Categories
Windows

My Web server supports TLSv1.3 now.

   Apache 2.4.37 from Apache Lounge supports TLSv1.3, so I enabled TLSv1.3 on my Web server, which runs on Windows7 HP SP1 32-bit. I only changed SSLProtocol -all +TLSv1.2 to SSLProtocol -all +TLSv1.2 +TLSv1.3. I did nothing about the SSLCipherSuite directive because the SSL_CTX_set_cipher_list page says ‘An empty list is permissible’.
The default value for this setting is: “TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256”

   Here are the SSL Labs Server Test results from before and after.

Categories
Windows

From dehydrate to mod_md, Let’s Encrypt Tool.

Update information      Edit(Nov.16)  Edit2(Nov.30)

   Early this morning, I changed my Let’s Encrypt tool from dehydrated to mod_md. On August 17, Steffen announced “mod_md is available for 2.4.27 VC15”. I did nothing about it, though I became curious, because I was busy and I was already using ‘dehydrated’. But the day before yesterday, I found “ACME Support in Apache HTTP Server Project”. So yesterday I decided to use ‘mod_md’.

Categories
Windows

Doing CHACHA and Brotli with Apache 2.4 on Windows.

Update information      Edit(May 2)

   Last October, I wrote “The official Apache version already supports CHACHA20, but Apache Lounge version 2.4.23, which is my server’s current version, doesn’t yet”. On April 19, Steffen announced that Apache 2.4.26-Dev is available with OpenSSL 1.1.0e VC14. So, we can use CHACHA20_POLY1305 in the Windows version of Apache now. To enable the cipher, you need to add the CHACHA20-POLY1305 entries to the SSLCipherSuite in httpd-ssl.conf and restart Apache.

Categories
everyday life

I’ve updated to phpMyAdmin4.6.6.


   I’ve updated to phpMyAdmin4.6.6. After that, the new version gave me “OpenSSL error: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length” at HOME when I logged in.
   This is maybe because of this 👉 $cfg['Servers'][$i]['ssl_verify'].

   The page says “Disabling the certificate verification defeats purpose of using SSL. This will make the connection vulnerable to man in the middle attacks.”, but my SQL server and phpMyAdmin don’t accept access from outside the NAT router, and the only user is me. So, as a temporary workaround, I added the following line to my config.inc.php.

$cfg['Servers'][$i]['ssl_verify'] = false;

Categories
Windows

Letsencrypt.sh on Windows-#4.


[2017.Oct.20]    We can use mod_md in the ApacheLounge 2.4.x version now, so I changed my certs updating tool from dehydrated (formerly Letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
   On October 7, when I tested my site with SSL Server Test, I found ‘OCSP Must Staple Not Supported’ in the result. So, I re-checked the old test report and also saw ‘OCSP Must Staple Not Supported’ there. I talked about this with くりくりさん in the comments on my Japanese blog. We also talked about Extended Validation (EV), CHACHA20, and Certificate Transparency (CT). But these three are not available for my server now. EV is expensive. The official Apache version already supports CHACHA20, but Apache Lounge version 2.4.23, which is my server’s current version, doesn’t yet. If I want to use it, I need to build a supporting version by myself. This is difficult for me. Apache doesn’t support CT yet.
   However, I changed several things about my server TLS environment.

Categories
Windows

Letsencrypt.sh on Windows-#3.

Update information      Edit(Oct.26)

[2017.Oct.20]    We can use mod_md in the ApacheLounge 2.4.x version now, so I changed my certs updating tool from dehydrated (formerly Letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
[Oct.26]    As I use Elliptic curve Diffie–Hellman (ECDH) for kx now, I posted a new article. ☞“Letsencrypt.sh on Windows-#4”
========================================================
   On September 17, I had my first successful renewal of the Let’s Encrypt certificates. The script and my batch file did it in the daily task. I found the file differences in my Certs folder on the server, like this ☟.

Categories
Windows

Letsencrypt.sh on Windows-#2.

Update information      Edit(Sep.19)  Edit2(Oct.26)

[2017.Oct.20]    We can use mod_md in the ApacheLounge 2.4.x version now, so I changed my certs updating tool from dehydrated (formerly Letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
[Oct.26]    As I use Elliptic curve Diffie–Hellman (ECDH) for kx now, I posted a new article. ☞“Letsencrypt.sh on Windows-#4”
========================================================
[Sep.19]    As the first automatic renewal of the Let’s Encrypt certs succeeded, I posted a new article. ☞“Letsencrypt.sh on Windows-#3”
   By the way, they renamed the project from letsencrypt.sh to dehydrated. So you can find the project at https://github.com/lukas2511/dehydrated/releases. Therefore, read letsencrypt.sh as dehydrated in my article.
========================================================
   Continued from my last post.
   Now, I’ll write how to renew certs automatically with Letsencrypt.sh. I once made a batch file, which didn’t work well because of a letsencrypt-win-simple limitation. But the part which was not related to letsencrypt-win-simple worked well.

Categories
Windows

Letsencrypt.sh on Windows-#1.

Update information      Edit(Sep.19)  Edit2(Oct.26)  Edit3(2017.Jul.9)

[2017.Oct.20]    We can use mod_md in the ApacheLounge 2.4.x version now, so I changed my certs updating tool from dehydrated (formerly Letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
[Oct.26]    As I use Elliptic curve Diffie–Hellman (ECDH) for kx now, I posted a new article. ☞“Letsencrypt.sh on Windows-#4”
========================================================
[Sep.19]    As the first automatic renewal of the Let’s Encrypt certs succeeded, I posted a new article. ☞“Letsencrypt.sh on Windows-#3”
   By the way, they renamed the project from letsencrypt.sh to dehydrated. So you can find the project at https://github.com/lukas2511/dehydrated/releases. Therefore, read letsencrypt.sh as dehydrated in my article.
========================================================
   As I wrote, the script letsencrypt-win-simple still doesn’t support the renewal of certificates on the Windows version of Apache, and the official client, certbot, also doesn’t support Apache on Windows. So, I think I’ll use another script named letsencrypt.sh.

Categories
Vulnerability

Memorandum #17.


   Steffen released a new version of Apache, 2.4.20, which was built with OpenSSL 1.0.2h, on May 4, so I updated my web server Apache to it. ChangeLog. If you are installing Apache2.4.x for the first time, see “To create a Wamp-like Web Server in Windows7-#1”. Now I use a VC14 version of Apache, which requires VC14.

Categories
everyday life

Let’s Encrypt new certs compatible with Windows XP.


   They announced that Let’s Encrypt certs issued after 1pm Pacific today are compatible with Windows XP. The longer explanation is here. But even after reading it, I still wonder why. In its replies, there are a lot of pros and cons.