Unable to negotiate with 1.2.3.4 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

While trying to connect to an older esxi server I got the error message Unable to negotiate with 1.2.3.4 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

I was wondering.

The solution $EDITOR ~/.ssh/config

Host 1.2.3.4
    User root
    HostKeyAlgorithms=+ssh-dss

http/2.0 sslciphersuites with 256 bit alias crypto wars part eight TLSv1.3

Now with the release of Apache 2.4.37 it supports TLSv1.3 (with OpenSSL 1.1.1). Before is was possible to compile Apache against OpenSSL 1.1.1 but it had no effect compared to OpenSSL 1.1.0

There are some advantages using TLS 1.3. it comes with Zero Round Trip Time (0-RTT). Explained simply, with TLS 1.2, two round-trips had been needed to complete the TLS handshake. With TLSv1.3, it requires only one round-trip, which in turn cuts the encryption latency in half. It feels faster.

At the moment only Chrome and Firefox support TLS 1.3. But I think other browser will follow soon.

This requires Apache 2.4.37 or better and OpenSSL 1.1.1 or better. Note that there are now two different directives for SSLCipherSuite. Also new is that the names for the Ciphers for TLS 1.3 are  directly taken from the OpenSSL internal naming. This is different compared to the old way in apache. Only two ciphers that are allowed for TLSv1.3 support 256 bit encryption that is why I chose those.

Listen 443
<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; preload"
</IfModule>
</If>

ProtocolsHonorOrder On
Protocols h2c h2 http/1.1

TraceEnable Off

SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd DHParameters "/opt/apache2/conf/dh4096.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1

H2Direct On

Sadly not OS Distributions support the last OpenSSL version or that TLv1.3 version has been backported or it has been patched, but apache shows still an older version number.

http/2.0 sslciphersuites with 256 bit alias crypto wars part four

To get rid of 128 bit encryption I had to disable

ECDHE-RSA-AES128-GCM-SHA256

But then I got error messages from the popular browsers Server negotiated HTTP/2 with blacklisted suite. That is caused by DHE-RSA-AES256-SHA and ECDHE-RSA-AES256-SHA

With a lof of trial and error I came to the following

Listen 443
<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15553000; preload"
    </IfModule>
</If>

ProtocolsHonorOrder On
Protocols h2c h2 http/1.1

SSLUseStapling off
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256 

However that has the negative effect that Android smaller than 7 and smaller than IE 11 can’t connect to the server. Also some older Firefox versions can’t connect. Depending on the application it might be worth to use such a config that doesn’t allow 128 bit encrypted connections.

PHP crypt command line

crypt

#!/usr/bin/php
< ?php
require "crypt.php";

$type = $argv['1'];
$string = $argv['2'];
$key = $argv['3'];
if($type !='' &&  $string != '' && $key != ''){
        if($type=="e"){
                echo encrypt($string,$key);
                echo "\n";
        }
        elseif($type=="d")
        {
                echo decrypt($string,$key);
                echo "\n";
        }
        else
        {
                die('WRONG TYPE');
        }
}
else
{
        echo 'crypt TYPE STRING KEY';
        echo "\n\n";
        echo "TYPE:\n";
        echo "e encrypt\n";
        echo "d decrypt\n";
        echo "\n\n";
        echo "STRING Your string\n";
        echo "KEY Crypt key\n\n";
}
?>

crypt.php

< ?php
/**
 * encrypt()
 *
 * @param mixed $string
 * @param mixed $key
 * @return mixed $retrun
 */
function encrypt($string, $key){

        $result = '';
        $lentgh = strlen($string);
        for($i = 0; $i < $lentgh; $i++) {
                $char = substr($string, $i, 1);
                $keychar = substr($key, ($i % strlen($key))-1, 1);
                $char = chr(ord($char) + ord($keychar));
                $result .= $char;
        }

        return base64_encode($result);
}

/**
 * decrypt()
 *
 * @param mixed $string
 * @param mixed $key
 * @return mixed $return
 */
function decrypt($string, $key){

        $result = '';
        $string = base64_decode($string);
        $lentgh = strlen($string);

        for($i = 0; $i < $lentgh; $i++) {
                $char = substr($string, $i, 1);
                $keychar = substr($key, ($i % strlen($key))-1, 1);
                $char = chr(ord($char) - ord($keychar));
                $result .= $char;
        }

        return $result;
}
?>

Posts Tagged encrypt

Archives by Month: