Obsolete key exchange mechanisms alias crypto wars part eleven

Posted on by mario

Obsolete key exchange mechanisms alias crypto wars part eleven

Especially weak key exchange mechanisms indicated by the cipher suite include those designated as EXPORT or ANON;  cipher suites using these key exchange mechanisms should not be used. Even if the cipher suite used in a TLS session is acceptable, a key exchange mechanism may use weak keys that allow exploitation. TLS key exchange methods include RSA key transport and DH or ECDH key establishment. DH and ECDH include static as well as ephemeral mechanisms. NSA recommends RSA key transport and ephemeral DH (DHE) or ECDH (ECDHE) mechanisms, with RSA or DHE key exchange using at least 3072-bit keys and ECDHE key exchanges using the secp384r1 elliptic curve. For RSA key transport and DH/DHE key exchange,  keys less than 2048 bits should not be used,  and ECDH/ECDHE using custom curves should not be used. The use of custom public key parameters in key exchange messages is deprecated per RFC 8422 Section 5.1.1

The recommended configuration is the following

Header always set Strict-Transport-Security "max-age=15553000; preload"
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1

H2Direct On

SSLOpenSSLConfCmd SignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
SSLOpenSSLConfCmd ClientSignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256

The only difference is the behavior of auto escaping in twig

Posted on by mario

Imagine you have a var variable containing: <div>I'm happy</div>.

On index.twig, {{ var }} will render <div>I'm happy</div>.

On index.html.twig, {{ var }} will render &lt;div&gt;I&#039;m happy&lt;div&gt;

On index.js.twig, {{ var }} will render \x3Cdiv\x3EI\x27m\x20happy\x3Cdiv\x3E

And so on.

Always use the right extension to avoid any XSS vulnerability, and
always use |raw wisely because it overlaps this extension’s implicit protection.

Apache security headers

Posted on by mario

A good starting point for apache security headers

<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=86400, enforce"
    Header always set Feature-Policy "\
        geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; \
        magnetometer 'none'; accelerometer 'none'; vr 'none'; \
        speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; \
        microphone 'none'"
    Header always set Content-Security-Policy "\
        default-src 'self' 'unsafe-inline' data:;\
        font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; \
        style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
        script-src 'self' 'unsafe-inline' 'unsafe-eval';"
    Header always set Access-Control-Allow-Origin "*"
    Header always set X-Content-Type-Options nosniff
</IfModule>

Convert pfx certificate for apache

Posted on by mario

This is more or less a hint for me how to do it. Maybe it helps you, too.

openssl pkcs12 -in example.com.pfx -clcerts -nokeys -out example.com.crt
openssl pkcs12 -in example.com.pfx -nocerts -out example.com-encrypted.key
openssl rsa -in cert-encrypted.key -out example.com.key
openssl pkcs12 -in example.com.pfx -cacerts -nokeys -out ca-cert.ca

Then in the apache config

SSLCertificateFile certs/example.com.crt
SSLCACertificateFile certs/ca-cert.ca
SSLCertificateKeyFile certs/example.com.key

Marios’ version of Kimchi

Posted on by mario

This is my version of Kimchi. There are gazillion versions of Kimchi and this is mine.

Since I’m lazy and don’t want to browse a special Asian store, I changed some ingredients to fit what I can buy and have a similar result.

Paprika powder
Cayenne pepper powder
120g Salt
2 medium sized Onions
4 Garlic cloves
1 thumb sized piece Ginger
1 kg Chinese cabbage
1 tablespoon sugar
2 tablespoons Rice flour
1 small pot
1.5 Liter Jar mit a closing lit
1 Large bowl

Fill the bowl with2  Liters / 8 cups of water and mix  in the salt. Stir until the .salt is resolved
Cut the Chinese cabbage into 1 inch / 2.5 cm size big pieces. Put it into the bowl and leave it there for 3 to 4 hours.

Chop the onions, the garlic, and the ginger very fine.

The Marinade:

Put 250 ml / 1 cup of cold water into the pot. Stir in the rice flour and the sugar. Cook it for 5 minutes with constant stirring. Now let it cool. Add some paprika powder and the Cayenne pepper. Add as much until it fits your spice level. Add the chopped ingredients. Mix it well.

After the 3 to 4 hours drain the Chinese cabbage as much as possible. Add the marinade and mix it well with your hands. You might use gloves as it might be too spicy for your hand. Fill the jar with the result. Push it down so that no air bubbles are inside. Leave a space about an inch / 2.5 cm, otherwise the jar might explode or the juice will come ot of the jar. Close the lid. Let it stand in your kitchen or wherever, but keep it away from sunlight. Once a day open the lid and let the fermentation gases out of the jar. Push the Chinese cabbage down, that nothing is floating on the surface. After 3 days see if it is sour enough for you. You can wait up to 5 days. Now put the jar into a fridge. After 7 days in the fridge the Kimchi is ready to eat. Kimchi can be stored up to 3 month in the fridge. The fermentation process will continue in the fridge, but much slower.After you took out some of the kimchi to consume it, push the rest of it down into the jar. Never use a spoon or something that has your saliva on the to get something out of the jar, your kimchi would spoil very fast.

Influxdb 2.0 lessons learned

Posted on by mario

I played a bit with influxdb version 2.0.0, telegraf client and two of my raspberry pies.
On my oldest pi  a 1 B+ the telegraf client caused too much performance issues on that light weight single CPU and 480 MB of usable RAM. So I chose a simple bash script with curl to send the CPU temperature to influxdb.

#!/bin/bash
timestamp=$(date +%s)
temp=$(vcgencmd measure_temp)
curl -XPOST \
"https://flux.example.com/api/v2/write?org=none&bucket=pihole&precision=s" \
--header "Authorization: Token asas==" \
--data-raw "cpu-temperature,host=pihole ${temp//\'C/} ${timestamp}"

At first I was running influxdbd by hand. But I didn’t want the usual port of 9999 of the alpha version and I also wanted SSL encryption when I log into the backend. Pretty easy with the already running apache on that server.

<VirtualHost *:443>
	ServerName flux.example.com
	DocumentRoot /var/www/empty

	<Directory /var/www/empty>
		Options Indexes FollowSymLinks
		AllowOverride None
		Require all granted
	</Directory>

	ProxyPass / http://localhost:9999/
	ProxyPassReverse / http://localhost:9999/

	SSLEngine on
	SSLCertificateFile  fullchain.pem
	SSLCertificateKeyFile privkey.pem
</VirtualHost>

so far so good. Starting the influxdb by hand after a reboot or failing isn’t an option.  So I created by on systemd service file

sudo $EDITOR /lib/systemd/system/influxdb2.service

[Unit]
Description=InfluxDB 2.0 service file.
Documentation=https://v2.docs.influxdata.com/v2.0/get-started/
After=network-online.target

[Service]
User=influx
Group=influx
ExecStart=/usr/local/bin/influxd
Restart=on-failure

[Install]
WantedBy=multi-user.target

Do not forget to enable it :D sudo systemctl enable influxdb2

 

So far I made one observation. The telegraf client is doing a lot of DNS requests through the network. If I’m not wrong it does it for every request. If you look at the graphic you see that the bottom a big blue line. That is the DNS requests from telegraf. At some point around 20:00 You see a drop. Well there I change the flush interval to 120 seconds. Later at round 7:30 I wrote the IP and host name into /etc/hosts and the “noise” was gone. That is something you maybe want to do in your devices, too to save some bandwidth and energy.

Zucchini sweet and sour

Posted on by mario

What you need:
paprika
salt
pepper
white Vinegar
sugar
crème fraiche (if not available use sour cream / heavy cream with at least 50% fat)

500g aka 1 pound minced meat.

1 red bell peper
1 Zucchini
1 white onion

——

Start with bell pepper, zucchini, white onion. Cut them into pieces of your choise.
Braise one after the other in a saucepan.
Season with salt, pepper, paprika, 2 – 3 tablespoons of vinegar and half a teaspoon of sugar. Peel off a 1/4 liter (one cup) of water and cook for 15 minutes with the lid on.

Fry 500g mince in a pan. Season with salt, pepper and paprika.

Then add the mince to the pot. Mix in one tablespoon of crème fraiche.

Traveling through time isn’t enough

Posted on by mario

Some people think traveling through time is easy. It might look that way. But they don’t consider that you need to travel space, too. Wait, why space, too?
Let’s start easy. If you want to meet me at work you need 4 dimension. You might think it is just an address, but it isn’t. The first dimension is the street. To make is easy the street goes from east to west in a straight line. Well the street is very long. In order to find me you need the house number. That is like drawing another line from north to south (second dimension). If you think that you are able to meet me yet, you are WRONG! I work in a skyscraper. You need to also the number of the have the number of the floor. Now you can meet me!? WRONG! You might show but at the correct place, but at the wrong time. You might be there in the night or during my lunch break. So you need also the fourth dimension the time.
When it comes to GPS navigation you need those information twice, because you need to know from where and when you are coming.

Now with time travel it is even worse. You are standing on the earth. It rotates with about ~ 464 m/s. If you try time traveling while visiting me, and miss the correct time only by a split second you might fall down a long way down from the height of the skyscraper. But it doesn’t end there. The earth orbits the sun. That is 29.85 m/s additional movement to the earth’s rotation. Our solar system rotates in in our galaxy the milky way. The milky way rotates, too. The galaxy is moving through the universe / space. Plus the universe is expanding. And it the expanding speed is increasing. Good luck with time traveling!. Do the math and meet me in my skyscraper, yesterday! I think this the point most science fiction authors didn’t tell you. So next time you travel through time and space and you are very good. Don’t forget your parachute. If you are not so good in math don’t forget your space suite, just in case…

Remember:

  1. The earth rotates
  2. The earth orbits around the sun
  3. The solar system orbits around the in a rotating galaxy
  4. The galaxy is moving in the universe
  5. The universe is ever expanding. Faster and faster.