msgbartop
Blog di Bernardino (Dino) Ciuffetti
msgbarbottom

30 Ott 15 How to check SSL/TLS protocol for a given server

If you need to check which SSL/TLS protocol version is implemented by your webserver, you can issue the following command:

dino@dam2knb:~$ echo | openssl s_client -connect 10.38.46.137:8443 2>&1 | grep Protocol
Protocol : TLSv1.2

21 Ago 14 How to enable apache NameVirtualHost with SSL

If you want to create name based virtualhosts in apache with SSL Certificates, you need openssl with SNI and TLS support (0.9.8f or better) and good apache 2.2.X version.

It’s a simple task, after you’ve read this official article: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

21 Feb 14 HOWTO generate a SAN (Subject Alternative Names) SSL CSR with OpenSSL

There is a cool SSLv3 protocol extension that’s called SAN (Subject Alternative Names). With this extension you can create a single SSL X509 certificate that is valid for several domain names, instead of a classic certificate that’s valid for one domain name only.

You can ofcourse create this kind of certificate with OpenSSL. We are now going to see how to do that.
Fist you have to create a file called openssl.cnf and put it for example into a temporary dir. The file should begin with:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

This is to enable SSLv3 req extensions.
Now, you have to add your custom informations to the openssl.cnf file: those informations will be reflected on the next steps.
Add something like this to openssl.cnf:

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = IT
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Italy
localityName = Locality Name (eg, city)
localityName_default = Rome
organizationName = Organization name
organizationName_default = My company name Srl
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = System Techies
commonName = Common Name (eg, YOUR name)
commonName_max = 64
#commonName_default = www.myfirstdomain.it
emailAddress = Email Address
emailAddress_max = 40

The informations above are used by the “openssl req” command to ask you data to generate your certificate request.
Then, add this block of informations into the openssl.cnf file:

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

Those informations will enable some extra useful things on your certificate request that will hopefully became valid on your brand new SSLv3 certificate. For example you are requesting your Certification Authority to release a X509 SSLv3 certificate with server and client authentication purposes, plus other certificate goodies.

Now the cool part: this is where you are asking your CA to release a certificate with Alternative Names (certificate valid for several domains). Append this stuff in openssl.cnf:

[alt_names]
DNS.1   = www.myfirstdomain.it
DNS.2   = myfirstdomain.it
DNS.3   = www.myalternativedomain.it
# you could also specify IP addresses like this:
# IP.1 = 1.2.3.4

OK. You are almost ready to create your CSR, but first you have to generate your private key.
NOTE that many CA are now requesting a private key of 2048 bits or more. Warned: a key of 1024 bits is not recommended!
To generate a 2048 bits private key, as usual, execute this command:

openssl genrsa -out server.key 2048

Perfect. It’s time to create the Certificate Request (PKCS#10) with SSLv3 extensions:

openssl req -new -out server.csr -key server.key -config openssl.cnf

Now, send your new server.csr file to your Certification Authority that will hopefully accept the request and relase a valid X509 SSLv3 certificate with SAN.

Good luck and enjoy.

13 Nov 13 Apache HTTPD as 2WAY (mutual) authentication SSL reverse proxy balancer

In this small article I’ll instruct myself (and you too?) how to create a 2 way authentication (mutual authentication) SSL reverse proxy balancer gateway. This configuration is useful in any enterprise environment where it’s requested to separate clients, the frontend and the backend, and when the traffic between clients and the gateway, and between the gateway and the backends must be encrypted.
This also ensure the clients and the backends to be authentic, and avoids Man In The Middle attacks.

Since the reverse proxy is in the middle between the clients and the backends, it’s requested for the clients to send a known client certificate to the gateway (apache), so that the gateway can recognize them. This is done with X509 certificates.
For the same reason, each backend contacted by the gateway is requested to respond with a valid and known server certificate. This is also done with X509 certificates.
Generally, the clients and the backends will also check their peer’s (apache) certificate to be known and valid, so that if someone is going to impersonate the gateway, it will be found and will not be considered authentic.

To do so, we’ll use:

  • apache httpd
  • mod_ssl
  • mod_proxy_balancer + mod_proxy + mod_proxy_http

Everything is done with a simple and single virtualhost in apache to be included in httpd.conf.
A working example is given below (assumes apache to be installed in /opt/apache, working with IP 11.22.33.44 on port 443):

<VirtualHost 11.22.33.44:443>
# General setup for the virtual host
DocumentRoot “/opt/apache/htdocs”
ServerName 11.22.33.44:443
ServerAdmin hostmaster@yoursite.com
CustomLog “|/opt/apache/bin/rotatelogs /opt/apache/logs/ssl_request_%Y%m%d.log 43200” “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”
ErrorLog “|/opt/apache/bin/rotatelogs /opt/apache/logs/error_%Y%m%d.log 43200”
CustomLog “|/opt/apache/bin/rotatelogs /opt/apache/logs/access_%Y%m%d.log 43200” combined

# SSL CONFIGURATION – SERVER SIDE
# Enable SSL Server on this virtualhost
SSLEngine on
# Disable SSLv2 in favor of the more robust and secure SSLv3
SSLProtocol all -SSLv2
# List of supported cryptografic server cipher suites
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# Apache server certificate
SSLCertificateFile “/opt/apache/conf/ssl/server.pem”
# Apache server private key
SSLCertificateKeyFile “/opt/apache/conf/ssl/key.pem”
# Apache server CA certificate (certificate of who released your server certificate)
SSLCertificateChainFile “/opt/apache/conf/ssl/ca.pem”
# Client’s CA certificates (list of certificates of who released your client’s certificates)
SSLCACertificateFile “/opt/apache/conf/ssl/ca.pem”
# It’s mandatory for apache to authenticate the client’s certificate
SSLVerifyClient require
# END OF SSL CONFIGURATION – SERVER SIDE

# SSL CONFIGURATION – CLIENT SIDE
# Enable SSL Client on this virtualhost (the traffic to the backends can be encrypted)
SSLProxyEngine on
# Apache client CA certificate (certificate of who released your client certificate)
SSLProxyMachineCertificateChainFile “/opt/apache/conf/ssl/ca.pem”
# Apache client private key + client certificate (concatenated in a single file)
SSLProxyMachineCertificateFile “/opt/apache/conf/ssl/client.pem”
# Backends’ CA certificates (list of certificates of who released your backends’ certificates)
SSLProxyCACertificateFile “/opt/apache/conf/ssl/ca.pem”
# It’s mandatory for apache to authenticate the backends’ certificate
SSLProxyVerify require
# END OF SSL CONFIGURATION – CLIENT SIDE

<FilesMatch “\.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory “/opt/apache/cgi-bin”>
SSLOptions +StdEnvVars
</Directory>

BrowserMatch “MSIE [2-5]” \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

# Define a load balancer worker to be used to balance the HTTPS traffic to three backends.
# The traffic between apache and the backends is encrypted
<Proxy balancer://httpslb>
# Define the first backend (https) with 2 way auth
BalancerMember https://192.168.1.11:443/ route=worker1 retry=10
# Define the second backend (https) with 2 way auth
BalancerMember https://192.168.1.12:443/ route=worker2 retry=10
# Define the third backend (https) with 2 way auth
BalancerMember https://192.168.1.13:443/ route=worker3 retry=10
</Proxy>

# Don’t send the “/balancer-manager” uri to the backends
ProxyPass /balancer-manager !
# Distribute the traffic (any url, since it is “/”) to the backends with round robin + cookie based session persistence
ProxyPass / balancer://httpslb/ lbmethod=byrequests stickysession=JSESSIONID

</VirtualHost>

If the clients and the backends are configured to check the gateway (apache) certificates, this is considered to be a very secure configuration.

Enjoy!

