SSL and TLS: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
m (Text replacement - "<source" to "<syntaxhighlight")
Line 3: Line 3:
==HTTPS==
==HTTPS==
===TLSA - Record ===
===TLSA - Record ===
<source lang=bash>
<syntaxhighlight lang=bash>
$ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256  
$ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256  
(stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac
(stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac
Line 13: Line 13:


===HSTS - HTTP Strict Transport Security===
===HSTS - HTTP Strict Transport Security===
<source lang=apache>
<syntaxhighlight lang=apache>
<VirtualHost <host>:443>
<VirtualHost <host>:443>
     ...
     ...
Line 22: Line 22:
You need to enable the headers module in Apache.
You need to enable the headers module in Apache.
On Ubuntu just do:
On Ubuntu just do:
<source lang=bash>
<syntaxhighlight lang=bash>
# sudo a2enmod headers
# sudo a2enmod headers
</source>
</source>


The max-age is entered in seconds:
The max-age is entered in seconds:
<source lang=bash>
<syntaxhighlight lang=bash>
$ bc -l
$ bc -l
31556926/(60*60*24)
31556926/(60*60*24)
Line 49: Line 49:


The public key pins for this site are created like this:
The public key pins for this site are created like this:
<source lang=bash>
<syntaxhighlight lang=bash>
# /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de   
# /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de   
Generating RSA private key, 4096 bit long modulus
Generating RSA private key, 4096 bit long modulus
Line 64: Line 64:


At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format.
At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format.
<source lang=apache>
<syntaxhighlight lang=apache>
<VirtualHost lars.timmann.de:443>
<VirtualHost lars.timmann.de:443>
     ...
     ...
Line 80: Line 80:
You need to enable the headers module in Apache.
You need to enable the headers module in Apache.
On Ubuntu just do:
On Ubuntu just do:
<source lang=bash>
<syntaxhighlight lang=bash>
# sudo a2enmod headers
# sudo a2enmod headers
</source>
</source>
Line 87: Line 87:
==STARTTLS==
==STARTTLS==
with OpenSSL:
with OpenSSL:
<source lang=bash>
<syntaxhighlight lang=bash>
$ openssl s_client -starttls smtp -connect <mailserver>:<port>
$ openssl s_client -starttls smtp -connect <mailserver>:<port>
</source>
</source>


with GNUTLS:
with GNUTLS:
<source lang=bash>
<syntaxhighlight lang=bash>
$ gnutls-cli --crlf --starttls --port <port> <mailserver>
$ gnutls-cli --crlf --starttls --port <port> <mailserver>
EHLO hey    <-- Send EHLO
EHLO hey    <-- Send EHLO
Line 117: Line 117:


You can specify the security priority for the handshake like this:
You can specify the security priority for the handshake like this:
<source lang=bash>
<syntaxhighlight lang=bash>
$ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver>
$ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver>
</source>
</source>


Or us sslscan to check the available ciphers:
Or us sslscan to check the available ciphers:
<source lang=bash>
<syntaxhighlight lang=bash>
$ sudo apt-get install sslscan
$ sudo apt-get install sslscan
$ sslscan --no-failed --starttls <mailserver>:<port>
$ sslscan --no-failed --starttls <mailserver>:<port>
Line 129: Line 129:
==SMTPS==
==SMTPS==
with OpenSSL:
with OpenSSL:
<source lang=bash>
<syntaxhighlight lang=bash>
$ openssl s_client -connect <mailserver>:465
$ openssl s_client -connect <mailserver>:465
</source>
</source>


with GNUTLS:
with GNUTLS:
<source lang=bash>
<syntaxhighlight lang=bash>
$ gnutls-cli --port 465 <mailserver>
$ gnutls-cli --port 465 <mailserver>
</source>
</source>

Revision as of 15:28, 25 November 2021

Kategorie: Security

Web

HTTPS

TLSA - Record

<syntaxhighlight lang=bash> $ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 (stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac </source>

This could be used for a tlsa record like this:

_443._tcp.lars.timmann.de.	60	IN	TLSA	3 0 1 e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac


HSTS - HTTP Strict Transport Security

<syntaxhighlight lang=apache> <VirtualHost <host>:443>

   ...
   Header always set Strict-Transport-Security "max-age=31556926; includeSubDomains;"
   ...

