http/2.0 sslciphersuites with 256 bit alias crypto wars part six meeting HIPAA

The chosen SSL config was very good! But for a client I had to meet the specs from PCI DSS[1], HIPAA[2] and NIST[3].
The server was already PCI DSS ready. However, since it holds medical data, it had to meet HIPAA too.

It turned out that HIPAA does not allow the nice CHACHA20-POLY1305 ciphers, and I had to enable SSLStaplingCache, which I had turned off when I used StartSSL certs because of the timeouts / outages of the OCSP response server from StartSSL.

<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15553000; preload"
    </IfModule>
</If>
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1

H2Direct On

I still get an A+ on SSL Labs and all green lights on the HTBridge SSL test.

[1] Payment Card Industry Data Security Standard
[2] Health Insurance Portability and Accountability Act
[3] National Institute of Standards and Technology

Access Controller for Apache 2.2 and 2.4 in one. Migrate httpd Apache config

Even though Apache 2.4 has been available for a long time, switching configs can still be a problem. It might be easy in the config files themselves, but inside code it can be harder, since that code might have to work on both versions. Developers often use .htaccess files. That is not recommended for performance, but it is a quick and easy way for testing and development.
One solution is a .htaccess file that supports both versions. The <IfVersion> blocks come from mod_version, so make sure that module is available on both versions.

<IfVersion < 2.4>
    order allow,deny
    deny from all
</IfVersion>
<IfVersion >= 2.4>
    Require all denied
</IfVersion>

http/2.0 sslciphersuites with 256 bit alias crypto wars part five A+ at SSL Test

In the Qualys SSL Labs test I never got 100% for Key Exchange. Even adding a 4096 bit Diffie-Hellman key did not do the trick.

Now I found that adding

SSLOpenSSLConfCmd ECDHParameters secp384r1

to the config from Part 4 does the trick!

Now I can have all bars on the Qualys SSL Test at 100% without having an insane config that no client can connect to.

Office 365 get users last password change

This requires admin access to Azure / Office 365.

Import-Module MSOnline

$login = Get-Credential
Connect-MsolService -Credential $login

Get-MSOLUser -All | Select DisplayName, UserPrincipalName, LastPasswordChangeTimestamp, PasswordNeverExpires | Sort-Object LastPasswordChangeTimestamp

Note: You must have the PowerShell Azure Active Directory (MSOL) cmdlets installed for this script to work. You can download them here:

https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx?f=255&MSPPError=-2147217396

Fun with windows subsystem for linux Part 2

After upgrading Windows with the Creators Update I was able to do a sudo do-release-upgrade and am now running Xenial on the Windows Subsystem for Linux. Microsoft has improved a lot of things in Bash on Ubuntu on Windows. I am now able to run php-cgi over mod_fcgid.

Maybe I should do some benchmarking to see how Apache performs compared to the plain / native Windows Apache binaries.

Fun with windows subsystem for linux

After the install and the required reboot I was able to start bash. At first I was confused about where to find the files from the home directory. It isn't the one from Windows itself.
Well, I found it in AppData\Local\lxss. So each user has his / her own files.

Since I was able to find most of the stuff, I wanted to know whether I could compile httpd Apache on it. I cloned https://github.com/jblond/debian_build_apache24.git and the build went smoothly.
But Apache didn't start. Adding AcceptFilter http none and AcceptFilter https none helped to get rid of the first error messages. But Apache still wasn't starting. I got the following error message.

[Tue Jan 24 22:31:33.590385 2017] [fcgid:emerg] [pid 1289:tid 140034843477824] (38)Function not implemented: mod_fcgid: Can't create shared memory for size 1200712 bytes

Okay, I disabled mod_fcgid and Apache starts with /opt/apache2/bin/httpd -k start. Even running bash.exe ~ as Administrator did not get fcgid to run.
I still have to find out how to run mod_fcgid. I like to run PHP over fcgid.

http/2.0 sslciphersuites with 256 bit alias crypto wars part four

To get rid of 128 bit encryption I had to disable

ECDHE-RSA-AES128-GCM-SHA256

But then I got error messages from the popular browsers: Server negotiated HTTP/2 with blacklisted suite. That is caused by DHE-RSA-AES256-SHA and ECDHE-RSA-AES256-SHA.

With a lot of trial and error I came to the following

Listen 443
<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15553000; preload"
    </IfModule>
</If>

ProtocolsHonorOrder On
Protocols h2c h2 http/1.1

SSLUseStapling off
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256 

However, that has the negative effect that Android older than 7 and IE older than 11 can't connect to the server. Some older Firefox versions can't connect either. Depending on the application it might be worth using such a config that doesn't allow 128 bit encrypted connections.
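The two cipher lists above (Part 6 and Part 4) can be checked against the rules these posts run into: no 128 bit suites, forward secrecy, the HTTP/2 black list behind the "blacklisted suite" error, and the HIPAA profile without CHACHA20-POLY1305. The following Python lint is an added example, not code from the blog; the rule tags and the "non-AEAD or non-ephemeral means black-listed" reading of RFC 7540 Appendix A are my own, and suite names are assumed to be in OpenSSL form.

```python
"""Lint an Apache SSLCipherSuite value against the rules these posts run into:
256-bit only, forward secrecy, the HTTP/2 cipher black list (RFC 7540 App. A:
non-AEAD or non-ephemeral suites) and a HIPAA profile without CHACHA20-POLY1305."""
EPHEMERAL = ("ECDHE", "DHE")

def parse_suite(name):
    """Split an OpenSSL-style suite name into key exchange, cipher, bits, AEAD."""
    parts = name.split("-")
    if parts[0] in EPHEMERAL:
        kx, rest = parts[0], parts[2:]      # ECDHE-RSA-AES256-GCM-SHA384
    else:
        kx, rest = "RSA", parts             # AES256-SHA: static RSA key exchange
    cipher = rest[0]
    if cipher.startswith("AES"):
        bits, aead = int(cipher[3:]), "GCM" in rest
    elif cipher == "CHACHA20":
        bits, aead = 256, True              # CHACHA20-POLY1305 is a 256-bit AEAD
    else:
        bits, aead = 0, False               # RC4, 3DES, NULL ...: neither
    return {"name": name, "kx": kx, "cipher": cipher, "bits": bits, "aead": aead}

def lint(suite_string, allow_chacha=True):
    """Map every suite in the list to the policy rules it breaks (empty = fine)."""
    findings = {}
    for name in suite_string.split(":"):
        s = parse_suite(name)
        broken = []
        if s["bits"] < 256:
            broken.append("128-bit")            # Part 4: drop AES128
        if s["kx"] not in EPHEMERAL:
            broken.append("no-forward-secrecy")
        if not s["aead"] or s["kx"] not in EPHEMERAL:
            broken.append("h2-blacklist")       # "negotiated HTTP/2 with blacklisted suite"
        if s["cipher"] == "CHACHA20" and not allow_chacha:
            broken.append("chacha20")           # Part 6: HIPAA profile
        findings[name] = broken
    return findings

def compliant(suite_string, allow_chacha=True):
    """The same list with every offending suite removed, server order kept."""
    return ":".join(n for n, b in lint(suite_string, allow_chacha).items() if not b)

# Cipher lists copied from the Part 4 and Part 6 configs above.
PART4 = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:"
         "ECDHE-RSA-AES256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256")
PART6 = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
         "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA")

if __name__ == "__main__":
    print(compliant(PART6, allow_chacha=False))  # ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
```

With allow_chacha=False the Part 6 list still yields a chacha20 finding for ECDHE-ECDSA-CHACHA20-POLY1305, which remains in that config (it cannot be negotiated with an RSA-only certificate, but removing it keeps the policy clean). The CBC suites are reported as h2-blacklist even though SSLHonorCipherOrder On puts the GCM suites first, so HTTP/2 clients never reach them.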

How to change the timezone of all mailboxes / accounts in AzureAD

Run PowerShell as Administrator (use this window for all steps)
1) Allow remote signed scripts

Set-ExecutionPolicy RemoteSigned

2) Log into Azure AD with an Administrator account

$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication Basic -AllowRedirection

3) Import the remote commands (ignore warnings)

Import-PSSession $session

4) Get all mailboxes

get-mailbox

5) Set the timezone (you could set the language, too)

Example (fill in a language ID and a time zone name from the tables below)
get-mailbox | Set-MailboxRegionalConfiguration -Language <LanguageID> -TimeZone "<TimeZoneName>"

In the example below we set all mailboxes in our Office 365 tenant to the language English (UK) and the GMT time zone.

get-mailbox | Set-MailboxRegionalConfiguration -Language 2057 -TimeZone "GMT Standard Time"

Get only the aliases with

select -expand emailaddresses alias

Finally, to the German time zone

get-mailbox | select -expand Alias | Set-MailboxRegionalConfiguration -TimeZone "W. Europe Standard Time"
Get-User | Get-Mailbox

The Language ID is a number that corresponds to the correct language type. The following table shows you which number corresponds to which language.
Language (Locale)     Code
Arabic (Algeria)     5121
Arabic (Bahrain)     15361
Arabic (Egypt)     3073
Arabic (Iraq)     2049
Arabic (Jordan)     11265
Arabic (Kuwait)     13313
Arabic (Lebanon)     12289
Arabic (Libya)     4097
Arabic (Morocco)     6145
Arabic (Oman)     8193
Arabic (Qatar)     16385
Arabic (Saudi Arabia)     1025
Arabic (Syria)     10241
Arabic (Tunisia)     7169
Arabic (U.A.E.)     14337
Arabic (Yemen)     9217
Basque     1069
Bulgarian     1026
Catalan     1027
Chinese (Hong Kong S.A.R)     3076
Chinese (Macau S.A.R)     5124
Chinese (People’s Republic of China)     2052
Chinese (Singapore)     4100
Chinese (Taiwan)     1028
Croatian     1050
Czech     1029
Danish     1030
Dutch (Belgium)     2067
Dutch (Netherlands)     1043
English (Australia)     3081
English (Belize)     10249
English (Canada)     4105
English (Caribbean)     9225
English (Ireland)     6153
English (Jamaica)     8201
English (New Zealand)     5129
English (Republic of the Philippines)     13321
English (South Africa)     7177
English (Trinidad)     11273
English (United Kingdom)     2057
English (United States)     1033
English (Zimbabwe)     12297
Estonian     1061
Filipino (Philippines)     1124
Finnish     1035
French (Belgium)     2060
French (Canada)     3084
French (France)     1036
French (Luxembourg)     5132
French (Principality of Monaco)     6156
French (Switzerland)     4108
German (Austria)     3079
German (Germany)     1031
German (Liechtenstein)     5127
German (Luxembourg)     4103
German (Switzerland)     2055
Greek     1032
Hebrew     1037
Hindi     1081
Hungarian     1038
Icelandic     1039
Indonesian     1057
Italian (Italy)     1040
Italian (Switzerland)     2064
Japanese     1041
Kazakh     1087
Korean     1042
Latvian     1062
Lithuanian     1063
Malay     1086
Norwegian (Bokmål)     1044
Persian     1065
Polish     1045
Portuguese (Brazil)     1046
Portuguese (Portugal)     2070
Romanian     1048
Russian     1049
Serbian (Cyrillic)     3098
Serbian (Latin)     2074
Slovak     1051
Slovenian     1060
Spanish (Argentina)     11274
Spanish (Bolivia)     16394
Spanish (Chile)     13322
Spanish (Colombia)     9226
Spanish (Costa Rica)     5130
Spanish (Dominican Republic)     7178
Spanish (Ecuador)     12298
Spanish (El Salvador)     17418
Spanish (Guatemala)     4106
Spanish (Honduras)     18442
Spanish (Mexico)     2058
Spanish (Nicaragua)     19466
Spanish (Panama)     6154
Spanish (Paraguay)     15370
Spanish (Peru)     10250
Spanish (Puerto Rico)     20490
Spanish (International Sort)     3082
Spanish (Traditional Sort)     1034
Spanish (Uruguay)     14346
Spanish (Venezuela)     8202
Swedish (Finland)     2077
Swedish (Sweden)     1053
Thai     1054
Turkish     1055
Ukrainian     1058
Urdu     1056
Vietnamese     1066

The TimeZone is a string naming the time zone. Use the value from the middle column of the table below:

Index     Name of Time Zone     Time
000     Dateline Standard Time     (GMT-12:00) International Date Line West
001     Samoa Standard Time     (GMT-11:00) Midway Island, Samoa
002     Hawaiian Standard Time     (GMT-10:00) Hawaii
003     Alaskan Standard Time     (GMT-09:00) Alaska
004     Pacific Standard Time     (GMT-08:00) Pacific Time (US and Canada); Tijuana
010     Mountain Standard Time     (GMT-07:00) Mountain Time (US and Canada)
013     Mexico Standard Time 2     (GMT-07:00) Chihuahua, La Paz, Mazatlan
015     U.S. Mountain Standard Time     (GMT-07:00) Arizona
020     Central Standard Time     (GMT-06:00) Central Time (US and Canada)
025     Canada Central Standard Time     (GMT-06:00) Saskatchewan
030     Mexico Standard Time     (GMT-06:00) Guadalajara, Mexico City, Monterrey
033     Central America Standard Time     (GMT-06:00) Central America
035     Eastern Standard Time     (GMT-05:00) Eastern Time (US and Canada)
040     U.S. Eastern Standard Time     (GMT-05:00) Indiana (East)
045     S.A. Pacific Standard Time     (GMT-05:00) Bogota, Lima, Quito
050     Atlantic Standard Time     (GMT-04:00) Atlantic Time (Canada)
055     S.A. Western Standard Time     (GMT-04:00) Caracas, La Paz
056     Pacific S.A. Standard Time     (GMT-04:00) Santiago
060     Newfoundland and Labrador Standard Time     (GMT-03:30) Newfoundland and Labrador
065     E. South America Standard Time     (GMT-03:00) Brasilia
070     S.A. Eastern Standard Time     (GMT-03:00) Buenos Aires, Georgetown
073     Greenland Standard Time     (GMT-03:00) Greenland
075     Mid-Atlantic Standard Time     (GMT-02:00) Mid-Atlantic
080     Azores Standard Time     (GMT-01:00) Azores
083     Cape Verde Standard Time     (GMT-01:00) Cape Verde Islands
085     GMT Standard Time     (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London
090     Greenwich Standard Time     (GMT) Casablanca, Monrovia
095     Central Europe Standard Time     (GMT+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
100     Central European Standard Time     (GMT+01:00) Sarajevo, Skopje, Warsaw, Zagreb
105     Romance Standard Time     (GMT+01:00) Brussels, Copenhagen, Madrid, Paris
110     W. Europe Standard Time     (GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
113     W. Central Africa Standard Time     (GMT+01:00) West Central Africa
115     E. Europe Standard Time     (GMT+02:00) Bucharest
120     Egypt Standard Time     (GMT+02:00) Cairo
125     FLE Standard Time     (GMT+02:00) Helsinki, Kiev, Riga, Sofia, Tallinn, Vilnius
130     GTB Standard Time     (GMT+02:00) Athens, Istanbul, Minsk
135     Israel Standard Time     (GMT+02:00) Jerusalem
140     South Africa Standard Time     (GMT+02:00) Harare, Pretoria
145     Russian Standard Time     (GMT+03:00) Moscow, St. Petersburg, Volgograd
150     Arab Standard Time     (GMT+03:00) Kuwait, Riyadh
155     E. Africa Standard Time     (GMT+03:00) Nairobi
158     Arabic Standard Time     (GMT+03:00) Baghdad
160     Iran Standard Time     (GMT+03:30) Tehran
165     Arabian Standard Time     (GMT+04:00) Abu Dhabi, Muscat
170     Caucasus Standard Time     (GMT+04:00) Baku, Tbilisi, Yerevan
175     Transitional Islamic State of Afghanistan Standard Time     (GMT+04:30) Kabul
180     Ekaterinburg Standard Time     (GMT+05:00) Ekaterinburg
185     West Asia Standard Time     (GMT+05:00) Islamabad, Karachi, Tashkent
190     India Standard Time     (GMT+05:30) Chennai, Kolkata, Mumbai, New Delhi
193     Nepal Standard Time     (GMT+05:45) Kathmandu
195     Central Asia Standard Time     (GMT+06:00) Astana, Dhaka
200     Sri Lanka Standard Time     (GMT+06:00) Sri Jayawardenepura
201     N. Central Asia Standard Time     (GMT+06:00) Almaty, Novosibirsk
203     Myanmar Standard Time     (GMT+06:30) Yangon Rangoon
205     S.E. Asia Standard Time     (GMT+07:00) Bangkok, Hanoi, Jakarta
207     North Asia Standard Time     (GMT+07:00) Krasnoyarsk
210     China Standard Time     (GMT+08:00) Beijing, Chongqing, Hong Kong SAR, Urumqi
215     Singapore Standard Time     (GMT+08:00) Kuala Lumpur, Singapore
220     Taipei Standard Time     (GMT+08:00) Taipei
225     W. Australia Standard Time     (GMT+08:00) Perth
227     North Asia East Standard Time     (GMT+08:00) Irkutsk, Ulaanbaatar
230     Korea Standard Time     (GMT+09:00) Seoul
235     Tokyo Standard Time     (GMT+09:00) Osaka, Sapporo, Tokyo
240     Yakutsk Standard Time     (GMT+09:00) Yakutsk
245     A.U.S. Central Standard Time     (GMT+09:30) Darwin
250     Cen. Australia Standard Time     (GMT+09:30) Adelaide
255     A.U.S. Eastern Standard Time     (GMT+10:00) Canberra, Melbourne, Sydney
260     E. Australia Standard Time     (GMT+10:00) Brisbane
265     Tasmania Standard Time     (GMT+10:00) Hobart
270     Vladivostok Standard Time     (GMT+10:00) Vladivostok
275     West Pacific Standard Time     (GMT+10:00) Guam, Port Moresby
280     Central Pacific Standard Time     (GMT+11:00) Magadan, Solomon Islands, New Caledonia
285     Fiji Islands Standard Time     (GMT+12:00) Fiji Islands, Kamchatka, Marshall Islands
290     New Zealand Standard Time     (GMT+12:00) Auckland, Wellington
300     Tonga Standard Time     (GMT+13:00) Nuku’alofa