Categories
Windows

A self-signed certificate with SANs and SHA256 by OpenSSL.

Japanese version of this article
Update information      Edit(Oct.28)

   When I tested my SSL server by “Qualys SSL Labs – Projects / SSL Server Test” for this dust, the test gave me the following Reds and Oranges (^_^;).
 
||Reds||

  1. Trusted : No NOT TRUSTED <<---- Because I use a self-signed certificate that the Labs doesn't know. So I ignore the message with confidence ha-ha.
  2. IE 6 / XP No FS 1 No SNI 2 : Protocol or cipher suite mismatch : Fail3 <<---- My SSL server user is only me, and I don't use IE 6 / XP. So I ignore the message.
  3. Fail3 They say “Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.” My SSL server doesn’t accept lower protocols, but it’s no problem for me.

   As above I have nothing to be done about Reds.

||Oranges||

  1. Prefix handling : Not valid for “www.o6asan.com” :CONFUSING
  2. Signature algorithm : SHA1withRSA : WEAK
  3. Chain issues : Contains anchor <<---- Ivan Ristić replied about “Chain issues Contains anchor”. So I ignore the message.
  4. Not in trust store <<---- Because I use a self-signed certificate. So I ignore the message.
  5. Downgrade attack prevention : No, TLS_FALLBACK_SCSV not supported
  6. Forward Secrecy : With some browsers

   As above I have something to be done about 1, 2, 5 and 6. First I handle 5 and 6 because I need to re-create a new certificate for 1 and 2.

  1. I update Apache 2.4.10 (httpd-2.4.10-win32-VC11.zip) to October 20 version. Because it was built with openssl-1.0.1j which supported TLS_FALLBACK_SCSV.
  2. I uncommented SSLHonorCipherOrder on and changed the SSLCipherSuite Directive value in the httpd-ssl.conf.
    HIGH:MEDIUM:!aNULL:!MD5
    ↓
    EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
    EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP
    !PSK !SRP !DSS

       Ref : Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
    ↓ I changed on Dec. 23 because of RC4.
    EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH
    EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS

       Ref : RC4 in TLS is Broken: Now What?

    If your server should support some mobile OS/browser or legacy ones, you need more additional configuration. But the above is enough for my server.
  3. After them the test gives me “Downgrade attack prevention : Yes, TLS_FALLBACK_SCSV supported” and “Forward Secrecy : Yes (with most browsers) ROBUST”.

   Second I handle 1 and 2.
   The 1 is caused by my self-signed certificate only has o6asan.com as its Common Name. So I have to create a new certificate supporting both o6asan.com and www.o6asan.com. But there is a problem that I want to use only one IP address for my SSL server. Nowadays we have the solution for this issue that is called SNI (Server Name Indication) though all OS/browser haven’t supported it yet. I can use a wildcard certificate or SAN for SNI. I use SANs because I don’t want to allow my SSL server to accept all sub domains though I can restrict them by Apache configuration.
   The 2 is caused by my creation of the certificate by OpenSSL default, which is set to use SHA1. So I’ll use default_md = sha256 for the new certificate.
 On 28th, I re-read Server Name Indication. Is SNI a different story from wildcard certificate / SAN? I don’t understand them still now. Difficult.

   I copy the file openssl.cnf (← this is the default name) from the Apache24\conf folder to c:\openssl-1.0.1x-winxx\ssl (← this is the default location) and customize it as follows.

    Change values and uncomment a line.

  1. dir = ./demoCA —->> dir = X:/demoCA <<----Need an exact path
  2. default_crl_days = 30 —->> default_crl_days = 365
  3. default_md = default —->> default_md = sha256
  4. default_bits = 1024 —->> default_bits = 2048
  5. # req_extensions = v3_req —->> req_extensions = v3_req
    Adding lines.

  1. subjectAltName = @alt_names to [ v3_req ] area.
  2. [ alt_names ]
    DNS.1 = example.com
    DNS.2 = www.example.com
    to just before [ v3_ca ] area.
     
    You can add your domains, like DNS.1, DNS.2, DNS.3, ….
  3. If you make a client certificate, add the following to the end of the openssl.cnf.
    [ ssl_client ]
    basicConstraints = CA:FALSE
    nsCertType = client
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth
    nsComment = "OpenSSL Certificate for SSL Client"

   Now I’ll create a new certificate. (Ref : WordPress: Administration Over SSL #1)

    ||Create myCA||

  1. Make myCA folder at X:/
  2. Make two folders and a file named private, newcerts and index.txt in the myCA.
  3. Run cmd.exe as Administrator
    pushd X:\myCA
    echo 01 > serial
    openssl req -new -keyout private\cakey.pem -out careq.pem
    openssl ca -selfsign -in careq.pem -extensions v3_ca -out cacert.pem
    copy cacert.pem (Drive_SV):\Apache24\conf\ssl.crt
    copy cacert.pem my_ca.crt

      Note) (Drive_SV) is a partition for server components on my home server PC.

    ||Create Server Cert||

  1. pushd X:\myCA
    openssl genrsa -out server.key 2048
    openssl req -new -out server.csr -key server.key
  2. Check multiple SANs in the CSR (Can you see ‘Subject Alternative Name’ area in it?)
    openssl req -text -noout -in server.csr
  3. openssl ca -in server.csr -out server.crt -extensions v3_req
    copy server.key cp_server.key
    openssl rsa < cp_server.key > server.key
    copy server.key (Drive_SV):\Apache24\conf
    copy server.crt (Drive_SV):\Apache24\conf

    ||Create Client Cert||

  1. pushd X:\myCA
    openssl req -new -keyout client.key -out client.csr
    openssl ca -policy policy_anything -extensions ssl_client -in client.csr -out client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key -out clientcert.p12

References about SANs : FAQ/subjectAltName (SAN), Multiple Names on One Certificate.

   I have a self-signed certificate with SANs and SHA256 now. Mission complete!!
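
Step 2 of the server-cert procedure inspects the CSR, but the two SSL Labs findings (name coverage and SHA1withRSA) are about the issued certificate, so the same inspection is worth running on server.crt. The following is an added example, not code from the original post: it builds a throwaway self-signed certificate with `openssl req -x509` (a shortcut used here in place of the post's `openssl ca` flow) from a config with the same v3_req / alt_names layout, then checks the signature algorithm and the SAN entries. The function names, the temporary directory and the example.com names are assumptions made for the illustration.

```shell
# Added example, not from the original post. make_test_cert DIR writes
# DIR/test.cnf and a throwaway self-signed DIR/server.crt (constructed input).
make_test_cert() {
    dir=$1
    cat > "$dir/test.cnf" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
x509_extensions    = v3_req

[ dn ]
CN = example.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
    openssl req -x509 -new -nodes -config "$dir/test.cnf" -days 1 \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_sig_alg CERT: print the certificate's signature algorithm name
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_has_san CERT NAME: succeed only if NAME is an exact DNS SAN entry
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fqx "DNS:$2"
}

# check_cert CERT NAME...: fail on a SHA-1/MD5 signature or a missing name
check_cert() {
    cert=$1; shift
    case $(cert_sig_alg "$cert") in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) echo "weak signature algorithm" >&2; return 1 ;;
    esac
    for name in "$@"; do
        cert_has_san "$cert" "$name" || { echo "missing SAN: $name" >&2; return 1; }
    done
}
```

Against a real certificate the call would be `check_cert server.crt o6asan.com www.o6asan.com`; a non-zero exit means one of the two Orange findings would still be reported.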

Categories
Windows

Memorandum #7.

Japanese version of this article
Update information      Edit(Oct.18)

   Did you already handle “POODLE” issue, i.e. CVE-2014-3566? OpenSSL Security Advisory [15 Oct 2014] is also related to this.

   First, as a web site operator:
   I haven’t got the new version build with 1.0.1j from Apache Lounge yet, so I’ve done the workaround I read on “SSL v3 goes to the dogs – POODLE kills off protocol”.

   I added the SSLProtocol All -SSLv3 to my httpd-ssl.conf and restarted the httpd.exe. Before this, SSL Server Test gave me “This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C”. But after this, it gave me “This server is not vulnerable to the POODLE attack because it doesn’t support SSL 3”. Actually, I use Apache 2.4 and OpenSSL 1.0.1, so at my mod_ssl ‘SSLProtocol all’ means ‘SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2’ according to SSLProtocol Directive.

   Second, as a user:
   I did the following workaround. See “How to protect your browser”.

Edit(Oct.18):
PHP 5.6.1 —>> PHP 5.6.2 ChangeLog.
phpMyAdmin 4.2.9.1 —>> phpMyAdmin 4.2.10 ChangeLog.

Categories
Windows

Memorandum #5.

Japanese version of this article
Update information      Edit(Aug.28)
  1. I found their announcement of PHP 5.6.0 GA on the article about RC4, wow! I can’t wait.
  2. I updated Apache 2.4.10 (httpd-2.4.10-win32-VC11.zip) which was built with openssl-1.0.1i. The reason is this advisory, OpenSSL Security Advisory [6 Aug 2014]. I knew this news but Steffen replied “Coming days the builds here at Apache Lounge are going to be upgraded. It has not that priority and severity ~” to Jan-E. So I waited to be upgraded.
  3. I read a lot of articles about the troubles with Windows Update 2014 Aug. Though I had no trouble with my own PCs, I uninstalled the following updates that were installed on my PCs. Because I heard they suggested to uninstall KB2982791, KB2970228, KB2975719 and KB2975331 even if currently no trouble.
    • Windows8.1(x86) on NJ2100
      KB2982791
      KB2975719
    • Windows7 SP1(x64) on CF-J10
      KB2982791
      KB2970228
    • Windows7 SP1(x86) on xw4200
      KB2982791
      KB2970228
    • Windows Vista SP2(x86) on KeyPaso
      KB2982791

    In the past, Windows update gave us troubles almost every time, but I feel this was the first mess in quite a while. How about your feelings? (^_~)

Edit(Aug.28):
   Hey! We have new MS14-045 update KB2993651. See Microsoft Security Bulletin MS14-045 – Important.

Categories
Uncategorized

Updating to Apache 2.4.10.

Japanese version of this article

   Apache HTTP Server 2.4.10 was released. It includes five security patches. It has a new module named mod_authnz_fcgi, so httpd.conf has the following added line.
    #LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
   On the Windows version, pcre was upgraded from 8.34 to 8.35 and APR from 1.5.0 to 1.5.1.

   I downloaded httpd-2.4.10-win32-VC11.zip (17 Jul) from the ApacheLounge for my Windows7 server. If you need the information about Apache 2.4.x configuration on Windows, see my post ‘To create a Wamp-like Web Server in Windows7-#1.‘.

Categories
Uncategorized

Updating Apache because of OpenSSL Security Advisory [05 Jun].

Japanese version of this article
Update information      Edit(Jun.9)

   I updated my Apache 2.4.9 to 2014 5 Jun version because of OpenSSL Security Advisory [05 Jun].

   It is built with ‘IPv6 Crypto apr-1.5.0 apr-util-1.5.3 apr-iconv-1.2.1 openssl-1.0.1h zlib-1.2.8 pcre-8.34 libxml2-2.9.1 lua-5.1.5 expat-2.1.0’. Its Changelog.

   I really appreciate Steffen’s hard and quick work. Thanks again, Steffen.

Edit(Jun.9):
   I found this on the Net, so linked to it as a reference.
OpenSSL Patches Critical Vulnerabilities Two Months After Heartbleed

Categories
Uncategorized

Updating Apache because of CVE-2014-0160.

Japanese version of this article
Update information      Edit(May.13)

   I updated my Apache 2.4.9 to 2014 Apr 8 version because of CVE-2014-0160.

   It is built with ‘IPv6 Crypto apr-1.5.0 apr-util-1.5.3 apr-iconv-1.2.1 openssl-1.0.1g zlib-1.2.8 pcre-8.34 libxml2-2.9.1 lua-5.1.5 expat-2.1.0’. Its Changelog.

   I really appreciate Steffen’s hard and quick work. Thanks again, Steffen.

Edit(May.13):
   This vulnerability also has effects on everyday life as I’ve worried about. Some OS of smartphones might have the vulnerability. I’ve found the list out. ⇒ The list of Android phones vulnerable to Heartbleed bug

   And you can check your smartphone OS about the vulnerability by the Heartbleed Detector App.

   I add three sites about Heartbleed detector you can access by a PC.
     Heartbleed test
     heartbleed test
     Trend Micro Heartbleed Detector (does not exist anymore.)

Categories
Uncategorized

Updating to Apache 2.4.9.

Japanese version of this article

   Apache HTTP Server 2.4.9 was released, and they did not release 2.4.8 because of an issue about OpenSSL area. So we’d better think 2.4.9 includes the changes with 2.4.8.

   I downloaded httpd-2.4.9-win32-VC11.zip (16 Mar) from the ApacheLounge for my Windows7 server. If you need the information about Apache 2.4.x configuration on Windows, see my post ‘To create a Wamp-like Web Server in Windows7-#1.‘.

Categories
Windows

Updating to AWStats7.3.

Japanese version of this article

   I updated AWStats from 7.2 to 7.3. See ChangeLog and current features. Wow!

  1. Downloaded awstats-7.3.zip for my server (Windows7HP + SP1 (x86)).
  2. Extracted the Zip archive.
  3. Replaced the old folders below by new ones. (Location: Drive_DC:\awstats\wwwroot)
         classes
         css
         icon
         js
  4. Replaced the old folders below by new ones. (Location: Drive_DC:\awstats\wwwroot\cgi-bin)
         lang
         lib
         plugins
  5. Customize new awdownloadcsv.pl, awredir.pl and awstats.pl. (Location: Drive_DC:\awstats\wwwroot\cgi-bin)
         #!/usr/bin/perl  —>  #!Drive_SV:/perl/bin/perl
    Replaced the old files by new ones.
  6. Use old awstats.MyDomain.com.conf as the new conf.

   If you install AWStats at the first time, see AWStats Installation, Configuration and Reporting.

   I use this opportunity to bring the software below up to date. Actually, about PERL I did on Dec.26. I forgot to write it. Now, I updated AWStats, which is a PERL scripts package. So, the information about it needs the PERL version. Right? (^_^;)

  • ActivePerl-5.16.3.1603 —> ActivePerl-5.18.1.1800
  • phpMyAdmin-4.1.0 —> phpMyAdmin-4.1.6
  • mariadb-5.5.34 —> mariadb-5.5.35

Categories
Uncategorized

CVE-2012-1823

Japanese version of this article

   I watched “さくらのVPSに来る悪い人を観察する その2” and “SSH ハニーポットでの悪い人の観察”, then rolled on the floor, laughing. I first found this on “徳丸浩の日記”, which says the slide show is very interesting and very popular lately, so I went to the slide show to be sure of it and agreed with it.

   The slide show is related to CVE-2012-1823. Actually, the attacks the slide#36 shows come everywhere whether the vulnerability exists or not. My server is no exception. I don’t create SSH server, and my PHP doesn’t have the vulnerability and isn’t the CGI version, so all attacks failed though.

   Ozuma5119 is a genuine white hacker. If you’re up for this topic, visit the linked sites though they are only in Japanese. Please use some translation services m(_”_)m.

Categories
Uncategorized

Updating to Apache 2.4.7.

Japanese version of this article

   Apache HTTP Server 2.4.7 was released, and I think I found something good on Steffen’s post Apache 2.4.7 available.

   I downloaded httpd-2.4.7-win32-VC11.zip (22 Nov) from the ApacheLounge for My Windows7 server. If you need the information about Apache 2.4.x configuration on Windows, see my post ‘To create a Wamp-like Web Server in Windows7-#1.‘.