Welcome to my world
This is more for me than others. Sometimes I forget things like this.
ssh -D 8888 [email protected] Browser: Socks Proxy localhost 888
ssh -L 9090:localhost:9090 user@proxyhost -i SSHKEY ssh -L 9090:localhost:9090 -N user@TARGETSYSTEM
adb devices adb Shell pm list package pm list package | grep "huawei"
pm uninstall -k --user 0 com.huawei.search pm uninstall -k --user 0 com.huawei.appmarket pm uninstall -k --user 0 com.huawei.himovie.overseas pm uninstall -k --user 0 com.huawei.android.mirrorshare pm uninstall -k --user 0 com.huawei.tips pm uninstall -k --user 0 com.huawei.wallet pm uninstall -k --user 0 com.facebook.services pm uninstall -k --user 0 com.facebook.appmanager pm uninstall -k --user 0 com.facebook.system pm uninstall -k --user 0 com.google.android.feedback pm uninstall -k --user 0 com.huawei.android.karaoke pm uninstall -k -–user 0 com.huawei.hifolder pm uninstall -k --user 0 com.huawei.hwdetectrepair pm uninstall -k --user 0 com.huawei.phoneservice pm uninstall -k --user 0 com.huawei.hwid
pm list package | grep -v "google" | grep -v "huawei" | grep -v "com\.android"
pm list package huawei pm list packages | grep "huawei" | sort
When ever I tried to insert text from the clipboard to vim it did either not work at all or the lines were inserted like a tree, each line more indented.
Since a few weeks the ssllabs server tests marks three more ciphers as CBC ciphers. Block ciphers are not secure. And flagged orange in the test results.
The candidates are
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA
Removing them form the configuration also means removing the support for several older browsers.
The new recommended cipher suite is:
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384 SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
Thanks to Gregg for showing the other POLY 1305 ciphers that I didn’t know of until today. I saw you post at AL.
Update: I had to remove ECDHE-RSA-CHACHA20-POLY1305 and DHE-RSA-CHACHA20-POLY1305 since they are not HIPAA nor NIST compatible.
The TLS_AES_128_GCM_SHA256 ciphers is mandatory for TLS 1.3, but I kindly ignore that since I want only 256 bit encryption. This is not madness, this is crypto wars.
The whole configuration
<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; preload"
</IfModule>
</If>
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1
H2Direct On
I have an A record for *.local at my test domain to 127.0.0.1
For web development it is often required to have a domain name rather than a subfolder in localhost. A vhost for a (sub)domain is easy to set up on my local apache instllation. I can have even a free, valid SSL certificate for that vhost. Wait, what? How can I have a valid certificate for free for a local domain? I use Let’s encrypt with DNS chalange. Sure every time I have to update the certifacte I have to change a DNS txt record, but that is easy.
Another reason why I have a wild card record to 127.0.0.1 is that I can add as many vhosts for testing to apache and don’t have to add or change the DNS settings. Also I can use it on every computer as long as it can query the DNS server on the internet. I can even give my co worker my vhost config and it works without changes.
So *.local.apachehaus.de is free for development. But you can’t have a SSL certificate. If you want that, you can do the same trick with your domain. Happy development.
After a long while I had to something with frontend coding. I wanted to used composer like in my PHP projects. But how the heck to get the composer files to the public / frontend folder on each update? Luckily composer knows a post update command. So here we go
{
"require": {
"twbs/bootstrap": "4.3.1"
},
"scripts": {
"post-update-cmd": [
"rm -rf public/bootstrap",
"cp -R vendor/twbs/bootstrap/dist public/bootstrap"
]
}
}
with composer update the files will be copied to public/bootstrap. Easy!
It is often required to parse the apache log, but the normal log format requires special handling like: https://github.com/JBlond/apache_log_parser
It is easier to have a direct output like JSON format.
LogFormat "{ \"time\":\"%t\", \"remoteIP\":\"%a\", \"host\":\"%V\", \"request\":\"%U\", \"query\":\"%q\", \"method\":\"%m\", \"status\":\"%>s\", \"userAgent\":\"%{User-agent}i\", \"referer\":\"%{Referer}i\" }" json
Now we have an easy to read log file.
Finding a good cipher for your web server is not an easy task. openssl ciphers -v ALL:COMPLEMENTOFALL lists all the available ciphers on your system.
What we don’t want
That gives us:
openssl ciphers -v ALL:COMPLEMENTOFALL | grep -v "SSLv3" | grep -v "(128)" | grep -v "Enc=None" | \ grep -v "Au=DSS" | grep -v "DHE-RSA-AES256-SHA" | grep -v "TLSv1 " | grep -v "Au=PSK" | grep -v "Kx=RSAPSK" | \ grep -v "CAMELLIA" | grep -v "CBC" | grep -v "Au=RSA" | grep -v "Au=None" | grep -v "Enc=AESCCM"
now choose your poison.
Installing or updating a global installed composer can be a PITA if you don’t want to rely on the Linux distro
An easy way is:
curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/bin --filename=composer
Now with the release of Apache 2.4.37 it supports TLSv1.3 (with OpenSSL 1.1.1). Before is was possible to compile Apache against OpenSSL 1.1.1 but it had no effect compared to OpenSSL 1.1.0
There are some advantages using TLS 1.3. it comes with Zero Round Trip Time (0-RTT). Explained simply, with TLS 1.2, two round-trips had been needed to complete the TLS handshake. With TLSv1.3, it requires only one round-trip, which in turn cuts the encryption latency in half. It feels faster.
At the moment only Chrome and Firefox support TLS 1.3. But I think other browser will follow soon.
This requires Apache 2.4.37 or better and OpenSSL 1.1.1 or better. Note that there are now two different directives for SSLCipherSuite. Also new is that the names for the Ciphers for TLS 1.3 are directly taken from the OpenSSL internal naming. This is different compared to the old way in apache. Only two ciphers that are allowed for TLSv1.3 support 256 bit encryption that is why I chose those.
Listen 443
<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; preload"
</IfModule>
</If>
ProtocolsHonorOrder On
Protocols h2c h2 http/1.1
TraceEnable Off
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
SSLOpenSSLConfCmd DHParameters "/opt/apache2/conf/dh4096.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1
H2Direct On
Sadly not OS Distributions support the last OpenSSL version or that TLv1.3 version has been backported or it has been patched, but apache shows still an older version number.