SSL and TLS: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
(Die Seite wurde neu angelegt: „Kategorie: Security ==HPKP - HTTP Public Key Pinning== A helpful script to create the hashes was made by Hanno Böck and is accessible at [https://github…“)
 
m (Text replacement - "</source" to "</syntaxhighlight")
 
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Kategorie: Security]]
[[Category: Security]]
=Web=
==HTTPS==
===TLSA - Record ===
<syntaxhighlight lang=bash>
$ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256
(stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac
</syntaxhighlight>


==HPKP - HTTP Public Key Pinning==
This could be used for a tlsa record like this:
_443._tcp.lars.timmann.de. 60 IN TLSA 3 0 1 e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac
 
 
===HSTS - HTTP Strict Transport Security===
<syntaxhighlight lang=apache>
<VirtualHost <host>:443>
    ...
    Header always set Strict-Transport-Security "max-age=31556926; includeSubDomains;"
    ...
</VirtualHost>
</syntaxhighlight>
You need to enable the headers module in Apache.
On Ubuntu just do:
<syntaxhighlight lang=bash>
# sudo a2enmod headers
</syntaxhighlight>
 
The max-age is entered in seconds:
<syntaxhighlight lang=bash>
$ bc -l
31556926/(60*60*24)
365.24219907407407407407
</souce>
 
So this value is a year as seconds.
 
What changes when we set this header and the browser understands it?
The browser transforms any link on this page to https even if the link is a http link. If the secure connection cannot be established because of Certificate errors, the browser will refuse to load the page. If this header contains ''includeSubDomains;'' subdomains are treated like this as well.
 
Links:
* [https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HSTS at Wikipedia (English)]
* [https://de.wikipedia.org/wiki/Hypertext_Transfer_Protocol_Secure#HSTS HSTS at Wikipedia (German)]
 
===HPKP - HTTP Public Key Pinning===


A helpful script to create the hashes was made by Hanno Böck and is accessible at [https://github.com/hannob/hpkp Github].
A helpful script to create the hashes was made by Hanno Böck and is accessible at [https://github.com/hannob/hpkp Github].
Line 8: Line 49:


The public key pins for this site are created like this:
The public key pins for this site are created like this:
<source lang=bash>
<syntaxhighlight lang=bash>
# /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de   
# /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de   
Generating RSA private key, 4096 bit long modulus
Generating RSA private key, 4096 bit long modulus
..............................++
..................................................................................................................................................................................................................++
..........................................++
..........................................................................................................................................................................................++
e is 65537 (0x10001)
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
Generating RSA private key, 4096 bit long modulus
...................................................................................................................++
..................................................++
.......................................................++
..........................................++
e is 65537 (0x10001)
e is 65537 (0x10001)
Header always set Strict-Transport-Security "max-age=31556926;"
Header always set Strict-Transport-Security "max-age=31556926;"
Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"i38qmLX9VLKCmH4XNvctxbv+ogiJXHtdPA/6RvvuJHE=\";pin-sha256=\"Oh+mTGIdu9+uughG5M1W6pCBRO5Ukja5MOzcl4qxKKw=\";pin-sha256=\"i38qmLX9VLKCmH4XNvctxbv+ogiJXHtdPA/6RvvuJHE=\";"
Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";pin-sha256=\"O8xUszxHm+JJpRR4Pycl7LCnKjFpTY3REemrBxQZWQU=\";pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";"
</source>
</syntaxhighlight>
At the end you get on line for optional adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format.
 
<source lang=apache>
At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format.
<syntaxhighlight lang=apache>
<VirtualHost lars.timmann.de:443>
<VirtualHost lars.timmann.de:443>
     ...
     ...
     SSLEngine On
     SSLEngine On
     SSLProtocol all -SSLv2 -SSLv3
     SSLProtocol all -SSLv2 -SSLv3 -TLSv1
     SSLCompression off
     SSLCompression off
     SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
     SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
Line 35: Line 77:
     ...
     ...
</VirtualHost>
</VirtualHost>
</source>
</syntaxhighlight>
You need to enable the headers module in Apache.
You need to enable the headers module in Apache.
On Ubuntu just do:
On Ubuntu just do:
<source lang=bash>
<syntaxhighlight lang=bash>
# sudo a2enmod headers
# sudo a2enmod headers
</source>
</syntaxhighlight>
 
=Mail=
==STARTTLS==
with OpenSSL:
<syntaxhighlight lang=bash>
$ openssl s_client -starttls smtp -connect <mailserver>:<port>
</syntaxhighlight>
 
with GNUTLS:
<syntaxhighlight lang=bash>
$ gnutls-cli --crlf --starttls --port <port> <mailserver>
EHLO hey    <-- Send EHLO
250-<mailserver> Hello <yourhost> [<yourip>]
250-SIZE 52428800
250-8BITMIME
250-ETRN
250-PIPELINING
250-AUTH PLAIN
250-STARTTLS
250 HELP
 
