SSL and TLS: Difference between revisions
From Lolly's Wiki
Jump to navigationJump to search
m (Text replacement - "<source" to "<syntaxhighlight") |
m (Text replacement - "</source" to "</syntaxhighlight") |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[ | [[Category: Security]] | ||
=Web= | =Web= | ||
==HTTPS== | ==HTTPS== | ||
| Line 6: | Line 6: | ||
$ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | $ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | ||
(stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac | (stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac | ||
</ | </syntaxhighlight> | ||
This could be used for a tlsa record like this: | This could be used for a tlsa record like this: | ||
| Line 19: | Line 19: | ||
... | ... | ||
</VirtualHost> | </VirtualHost> | ||
</ | </syntaxhighlight> | ||
You need to enable the headers module in Apache. | You need to enable the headers module in Apache. | ||
On Ubuntu just do: | On Ubuntu just do: | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
# sudo a2enmod headers | # sudo a2enmod headers | ||
</ | </syntaxhighlight> | ||
The max-age is entered in seconds: | The max-age is entered in seconds: | ||
| Line 61: | Line 61: | ||
Header always set Strict-Transport-Security "max-age=31556926;" | Header always set Strict-Transport-Security "max-age=31556926;" | ||
Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";pin-sha256=\"O8xUszxHm+JJpRR4Pycl7LCnKjFpTY3REemrBxQZWQU=\";pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";" | Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";pin-sha256=\"O8xUszxHm+JJpRR4Pycl7LCnKjFpTY3REemrBxQZWQU=\";pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";" | ||
</ | </syntaxhighlight> | ||
At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format. | At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format. | ||
| Line 77: | Line 77: | ||
... | ... | ||
</VirtualHost> | </VirtualHost> | ||
</ | </syntaxhighlight> | ||
You need to enable the headers module in Apache. | You need to enable the headers module in Apache. | ||
On Ubuntu just do: | On Ubuntu just do: | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
# sudo a2enmod headers | # sudo a2enmod headers | ||
</ | </syntaxhighlight> | ||
=Mail= | =Mail= | ||
| Line 89: | Line 89: | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
$ openssl s_client -starttls smtp -connect <mailserver>:<port> | $ openssl s_client -starttls smtp -connect <mailserver>:<port> | ||
</ | </syntaxhighlight> | ||
with GNUTLS: | with GNUTLS: | ||
| Line 114: | Line 114: | ||
- MAC: SHA256 | - MAC: SHA256 | ||
- Compression: NULL | - Compression: NULL | ||
</ | </syntaxhighlight> | ||
You can specify the security priority for the handshake like this: | You can specify the security priority for the handshake like this: | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
$ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver> | $ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver> | ||
</ | </syntaxhighlight> | ||
Or us sslscan to check the available ciphers: | Or us sslscan to check the available ciphers: | ||
| Line 125: | Line 125: | ||
$ sudo apt-get install sslscan | $ sudo apt-get install sslscan | ||
$ sslscan --no-failed --starttls <mailserver>:<port> | $ sslscan --no-failed --starttls <mailserver>:<port> | ||
</ | </syntaxhighlight> | ||
==SMTPS== | ==SMTPS== | ||
| Line 131: | Line 131: | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
$ openssl s_client -connect <mailserver>:465 | $ openssl s_client -connect <mailserver>:465 | ||
</ | </syntaxhighlight> | ||
with GNUTLS: | with GNUTLS: | ||
<syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
$ gnutls-cli --port 465 <mailserver> | $ gnutls-cli --port 465 <mailserver> | ||
</ | </syntaxhighlight> | ||
Latest revision as of 17:51, 25 November 2021
Web
HTTPS
TLSA - Record
$ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256
(stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac
This could be used for a tlsa record like this:
_443._tcp.lars.timmann.de. 60 IN TLSA 3 0 1 e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac
HSTS - HTTP Strict Transport Security
<VirtualHost <host>:443>
...
Header always set Strict-Transport-Security "max-age=31556926; includeSubDomains;"
...
</VirtualHost>
You need to enable the headers module in Apache. On Ubuntu just do:
# sudo a2enmod headers
The max-age is entered in seconds:
$ bc -l
31556926/(60*60*24)
365.24219907407407407407
</souce>
So this value is a year as seconds.
What changes when we set this header and the browser understands it?
The browser transforms any link on this page to https even if the link is a http link. If the secure connection cannot be established because of Certificate errors, the browser will refuse to load the page. If this header contains ''includeSubDomains;'' subdomains are treated like this as well.
Links:
* [https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HSTS at Wikipedia (English)]
* [https://de.wikipedia.org/wiki/Hypertext_Transfer_Protocol_Secure#HSTS HSTS at Wikipedia (German)]
===HPKP - HTTP Public Key Pinning===
A helpful script to create the hashes was made by Hanno Böck and is accessible at [https://github.com/hannob/hpkp Github].
I added a create option which makes the script more comfortable for me at [https://github.com/Popyllol/hpkp Github], too.
The public key pins for this site are created like this:
<syntaxhighlight lang=bash>
# /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de
Generating RSA private key, 4096 bit long modulus
..................................................................................................................................................................................................................++
..........................................................................................................................................................................................++
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
..................................................++
..........................................++
e is 65537 (0x10001)
Header always set Strict-Transport-Security "max-age=31556926;"
Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";pin-sha256=\"O8xUszxHm+JJpRR4Pycl7LCnKjFpTY3REemrBxQZWQU=\";pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";"
At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format.
<VirtualHost lars.timmann.de:443>
...
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCompression off
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/timmann.de-wildcard.pem
SSLCertificateKeyFile /etc/apache2/ssl/timmann.de.ec-key
Header always set Strict-Transport-Security "max-age=31556926;"
Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";pin-sha256=\"9f3SRITO2UNdpnurhfJGLZqcaXJBUm3WRKRIKYiPARc=\";pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";"
...
</VirtualHost>
You need to enable the headers module in Apache. On Ubuntu just do:
# sudo a2enmod headers
STARTTLS
with OpenSSL:
$ openssl s_client -starttls smtp -connect <mailserver>:<port>
with GNUTLS:
$ gnutls-cli --crlf --starttls --port <port> <mailserver>
EHLO hey <-- Send EHLO
250-<mailserver> Hello <yourhost> [<yourip>]
250-SIZE 52428800
250-8BITMIME
250-ETRN
250-PIPELINING
250-AUTH PLAIN
250-STARTTLS
250 HELP
STARTTLS <-- Send STARTTLS
220 TLS go ahead
^D <-- Send CTRL-D to begin STARTTLS handshake
...
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA256
- Compression: NULL
You can specify the security priority for the handshake like this:
$ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver>
Or us sslscan to check the available ciphers:
$ sudo apt-get install sslscan
$ sslscan --no-failed --starttls <mailserver>:<port>
SMTPS
with OpenSSL:
$ openssl s_client -connect <mailserver>:465
with GNUTLS:
$ gnutls-cli --port 465 <mailserver>
