Posts Tagged openssl

http/2.0 sslciphersuites with 256 bit alias crypto wars part five A+ at SSL Test

At Qualys SLL Test labs tests I never had 100% for Key Exchange. Even adding a 4096 Diffie Hellman key did not do the trick.

Now I found adding

SSLOpenSSLConfCmd ECDHParameters secp384r1

to the config from Part 4 does the trick!

Now I can have all your bars on Qualys SSL Test at 100% without having an insane config no client can connect to.

Tags: , , , , , ,

http/2.0 sslciphersuites with 256 bit alias crypto wars part four

To get rid of 128 bit encryption I had to disable

ECDHE-RSA-AES128-GCM-SHA256

But then I got error messages from the popular browsers Server negotiated HTTP/2 with blacklisted suite. That is caused by DHE-RSA-AES256-SHA and ECDHE-RSA-AES256-SHA

With a lof of trial and error I came to the following

Listen 443
<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15553000; preload"
    </IfModule>
</If>

ProtocolsHonorOrder On
Protocols h2c h2 http/1.1

SSLUseStapling off
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256 

However that has the negative effect that Android smaller than 7 and smaller than IE 11 can’t connect to the server. Also some older Firefox versions can’t connect. Depending on the application it might be worth to use such a config that doesn’t allow 128 bit encrypted connections.

Tags: , , ,

apache HTTP Strict Transport Security with long duration

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.
How to achieve apache with a bullet proof SSL config and HTTP Strict Transport Security (HSTS) with long duration
Here is goes

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15553000; includeSubDomains"
</IfModule>
SSLUseStapling on
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

This gives a A+ at Qualys SSL Labs SSL Test.

Tags: ,

Apache defend CRIME Attack TLS / SSL

SSL Tests like https://www.ssllabs.com/ssltest/index.html show a vulnerability against CRIME Attack. To overcome / defend that with apache you can turn off the SSL compression.

SSLCompression off

That makes it easy to defend it.

Tags: , , , ,

Upgrading OpenSSL on Debian 6 (squeeze) or Ubuntu 8.04 (hardy)

The Problem on the long term ubuntu 8.04 and the current stable debian is that they ship the old OpenSSL 0.9.8o With that I wasn’t able to compile the new apache 2.4.1 with all the SSL features I want. Downloading the OpenSSL source and just configure make make install didn’t help at all.

checking whether to enable mod_ssl... checking dependencies 
 checking for OpenSSL... checking for user-provided OpenSSL base directory... none 
 checking for OpenSSL version >= 0.9.7... FAILED 
 configure: WARNING: OpenSSL version is too old 
 no 
 checking whether to enable mod_ssl... configure: error: mod_ssl has been requested but can not be built due to prerequisite failures 
 mario@h2020668:~/apache24/httpd-2.4.1$ openssl version 
 OpenSSL 0.9.8o 01 Jun 2010

The only thing that helped was to use the unix config script plus the right prefix plus the shared option

wget http://openssl.org/source/openssl-1.0.1.tar.gz 
 tar xfz openssl-1.0.1.tar.gz 
 cd openssl-* 
 ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared 
 make 
 sudo make install

 

Debian is very fine, but sometimes it sucks because of the lag of new software versions

Tags: , , , ,

SSH Tunnel Bypassing Transparent proxy using apache

A feature of the apache webserver is that it allows to to create a SSH connection through a transparent proxy / firewall. This is a stealth technic so no one will see it even in a large company network. Only IPoAC is able to interference this.

If you have internet access to port 80 (http) or 443 (https) you can establish a SSH connection to one of that ports. Proxys want the users to surf the web. most of the proxyes will only let their users through the paths they know safe (or whatever filtering their administrators may have set). In the best scenario, the proxy will not allow one particular HTTP method called CONNECT. This method is the one used for SSL / TLS protocol. It establishes a tunneled connection between the client and a remote server, through the proxy server. Since it is used by SSL / TLS, some proxys will let the CONNECT method free to certain sites, and most probably only on port 443.

Apache plus mod_proxy module will let us set up an HTTP server listening on port 80, and at the very same time an HTTP proxy. The proxying part is done by mod_proxy. This module turns Apache into a fully functional HTTP forward-proxy and reverse-proxy. the exciting feature of mod_proxy is its ability to handle the CONNECT method. It will even handle it if the transparent proxy, at the boundaries of our enterprise network, does not allow the CONNECT method. This, because we will talk GET and POST with Apache, the CONNECT thing happens inside Apache, and outside of the control of the enterprise proxy. The end result: we can use the CONNECT method.

Client side

  • SSH Client
  • Proxyclient

server side

  • apache webserver 2.x

This is an example virtual host configuration which I used for testing this implementation.

<VirtualHost *:80>
ServerName proxy.mydomain.com
ProxyRequests On
AllowCONNECT 22

<Proxy *>
Order deny,allow
Deny from all
</Proxy>

<ProxyMatch (host1|host2)\.mydomain\.com>
Order deny,allow
Deny from all
#Now we allow only our IP to access. Note that this IP must be the  public IP address of the enterprise proxy:
Allow from 222.22.22.100
</ProxyMatch>

# This directive enables DNS lookups so that host names can be logged. The  value Double refers to doing double reverse DNS lookup.
#That is, after a  reverse lookup is performed, a forward lookup is then performed on that  result. At least one of the IP addresses in the forward lookup must  match the original address. It is paranoid but is a good security  measure

HostnameLookups Double

ErrorLog /var/log/apache2/proxy.error.log
CustomLog /var/log/apache2/proxy.access.log common
</VirtualHost>

And now, the final step: configure our browser to use 127.0.0.1 on port 8080 as proxy. Finally we can login to our SSH server and try pointing our browser to any website we know blocked by the enterprise transparent proxy!

I know I left the part setting up apache and proxy, but this isn’t a tutorial for noobs ;-)

This is the BEST part of using Apache. You can set it up as normal web server, serving some webpage. This way whoever point to mydomain.com will see a normal and harmless website, and won’t be able to distiguish it from a non-proxying server.

Tags: , , , , , ,

reverse proxy for utorrent

Using the web UI for utorrent is a fine thing. But the webserver from utorrent is not secure. So it is recommend to use apache as reverse proxy. I tried to change the url, but I wasn’t successful.

Here the set up of cause inside a vhost.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so

ProxyPass /gui/ http://localhost/gui/
ProxyPassReverse /gui/ http://localhost/gui/

Tags: , , , , , , ,

compile zlib 1.2.4 on 64 bit Windows command line

nmake -f win32\Makefile.msc

Tags: , , , , , , ,

Archives by Subject:

Archives by Month: