Being too busy with writing HTTP/2, I’ll also write about it, which is I moved to MariaDB 10.1.8. Not to update it. Besides, I found PHP5.6.15, phpMyAdmin4.5.1 and ActivePerl-5.20.2.2002 yesterday, so I took care of them all.
Category: Windows
They released Apache 2.4.17 on Oct 13 and Steffen released the same version at ApacheLounge on Oct 12. The version has mod_http2 for its core module and Steffen’s version was built with nghttp2 v1.3.4. See ChangeLog. So, I can test HTTP/2 on my server now. Yes! Just test. Because they say “This module is experimental.”
Some customization about Windows10.
After installing Windows10, SearchUI.exe accesses the Internet frequently. I find it annoying and don’t need it. I found SearchUI.exe in the folder %windir%SystemAppsMicrosoft.Windows.Cortana_cw5n1h2txyewy. For killing SearchUI.exe, I wanted to change the folder name. So I did the following steps.
Memorandum #12.
Upgrading from Win8.1 Pro to Win10 Pro.
Today, I upgraded my NJ2100 OS from Windows8.1 Pro(x86) to Windows10 Pro(x86).
I used the media creation tool. This time, I selected the option ‘Upgrade this PC now’ and ‘Keep Windows settings, personal files, and apps’. The PC had just 13.2 GB as free spaces on its C drive. But it brought no problems at the upgrade.
Have GWX showed up on your PCs yet?
Hey guys! Have GWX (Get Windows 10) showed up on your PCs yet? I have a Windows 8.1 Pro PC and two Windows 7 HP PCs. On Win8 I already had GWX. But I have nothing on Win7 PCs.
Anyway, all I need is to wait July 29. And of course, “To upgrade or not to upgrade, that is the question.” (^_^;)
Edit(Jun.11):
Yesterday, GWX showed up one of the Win7 PCs after Windows Update, that is a Let’snote ― a Panasonic product and a kind of Toughbook ― as my mobile PC. CF-J10TYAHR.
Updating to PHP5.6.7.
They released PHP5.6.7 Windows version on Mar-19 23:50:34UTC. It fixes several bugs as well as CVE-2015-0231 (bug #68976), CVE-2015-2305 (bug #69248) and CVE-2015-2331 (bug #69253). The previous version (PHP5.6.5) has a bug fix for CVE-2015-0231, so this bug fix is second time. I wonder if some unfixed issues still remain for this vulnerability. Anyway I updated my PHP from 5.6.6 to 5.6.7 on my Web server (Windows7HP+SP1(x86)).
By the way, the new version includes some fixes for OPcache. But I have no new report on the page Bug #67937. So, nothing might change about it, but I enabled OPcache on my server again (Mar-29@6:55JST). What results will I have? I feel nervous about it.
If you need more information for the configuration, see the post “Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows”.
Edit(Apr.14):
The OPcache on my Windows server has worked well for more than two weeks. I don’t know why. But I am happy!!
Updating to PHP5.6.5.
They released PHP5.6.5 Windows version on Jan-22 03:24:41UTC. It fixes several bugs as well as CVE-2015-0231 (bug #68710), CVE-2014-9427 (bug #68618) and CVE-2015-0232 (bug #68799).
I couldn’t find “Fixed bug #68799” on the PHP5.6.5 ChangeLog though it’s on 5.5.21’s. Did they forget to write it? Anyway, I updated my PHP from 5.6.4 to 5.6.5 on my Web server (Windows7HP+SP1(x86)).
If you need more information for the configuration, see the post “Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows”.
When I tested my SSL server by “Qualys SSL Labs – Projects / SSL Server Test” for this dust, the test gave me following Reds and Oranges (^_^;).
||Reds||
- Trusted : No NOT TRUSTED <<---- Because I use a self-sighed certificate that the Labs doesn't know. So I ignore the message with confidence ha-ha.
- IE 6 / XP No FS 1 No SNI 2 : Protocol or cipher suite mismatch : Fail3 <<---- My SSL server user is only me, and I don't use IE 6 / XP. So I ignore the message.
- Fail3 They say “Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.” My SSL server doesn’t accept lower protocols, but it’s no problem for me.
As above I have nothing to be done about Reds.
||Oranges||
- Prefix handling : Not valid for “www.o6asan.com” :CONFUSING
- Signature algorithm : SHA1withRSA : WEAK
- Chain issues : Contains anchor <<---- Ivan Ristić replied about “Chain issues Contains anchor”. So I ignore the message.
- Not in trust store <<---- Because I use a self-sighed certificate. So I ignore the message.
- Downgrade attack prevention : No, TLS_FALLBACK_SCSV not supported
- Forward Secrecy : With some browsers
As above I have something to be done about 1, 2, 5 and 6. First I handle 5 and 6 because I need to re-create a new certificate for 1 and 2.
- I update Apache 2.4.10 (httpd-2.4.10-win32-VC11.zip) to October 20 version. Because it was built with openssl-1.0.1j which supported TLS_FALLBACK_SCSV.
