Chinese (Macau S.A.R)     5124
Chinese (People’s Republic of China)     2052
Chinese (Singapore)     4100
Chinese (Taiwan)     1028
Croatian     1050
Czech     1029
Danish     1030
Dutch (Belgium)     2067
Dutch (Netherlands)     1043
English (Australia)     3081
English (Belize)     10249
English (Canada)     4105
English (Caribbean)     9225
English (Ireland)     6153
English (Jamaica)     8201
English (New Zealand)     5129
English (Republic of the Philippines)     13321
English (South Africa)     7177
English (Trinidad)     11273
English (United Kingdom)     2057
English (United States)     1033
English (Zimbabwe)     12297
Estonian     1061
Filipino (Philippines)     1124
Finnish     1035
French (Belgium)     2060
French (Canada)     3084
French (France)     1036
French (Luxembourg)     5132
French (Principality of Monaco)     6156
French (Switzerland)     4108
German (Austria)     3079
German (Germany)     1031
German (Liechtenstein)     5127
German (Luxembourg)     4103
German (Switzerland)     2055
Greek     1032
Hebrew     1037
Hindi     1081
Hungarian     1038
Icelandic     1039
Indonesian     1057
Italian (Italy)     1040
Italian (Switzerland)     2064
Japanese     1041
Kazakh     1087
Korean     1042
Latvian     1062
Lithuanian     1063
Malay     1086
Norwegian (Bokmål)     1044
Persian     1065
Polish     1045
Portuguese (Brazil)     1046
Portuguese (Portugal)     2070
Romanian     1048
Russian     1049
Serbian (Cyrillic)     3098
Serbian (Latin)     2074
Slovak     1051
Slovenian     1060
Spanish (Argentina)     11274
Spanish (Bolivia)     16394
Spanish (Chile)     13322
Spanish (Colombia)     9226
Spanish (Costa Rica)     5130
Spanish (Dominican Republic)     7178
Spanish (Ecuador)     12298
Spanish (El Salvador)     17418
Spanish (Guatemala)     4106
Spanish (Honduras)     18442
Spanish (Mexico)     2058
Spanish (Nicaragua)     19466
Spanish (Panama)     6154
Spanish (Paraguay)     15370
Spanish (Peru)     10250
Spanish (Puerto Rico)     20490
Spanish (International Sort)     3082
Spanish (Traditional Sort)     1034
Spanish (Uruguay)     14346
Spanish (Venezuela)     8202
Swedish (Finland)     2077
Swedish (Sweden)     1053
Thai     1054
Turkish     1055
Ukrainian     1058
Urdu     1056
Vietnamese     1066

The TimeZone consists of a String representing the time zone.  Use the value from the middle column of the table below:

Index     Name of Time Zone     Time
000     Dateline Standard Time     (GMT-12:00) International Date Line West
001     Samoa Standard Time     (GMT-11:00) Midway Island, Samoa
002     Hawaiian Standard Time     (GMT-10:00) Hawaii
003     Alaskan Standard Time     (GMT-09:00) Alaska
004     Pacific Standard Time     (GMT-08:00) Pacific Time (US and Canada); Tijuana
010     Mountain Standard Time     (GMT-07:00) Mountain Time (US and Canada)
013     Mexico Standard Time 2     (GMT-07:00) Chihuahua, La Paz, Mazatlan
015     U.S. Mountain Standard Time     (GMT-07:00) Arizona
020     Central Standard Time     (GMT-06:00) Central Time (US and Canada
025     Canada Central Standard Time     (GMT-06:00) Saskatchewan
030     Mexico Standard Time     (GMT-06:00) Guadalajara, Mexico City, Monterrey
033     Central America Standard Time     (GMT-06:00) Central America
035     Eastern Standard Time     (GMT-05:00) Eastern Time (US and Canada)
040     U.S. Eastern Standard Time     (GMT-05:00) Indiana (East)
045     S.A. Pacific Standard Time     (GMT-05:00) Bogota, Lima, Quito
050     Atlantic Standard Time     (GMT-04:00) Atlantic Time (Canada)
055     S.A. Western Standard Time     (GMT-04:00) Caracas, La Paz
056     Pacific S.A. Standard Time     (GMT-04:00) Santiago
060     Newfoundland and Labrador Standard Time     (GMT-03:30) Newfoundland and Labrador
065     E. South America Standard Time     (GMT-03:00) Brasilia
070     S.A. Eastern Standard Time     (GMT-03:00) Buenos Aires, Georgetown
073     Greenland Standard Time     (GMT-03:00) Greenland
075     Mid-Atlantic Standard Time     (GMT-02:00) Mid-Atlantic
080     Azores Standard Time     (GMT-01:00) Azores
083     Cape Verde Standard Time     (GMT-01:00) Cape Verde Islands
085     GMT Standard Time     (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London
090     Greenwich Standard Time     (GMT) Casablanca, Monrovia
095     Central Europe Standard Time     (GMT+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
100     Central European Standard Time     (GMT+01:00) Sarajevo, Skopje, Warsaw, Zagreb
105     Romance Standard Time     (GMT+01:00) Brussels, Copenhagen, Madrid, Paris
110     W. Europe Standard Time     (GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
113     W. Central Africa Standard Time     (GMT+01:00) West Central Africa
115     E. Europe Standard Time     (GMT+02:00) Bucharest
120     Egypt Standard Time     (GMT+02:00) Cairo
125     FLE Standard Time     (GMT+02:00) Helsinki, Kiev, Riga, Sofia, Tallinn, Vilnius
130     GTB Standard Time     (GMT+02:00) Athens, Istanbul, Minsk
135     Israel Standard Time     (GMT+02:00) Jerusalem
140     South Africa Standard Time     (GMT+02:00) Harare, Pretoria
145     Russian Standard Time     (GMT+03:00) Moscow, St. Petersburg, Volgograd
150     Arab Standard Time     (GMT+03:00) Kuwait, Riyadh
155     E. Africa Standard Time     (GMT+03:00) Nairobi
158     Arabic Standard Time     (GMT+03:00) Baghdad
160     Iran Standard Time     (GMT+03:30) Tehran
165     Arabian Standard Time     (GMT+04:00) Abu Dhabi, Muscat
170     Caucasus Standard Time     (GMT+04:00) Baku, Tbilisi, Yerevan
175     Transitional Islamic State of Afghanistan Standard Time     (GMT+04:30) Kabul
180     Ekaterinburg Standard Time     (GMT+05:00) Ekaterinburg
185     West Asia Standard Time     (GMT+05:00) Islamabad, Karachi, Tashkent
190     India Standard Time     (GMT+05:30) Chennai, Kolkata, Mumbai, New Delhi
193     Nepal Standard Time     (GMT+05:45) Kathmandu
195     Central Asia Standard Time     (GMT+06:00) Astana, Dhaka
200     Sri Lanka Standard Time     (GMT+06:00) Sri Jayawardenepura
201     N. Central Asia Standard Time     (GMT+06:00) Almaty, Novosibirsk
203     Myanmar Standard Time     (GMT+06:30) Yangon Rangoon
205     S.E. Asia Standard Time     (GMT+07:00) Bangkok, Hanoi, Jakarta
207     North Asia Standard Time     (GMT+07:00) Krasnoyarsk
210     China Standard Time     (GMT+08:00) Beijing, Chongqing, Hong Kong SAR, Urumqi
215     Singapore Standard Time     (GMT+08:00) Kuala Lumpur, Singapore
220     Taipei Standard Time     (GMT+08:00) Taipei
225     W. Australia Standard Time     (GMT+08:00) Perth
227     North Asia East Standard Time     (GMT+08:00) Irkutsk, Ulaanbaatar
230     Korea Standard Time     (GMT+09:00) Seoul
235     Tokyo Standard Time     (GMT+09:00) Osaka, Sapporo, Tokyo
240     Yakutsk Standard Time     (GMT+09:00) Yakutsk
245     A.U.S. Central Standard Time     (GMT+09:30) Darwin
250     Cen. Australia Standard Time     (GMT+09:30) Adelaide
255     A.U.S. Eastern Standard Time     (GMT+10:00) Canberra, Melbourne, Sydney
260     E. Australia Standard Time     (GMT+10:00) Brisbane
265     Tasmania Standard Time     (GMT+10:00) Hobart
270     Vladivostok Standard Time     (GMT+10:00) Vladivostok
275     West Pacific Standard Time     (GMT+10:00) Guam, Port Moresby
280     Central Pacific Standard Time     (GMT+11:00) Magadan, Solomon Islands, New Caledonia
285     Fiji Islands Standard Time     (GMT+12:00) Fiji Islands, Kamchatka, Marshall Islands
290     New Zealand Standard Time     (GMT+12:00) Auckland, Wellington
300     Tonga Standard Time     (GMT+13:00) Nuku’alofa

In the Example below we will set all mailboxes in our Office 365 Tenant to the Language English (UK) and the GMT Time Zone.

get-mailbox | Set-MailboxRegionalConfiguration -Language 2057 -TimeZone "GMT Standard Time"

Get only the aliases with

select -expand emailaddresses alias

Final To German Timezone

get-mailbox | select -expand Alias | Set-MailboxRegionalConfiguration -TimeZone "W. Europe Standard Time"
Get-User | Get-Mailbox

Tags: , , , , ,

Things to know about nano editor

Open nano with

nano -wcF

ALT + G = Goto Line Number
CTRL + R = Insert File
CTRL + W = Search String or by RegEx
ALT + R = Replace string or Replace by RegEx
ALT + , = Goto previous buffer
ALT + . Goto next Buffer

Windows Domain: what computer user is logged in

Open a PowerShell on the Domain Controller:

Get-WmiObject -computer localhost -class Win32_ServerConnection

Done

http/2.0 sslciphersuites alias crypto wars part three

It has been a while since I wrote part two of the crypto wars. Luckily Peter Mosmans has backported ChaCha20 and Poly1305 ciphers of OpenSSL 1.1.0 to 1.0.2 on github so that at least Chrome browser can use 256 bit encryption over HTTP/2

However on the httpd dev mailing list there are a few people already talking about making changes to APR and httpd so that it will compile with OpenSSL 1.1.0

The config for that is:

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 
SSLCompression Off 
SSLHonorCipherOrder On 
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA

Why 256 bit? 128 bit hasn’t been cracked yet. The answer is that the collection of data and the data will decrypted when the time has come with a new generation of computers.

http/2.0 sslciphersuites alias crypto wars part two

With the upcoming mod_h2 the httpd apache module for HTTP/2.0 support there is a must to have ECDHE-RSA-AES128-GCM-SHA256 in the SSLCipherSuite[1]. So SSLHonorCipherOrder Off can’t be used. That leaves the connection with only 128 bit encryption instead of 256 bit.

My hope is that the browsers will support soon a 256 Cipher

 

[1] https://http2.github.io/http2-spec/#rfc.section.9.2.2

Apache 2.4 Disallow access to a certain location if a query string is set

Disallow access / require an IP to a certain location if a query string is set

 <LocationMatch ^/test.php>
        <If "%{QUERY_STRING} =~ /action=login/">
            Require ip 192.168.178.100
        </If>
    </LocationMatch>

http://localhost/test.php works for everyone.

http://localhost/test.php?action=login works only for the ip 192.168.178.100

The “new” Apache 2.4 is different if you compare it to the 2.2 version of things. But once you understand it, it makes things easier and more readable. With 2.2 you would have needed more lines and mod_rewrite to get that working. See also Apache 2.4.x Better than rewriting

SSLCipherSuite alias crypto wars

Choosing the correct SSL cipher can be very difficult. Having the best encryption, still fast, having a “Modern compatibility”.

 

The current best solustion is with all browsers to have 256 bit encryption ( Chrome is currently the only browser that uses only 128 bit with this config).
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

— Edit —

Chrome might barf about a not modern config, hoever the encryption is not 256 in all cases. That is why I switched back to

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

debian boots into uefi shell

Today one of my linux servers did not boot. Instead there was a grub uefi shell. Typing the help command listed a bunch of commands in dark blue on a dark grey. Not easy to read. Trying to use the gui did not solve the problem. Resetting the config did also not help. Some forum posts said to create a symlink to the efi file. My issue was that /boot/efi is a separate partion due btrfs on the my system.

What did work was using the command line to add the efi again.

bcfg boot add 0 fs0:\EFI\debian\grubx64.efi "Debian"

However writing in english mode on a german style keyboard is often “times of wonder”. Use # ( hash) for the backslash and ä for the quotes. I still wonder why I have to use a backslash on a linux system…

Tags: ,

You Know You’re a ChileHead if

  1. You don’t have to worry about your roommates stealing your food
  2. Your toilet paper spontaneously combusts after use
  3. You’re tired of people asking about those dried Thai peppers floating around in your breakfast cereal.
  4. More than half of the souvenirs from that last tropical vacation were hot sauces and spices
  5. You never go in to a food store without checking the price, or selection of hot peppers and hot sauces.
  6. The door of your refrigerator has more than ten bottles of hot sauce.
  7. The sissy salsa you made, accidentally, seems to set most of your coworkers on fire.
  8. “Ring of fire” and “burns twice” actually mean something to you.
  9. You have ever sent/received contraband Chile seeds from a foreign country
  10. you sweat, even in the middle of winter.
  11. You carry one of those little Tabasco bottles around with you. Just in case.
  12. When cooking, you often start sneezing. Just because.