STARTTLS    <-- Send STARTTLS
220 TLS go ahead
 
^D          <-- Send CTRL-D to begin STARTTLS handshake
...
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA256
- Compression: NULL
</syntaxhighlight>
 
You can specify the security priority for the handshake like this:
<syntaxhighlight lang=bash>
$ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver>
</syntaxhighlight>
 
Or us sslscan to check the available ciphers:
<syntaxhighlight lang=bash>
$ sudo apt-get install sslscan
$ sslscan --no-failed --starttls <mailserver>:<port>
</syntaxhighlight>
 
==SMTPS==
with OpenSSL:
<syntaxhighlight lang=bash>
$ openssl s_client -connect <mailserver>:465
</syntaxhighlight>
 
with GNUTLS:
<syntaxhighlight lang=bash>
$ gnutls-cli --port 465 <mailserver>
</syntaxhighlight>

Latest revision as of 17:51, 25 November 2021

Web

HTTPS

TLSA - Record

$ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 
(stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac

This could be used for a tlsa record like this: 

_443._tcp.lars.timmann.de.	60	IN	TLSA	3 0 1 e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac


HSTS - HTTP Strict Transport Security

<VirtualHost <host>:443>
    ...
    Header always set Strict-Transport-Security "max-age=31556926; includeSubDomains;"
    ...
</VirtualHost>

You need to enable the headers module in Apache. On Ubuntu just do: 

# sudo a2enmod headers

The max-age is entered in seconds: 

$ bc -l
31556926/(60*60*24)
365.24219907407407407407
</souce>

So this value is a year as seconds.

What changes when we set this header and the browser understands it?
The browser transforms any link on this page to https even if the link is a http link. If the secure connection cannot be established because of Certificate errors, the browser will refuse to load the page. If this header contains ''includeSubDomains;'' subdomains are treated like this as well.

Links:
* [https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HSTS at Wikipedia (English)]
* [https://de.wikipedia.org/wiki/Hypertext_Transfer_Protocol_Secure#HSTS HSTS at Wikipedia (German)]

===HPKP - HTTP Public Key Pinning===

A helpful script to create the hashes was made by Hanno Böck and is accessible at [https://github.com/hannob/hpkp Github].

I added a create option which makes the script more comfortable for me at [https://github.com/Popyllol/hpkp Github], too.

The public key pins for this site are created like this:
<syntaxhighlight lang=bash>
# /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de   
Generating RSA private key, 4096 bit long modulus
..................................................................................................................................................................................................................++
..........................................................................................................................................................................................++
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
..................................................++
..........................................++
e is 65537 (0x10001)
Header always set Strict-Transport-Security "max-age=31556926;"
Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";pin-sha256=\"O8xUszxHm+JJpRR4Pycl7LCnKjFpTY3REemrBxQZWQU=\";pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";"

At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format. 

<VirtualHost lars.timmann.de:443>
    ...
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 
    SSLCompression off
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile    /etc/apache2/ssl/timmann.de-wildcard.pem
    SSLCertificateKeyFile /etc/apache2/ssl/timmann.de.ec-key
    Header always set Strict-Transport-Security "max-age=31556926;"
    Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";pin-sha256=\"9f3SRITO2UNdpnurhfJGLZqcaXJBUm3WRKRIKYiPARc=\";pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";"
    ...
</VirtualHost>

You need to enable the headers module in Apache. On Ubuntu just do: 

# sudo a2enmod headers

Mail

STARTTLS

with OpenSSL: 

$ openssl s_client -starttls smtp -connect <mailserver>:<port>

with GNUTLS: 

$ gnutls-cli --crlf --starttls --port <port> <mailserver>
EHLO hey     <-- Send EHLO
250-<mailserver> Hello <yourhost> [<yourip>]
250-SIZE 52428800
250-8BITMIME
250-ETRN
250-PIPELINING
250-AUTH PLAIN
250-STARTTLS
250 HELP

STARTTLS    <-- Send STARTTLS
220 TLS go ahead

^D          <-- Send CTRL-D to begin STARTTLS handshake
...
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA256
- Compression: NULL

You can specify the security priority for the handshake like this: 

$ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver>

Or us sslscan to check the available ciphers: 

$ sudo apt-get install sslscan
$ sslscan --no-failed --starttls <mailserver>:<port>

SMTPS

with OpenSSL: 

$ openssl s_client -connect <mailserver>:465

with GNUTLS: 

$ gnutls-cli --port 465 <mailserver>
Retrieved from "https://lars.timmann.de/wiki/index.php?title=SSL_and_TLS&oldid=2348"