- I uncommented SSLHonorCipherOrder on and changed SSLCipherSuite Directive value in the httpd-ssl.conf.
HIGH:MEDIUM:!aNULL:!MD5
↓
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP
!PSK !SRP !DSS
Ref : Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
↓ I changed on Dec. 23 because of RC4.
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH
EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
Ref : RC4 in TLS is Broken: Now What?
IF your server should support some mobile OS/browser or legacy ones, you need more additional configuration. But the above is enough to my server.
After them the test gives me “Downgrade attack prevention : Yes, TLS_FALLBACK_SCSV supported” and “Forward Secrecy : Yes (with most browsers) ROBUST”.
Second I handle 1 and 2.
The 1 is caused by my self-sighed certificate only has o6asan.com as its Common Name. So I have to create a new certificate supporting both o6asan.com and www.o6asan.com. But there is a problem that I want to use only one IP address for my SSL server. Nowadays we have the solution for this issue that is called SNI(Server Name Indication) though all OS/browser haven’t supported it yet. I can use a wildcard certificate or SAN for SNI. I use SANs because I don’t want to allow my SSL server to accept all sub domains though I can restrict them by Apache configuration.
The 2 is caused by my creation of the certificate by OpenSSL default, which is set to use SHA1. So I’ll use default_md = sha256
for the new certificate.
On 28th, I re-read Server Name Indication. Is SNI a different story from wildcard certificate / SAN? I don’t understand them still now. Difficult.
I copy the file openssl.cnf(← this is the default name) from Apche24conf folder to c:openssl-1.0.1x-winxxssl(← this is the default location) and customize like the followings.
- Change values and uncomment a line.
dir = ./demoCA
—->>dir = X:/demoCA
<<----Need an exact pathdefault_crl_days = 30
—->>default_crl_days = 365
default_md = default
—->>default_md = sha256
default_bits = 1024
—->>default_bits = 2048
# req_extensions = v3_req
—->>req_extensions = v3_req
- Adding lines.
subjectAltName = @alt_names
to [ v3_req ] area.[ alt_names ]
to just before [ v3_ca ] area.
DNS.1 = example.com
DNS.2 = www.example.com
You can add your domains, like DNS.1, DNS.2, DNS.3, ….- If you make a client certificate, add the followings to the end of the openssl.cnf.
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsComment = "OpenSSL Certificate for SSL Client"
Now I’ll create new certificate. (Ref : WordPress: Administration Over SSL #1)
- ||Create myCA||
- Make myCA folder at X:/
- Make two folders and a file named private, newcerts and index.txt in the myCA.
- Run cmd.exe as Administrator
pushd X:myCA
echo 01 > serial
openssl req -new -keyout privatecakey.pem -out careq.pem
openssl ca -selfsign -in careq.pem -extensions v3_ca -out cacert.pem
copy cacert.pem (Drive_SV):Apache24confssl.crt
copy cacert.pem my_ca.crt
Note) (Drive_SV) is a partition for server components on my home server PC.
- ||Create Server Cert||
pushd X:myCA
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key- Check multiple SANs in the CSR (Can you see ‘Subject Alternative Name’ area in it?)
openssl req -text -noout -in server.csr
openssl ca -in server.csr -out server.crt -extensions v3_req
copy server.key cp_server.key
openssl rsa <cp_server.key> server.key
copy server.key (Drive_SV):Apache24conf
copy server.crt (Drive_SV):Apache24conf
- ||Create Client Cert||
pushd X:myCA
openssl req -new -keyout client.key -out client.csr
openssl ca -policy policy_anything -extensions ssl_client -in client.csr -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -out clientcert.p12
References about SANs : FAQ/subjectAltName (SAN), Multiple Names on One Certificate.
I have a self-sighed certificate with SANs and SHA256 now. Mission complete!!
Memorandum #7.
Did you already handle “POODLE” issue, i.e. CVE-2014-3566? OpenSSL Security Advisory [15 Oct 2014] is also related to this.
First, as a web site operator:
I haven’t got the new version build with 1.0.1j from Apache Lounge yet, so I’ve done the workaround I read on “SSL v3 goes to the dogs – POODLE kills off protocol”.
I added the SSLProtocol All -SSLv3
to my httpd-ssl.conf and restarted the httpd.exe. Before this, SSL Server Test gave me “This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C”. But after this, it gave me “This server is not vulnerable to the POODLE attack because it doesn’t support SSL 3”. Actually, I use Apache 2.4 and OpenSSL 1.0.1, so at my mod_ssl ‘SSLProtocol all’ means ‘SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2’ according to SSLProtocol Directive.
Second, as a user:
I did the following workaround. See “How to protect your browser”.
Edit(Oct.18):
PHP 5.6.1 —>> PHP 5.6.2 ChangeLog.
phpMyAdmin 4.2.9.1 —>> phpMyAdmin 4.2.10 ChangeLog.