</VirtualHost> </source> You need to enable the headers module in Apache. On Ubuntu just do: <syntaxhighlight lang=bash>

  1. sudo a2enmod headers

</source>

The max-age is entered in seconds: <syntaxhighlight lang=bash> $ bc -l 31556926/(60*60*24) 365.24219907407407407407 </souce>

So this value is a year as seconds.

What changes when we set this header and the browser understands it? The browser transforms any link on this page to https even if the link is a http link. If the secure connection cannot be established because of Certificate errors, the browser will refuse to load the page. If this header contains includeSubDomains; subdomains are treated like this as well.

Links:

HPKP - HTTP Public Key Pinning

A helpful script to create the hashes was made by Hanno Böck and is accessible at Github.

I added a create option which makes the script more comfortable for me at Github, too.

The public key pins for this site are created like this: <syntaxhighlight lang=bash>

  1. /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de

Generating RSA private key, 4096 bit long modulus ..................................................................................................................................................................................................................++ ..........................................................................................................................................................................................++ e is 65537 (0x10001) Generating RSA private key, 4096 bit long modulus ..................................................++ ..........................................++ e is 65537 (0x10001) Header always set Strict-Transport-Security "max-age=31556926;" Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";pin-sha256=\"O8xUszxHm+JJpRR4Pycl7LCnKjFpTY3REemrBxQZWQU=\";pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";" </source>

At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format. <syntaxhighlight lang=apache> <VirtualHost lars.timmann.de:443>

   ...
   SSLEngine On
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 
   SSLCompression off
   SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
   SSLCertificateFile    /etc/apache2/ssl/timmann.de-wildcard.pem
   SSLCertificateKeyFile /etc/apache2/ssl/timmann.de.ec-key
   Header always set Strict-Transport-Security "max-age=31556926;"
   Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";pin-sha256=\"9f3SRITO2UNdpnurhfJGLZqcaXJBUm3WRKRIKYiPARc=\";pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";"
   ...

</VirtualHost> </source> You need to enable the headers module in Apache. On Ubuntu just do: <syntaxhighlight lang=bash>

  1. sudo a2enmod headers

</source>

Mail

STARTTLS

with OpenSSL: <syntaxhighlight lang=bash> $ openssl s_client -starttls smtp -connect <mailserver>:<port> </source>

with GNUTLS: <syntaxhighlight lang=bash> $ gnutls-cli --crlf --starttls --port <port> <mailserver> EHLO hey <-- Send EHLO 250-<mailserver> Hello <yourhost> [<yourip>] 250-SIZE 52428800 250-8BITMIME 250-ETRN 250-PIPELINING 250-AUTH PLAIN 250-STARTTLS 250 HELP

STARTTLS <-- Send STARTTLS 220 TLS go ahead

^D <-- Send CTRL-D to begin STARTTLS handshake ... - Version: TLS1.2 - Key Exchange: DHE-RSA - Cipher: AES-256-CBC - MAC: SHA256 - Compression: NULL </source>

You can specify the security priority for the handshake like this: <syntaxhighlight lang=bash> $ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver> </source>

Or us sslscan to check the available ciphers: <syntaxhighlight lang=bash> $ sudo apt-get install sslscan $ sslscan --no-failed --starttls <mailserver>:<port> </source>

SMTPS

with OpenSSL: <syntaxhighlight lang=bash> $ openssl s_client -connect <mailserver>:465 </source>

with GNUTLS: <syntaxhighlight lang=bash> $ gnutls-cli --port 465 <mailserver> </source>