10 Ott 13 How to fix svn error: OPTIONS ‘https://1.2.3.4/svn/prj’: SSL handshake failed: SSL error: Key usage violation in certificate has been detected

If you encounter an error like this one on your SVN client:

svn: OPTIONS di ‘https://192.168.1.36/svn/myprj‘: SSL handshake failed: SSL error: Key usage violation in certificate has been detected. (https://192.168.1.36)

you can try to fix your problem linking your libneon-gnutls.so.27 library used by your svn client to /usr/lib/libneon.so.27.

Try with this one:

mv /usr/lib/libneon-gnutls.so.27 /usr/lib/libneon-gnutls.so.27.old
ln -s /usr/lib/libneon.so.27 /usr/lib/libneon-gnutls.so.27

Tested on Debian 6.0 and Ubuntu 11.10

15 Nov 11 How to compile apache httpd on HP-UX 11.11 PA-RISC

The first thing that I have to say, after more than 10 years working with different OSes, is that there is no better operative system than Linux. Any other OS that I’ve worked with is a pure shit, in my humble opinion off course. HP-UX is one of this. This is a closed box with custom patches here and there, not a true, modern os like linux or free bsd, and the like. The compiler is closed source and it’s not free.

The best way that I’ve found to compile apache with gcc on HP-UX 11.11 (pa-risc) using open source free software is:

  1. download the following software packages from HP-UX Porting Centre (http://hpux.connect.org.uk/) – your version may vary: zlib-1.2.5-hppa-11.11.depot.gz, make-3.82-hppa-11.11.depot.gz, libiconv-1.14-hppa-11.11.depot.gz, gettext-0.18.1.1-hppa-11.11.depot.gz, openssl-1.0.0e-hppa-11.11.depot.gz, libgcc-4.2.3-hppa-11.11.depot.gz, gcc-4.2.3-hppa-11.11.depot.gz
  2. gunzip each one of the downloaded depot, (eg: gunzip * from the directory where you downloaded)
  3. install each depot in the order given below (the first is zlib, the last is gcc) with the standard hpux command: swinstall -s [your_absolute_depot_path]
  4. once this boring operation mandatory only on non modern operative systems is terinated successfully, you can export the PATH variable setting /usr/local/bin in front of the PATH list: export PATH=”/usr/local/bin:$PATH”
  5. ok. We are now ready to compile apache. Download and uncompress the httpd tar.gz with “gunzip”, then “tar xf” (on a modern system you can do it in a single pass with tar xzvf …)
  6. the configure string to run is: ./configure –with-included-apr –with-expat=builtin –prefix=[YOUR_APACHE_INSTALLATION_PATH] –enable-mods-shared=most –enable-ssl –enable-proxy –enable-proxy-connect –enable-proxy-http –enable-proxy-balancer –enable-cache –enable-disk-cache –enable-mem-cache
  7. once finisced, run: “gmake“.

At this point, after some minute, you probably will end with a compiler error like this one:

/var/adm/crash/src/httpd-2.2.21/srclib/apr/libtool –silent –mode=link gcc -g -O2 -pthread     -L/usr/local/lib   -o htpasswd  htpasswd.lo   -lm /var/adm/crash/src/httpd-2.2.21/srclib/pcre/libpcre.la /var/adm/crash/src/httpd-2.2.21/srclib/apr-util/libaprutil-1.la /var/adm/crash/src/httpd-2.2.21/srclib/apr-util/xml/expat/libexpat.la -liconv /var/adm/crash/src/httpd-2.2.21/srclib/apr/libapr-1.la -lrt -lm -lpthread -ldld
libtool: link: warning: this platform does not like uninstalled shared libraries
libtool: link: `htpasswd’ will be relinked during installation
/usr/ccs/bin/ld: Unsatisfied symbols:
apr_generate_random_bytes (first referenced in .libs/htpasswd.o) (code)
collect2: ld returned 1 exit status
gmake[2]: *** [htpasswd] Error 1
gmake[2]: Leaving directory `/var/adm/crash/src/httpd-2.2.21/support’
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/var/adm/crash/src/httpd-2.2.21/support’
gmake: *** [all-recursive] Error 1

This means that the APR library cannot generate random numbers. I have to investigate why, probably the system is not capable/patched to generate PRN numbers at kernel level (/dev/random or /dev/urandom) and the APR library breaks. Not a problem. Simply skip the creation of the htpasswd executable. You will probably not need it.

  • cd support
  • touch htpasswd
  • cd ..

Now came back to compile:

  • gmake

when finished, simple “gmake install“, and you hopefully have done, thinking why you are still using a non modern os and becoming soon a happy new linux user..

😉 Hope this one will help some linux user fighting on HP as well like me!

Ciao, Dino.

15 Set 11 How to compile apache httpd 64 bits on Solaris 10 sparc

As usual we try to consider the “do it right (r)” way of doing configurations.
Today we will compile Apache HTTPD on Sun Solaris 10 OS (SPARC).

The first thing to do is to install the gcc c compiler if it is not already installed.
To do so, download and install the package from www.sunfreeware.com. Double read the package release notes.
You have to download the latest gcc package and its dependencies. You probably will need also libiconv and libintl.
Now download openssl-0-9.X package.

For each downloaded package install it with the command: dpkg -d <full_path>/your_package

When finished, go into your apache source directory and:

export LD_LIBRARY_PATH=/usr/sfw/lib/sparcv9:/usr/local/lib/sparcv9
export PATH=/usr/sfw/bin:/usr/ccs/bin:/usr/local/ccs/bin:/usr/local/bin:$PATH

# if you want it 64 bits:
export CFLAGS=”-m64″
# if you want it 32 bits:
# export CFLAGS=”-m32″
export LDFLAGS=”-L/usr/sfw/lib/sparcv9″

./configure –with-included-apr –with-expat=builtin –prefix=<your_installation_path> –enable-mods-shared=most –enable-ssl –with-ssl=/usr/sfw –enable-proxy –enable-proxy-connect –enable-proxy-http –enable-proxy-balancer

If the configure process terminated successfully, you can now call:

make

When finished, as usual, call:

make install

I recommend you to use gnu make. You can download it from sunfreeware.
Now, if everything gone ok, you can try to start your brand new 64 bits apache full of powerfull modules.
You may want to set your LD_LIBRARY_PATH variable into <apache>/bin/envvars file so that apachectl can find all the library it needs to start or stop the server.

Ciao, Dino.

12 Set 11 How to install the “Apache Tomcat Native” libtcnative module

The Apache Tomcat Native module, also called “TC-Native library” or “libtcnative”, is a library that implements HTTP, HTTPS and AJP connectors in tomcat using the Apache APR library. This ensure great scalability and performance because permits tomcat to access server native technologies like openssl, system calls like sendfile() or epoll(), advanced I/O, OS level functionality and native Inter Process Communication.

To install libtcnative you must first have a working C compiler environment, a valid “apr” and “openssl” installation with the development libraries, a working apache tomcat 6.0.X and a Java JDK.

On debian it’s as simple as to run:

apt-get install build-essential libapr1-dev libssl-dev

The libtcnative source software can be found in the Tomcat binary bundle, in the bin/tomcat-native.tar.gz archive, but if you want the latest version you can find it here: http://tomcat.apache.org/native-doc/

Untar the tomcat-native archive, then:

cd tomcat-native-1.*/jni/native
./configure –with-apr=`which apr-1-config` –with-java-home=$JAVA_HOME –with-ssl=yes –prefix=$CATALINA_HOME

If you want or need to, you can pass the correct path of APR and OpenSSL libraries to the –with-apr and –with-ssl parameters.
CATALINA_HOME and JAVA_HOME are the path of the Java JDK and Tomcat installations.

After the configure script succeeded, you have to:

make
make install

Now, the libtcnative library should be correctly installed into “$CATALINA_HOME/lib”.
If you want you can now configure tomcat with the new connectors parameters.

The official project page of libtcnative is here: http://tomcat.apache.org/native-doc/
The documentation page of the tomcat 6 APR native functionality is here: http://tomcat.apache.org/tomcat-6.0-doc/apr.html

Hope this help someone to speed installation.
Ciao a tutti, Dino Ciuffetti.

01 Giu 11 Openssl e ciphers… questi sconosciuti

La suite openssl supporta differenti meccanismi di crittografia asimmetrica.
Il client e il server negoziano in fase di handshake la modalita’ di cifratura che utilizzeranno per il trasferimento sicuro dei dati.

In openssl le ciphers implementano 4 algoritmi:
1) Key Exchange Algorithm (scambio delle chiavi)
Sono RSA o Diffie-Hellman

2) Authentication Algorithm (autenticazione dei sistemi)
RSA, Diffie-Hellman, DSS o nessuno

3) Cipher/Encryption Algorithm (cifratura dello stream di dati)
DES, Triple-DES, RC4, RC2, IDEA o nessuno

4) MAC Digest Algorithm (verifica della validita’ del pacchetto)
MD5, SHA o SHA1

Il comando “openssl s_client -ciphers <parametro cipher>” permette di forzare il client (in questo caso il comando openssl stesso) ad utilizzare i meccanismi di cifratura piu’ deboli (parametro LOW), medi (MEDIUM) o piu’ sicuri (HIGH). Tuttavia per poter colloquiare in modo corretto, anche il server SSL deve supportare tali modalita’.

La suite openssl presente al momento sul mio pc (0.9.8k) implementa le seguenti ciphers:

LOW (tutti hanno chiave di cifratura inferiore a 128 bit, e firma hash SHA1 o MD5):
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5

MEDIUM (tutti hanno chiave di cifratura uguale a 128 bit, e firma hash SHA1 o MD5):
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5

HIGH (tutti hanno chiave di cifratura superiore o uguale a 128 bit, e firma hash SHA1 o MD5):
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5

e altre modalita’ che non fanno capo ai tre alias descritti (LOW, MEDIUM e HIGH).

Per quanto riguarda la parte SERVER (per i bravi che usano APACHE) e’ possibile impostare le ciphers supportate tramite l’utilizzo del parametro SSLCipherSuite, ad esempio mettendo qualcosa del genere:
SSLCipherSuite +HIGH:+MEDIUM:!LOW:+SSLv2

Sempre parlando di apache, se non specificato, il default e’: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
ovvero si cerca di mantenere la compatibilita’ con i client piu’ vecchi e che quindi supporano solo ciphers poco robuste.

Scusate la “lezione di crittografia” ma secondo me serve per fare un po’ di chiarezza generale sull’argomento, spesso un po’ oscuro a molti.

Ciao, Dino.

14 Mar 11 Utilizzare openssl come Certification Authority

Come utilizzare openssl per creare una CA (Certification Authority)

Ciao gente.
A volte capita la necessita’ di creare un ente certificatore con openssl, ad esempio per poter generare e firmare dei certificati x509 che possono essere utili ai fini di riconoscimento lato server/client, ad esempio con apache.

I passaggi che da seguire sono semplici:

# Generazione della chiave privata dell’ente certificatore
openssl genrsa -des3 -out ca.key 4096
# Generazione del certificato dell’ente certificatore
openssl req -new -x509 -days 9999 -key ca.key -out ca.crt

# Creazione della chiave privata del server
openssl genrsa -out server.key 2048
# Generazione del CSR del server
openssl req -new -key server.key -out server.csr
# Creazione del certificato server e firma con il certificato dell’ente certificatore
openssl x509 -req -in server.csr -out server.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 1365

# Creazione della chiave privata del client da autenticare
openssl genrsa -des3 -out user.key 1024
# Generazione del CSR del client
openssl req -new -key user.key -out user.csr
# Creazione del certificato client e firma con il certificato dell’ente certificatore
openssl x509 -req -in user.csr -out user.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 1365
# Conversione in formato PKCS#12
openssl pkcs12 -export -in user.crt -inkey user.key -name “Nome e cognome” -out user.p12

Se avete domande chiedete pure.
Ciao, Dino.