SSL and TLS: Difference between revisions
m (Text replacement - "<source" to "<syntaxhighlight") |
|||
| Line 3: | Line 3: | ||
==HTTPS== | ==HTTPS== | ||
===TLSA - Record === | ===TLSA - Record === | ||
< | <syntaxhighlight lang=bash> | ||
$ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | $ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | ||
(stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac | (stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac | ||
| Line 13: | Line 13: | ||
===HSTS - HTTP Strict Transport Security=== | ===HSTS - HTTP Strict Transport Security=== | ||
< | <syntaxhighlight lang=apache> | ||
<VirtualHost <host>:443> | <VirtualHost <host>:443> | ||
... | ... | ||
| Line 22: | Line 22: | ||
You need to enable the headers module in Apache. | You need to enable the headers module in Apache. | ||
On Ubuntu just do: | On Ubuntu just do: | ||
< | <syntaxhighlight lang=bash> | ||
# sudo a2enmod headers | # sudo a2enmod headers | ||
</source> | </source> | ||
The max-age is entered in seconds: | The max-age is entered in seconds: | ||
< | <syntaxhighlight lang=bash> | ||
$ bc -l | $ bc -l | ||
31556926/(60*60*24) | 31556926/(60*60*24) | ||
| Line 49: | Line 49: | ||
The public key pins for this site are created like this: | The public key pins for this site are created like this: | ||
< | <syntaxhighlight lang=bash> | ||
# /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de | # /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de | ||
Generating RSA private key, 4096 bit long modulus | Generating RSA private key, 4096 bit long modulus | ||
| Line 64: | Line 64: | ||
At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format. | At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format. | ||
< | <syntaxhighlight lang=apache> | ||
<VirtualHost lars.timmann.de:443> | <VirtualHost lars.timmann.de:443> | ||
... | ... | ||
| Line 80: | Line 80: | ||
You need to enable the headers module in Apache. | You need to enable the headers module in Apache. | ||
On Ubuntu just do: | On Ubuntu just do: | ||
< | <syntaxhighlight lang=bash> | ||
# sudo a2enmod headers | # sudo a2enmod headers | ||
</source> | </source> | ||
| Line 87: | Line 87: | ||
==STARTTLS== | ==STARTTLS== | ||
with OpenSSL: | with OpenSSL: | ||
< | <syntaxhighlight lang=bash> | ||
$ openssl s_client -starttls smtp -connect <mailserver>:<port> | $ openssl s_client -starttls smtp -connect <mailserver>:<port> | ||
</source> | </source> | ||
with GNUTLS: | with GNUTLS: | ||
< | <syntaxhighlight lang=bash> | ||
$ gnutls-cli --crlf --starttls --port <port> <mailserver> | $ gnutls-cli --crlf --starttls --port <port> <mailserver> | ||
EHLO hey <-- Send EHLO | EHLO hey <-- Send EHLO | ||
| Line 117: | Line 117: | ||
You can specify the security priority for the handshake like this: | You can specify the security priority for the handshake like this: | ||
< | <syntaxhighlight lang=bash> | ||
$ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver> | $ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver> | ||
</source> | </source> | ||
Or us sslscan to check the available ciphers: | Or us sslscan to check the available ciphers: | ||
< | <syntaxhighlight lang=bash> | ||
$ sudo apt-get install sslscan | $ sudo apt-get install sslscan | ||
$ sslscan --no-failed --starttls <mailserver>:<port> | $ sslscan --no-failed --starttls <mailserver>:<port> | ||
| Line 129: | Line 129: | ||
==SMTPS== | ==SMTPS== | ||
with OpenSSL: | with OpenSSL: | ||
< | <syntaxhighlight lang=bash> | ||
$ openssl s_client -connect <mailserver>:465 | $ openssl s_client -connect <mailserver>:465 | ||
</source> | </source> | ||
with GNUTLS: | with GNUTLS: | ||
< | <syntaxhighlight lang=bash> | ||
$ gnutls-cli --port 465 <mailserver> | $ gnutls-cli --port 465 <mailserver> | ||
</source> | </source> | ||
Revision as of 16:28, 25 November 2021
Web
HTTPS
TLSA - Record
<syntaxhighlight lang=bash> $ openssl s_client -connect lars.timmann.de:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 (stdin)= e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac </source>
This could be used for a tlsa record like this:
_443._tcp.lars.timmann.de. 60 IN TLSA 3 0 1 e642c89062361241dc77f3fb363c8cd0faa04d870b68a3411b8fac8c4b4581ac
HSTS - HTTP Strict Transport Security
<syntaxhighlight lang=apache> <VirtualHost <host>:443>
... Header always set Strict-Transport-Security "max-age=31556926; includeSubDomains;" ...
</VirtualHost> </source> You need to enable the headers module in Apache. On Ubuntu just do: <syntaxhighlight lang=bash>
- sudo a2enmod headers
</source>
The max-age is entered in seconds: <syntaxhighlight lang=bash> $ bc -l 31556926/(60*60*24) 365.24219907407407407407 </souce>
So this value is a year as seconds.
What changes when we set this header and the browser understands it? The browser transforms any link on this page to https even if the link is a http link. If the secure connection cannot be established because of Certificate errors, the browser will refuse to load the page. If this header contains includeSubDomains; subdomains are treated like this as well.
Links:
HPKP - HTTP Public Key Pinning
A helpful script to create the hashes was made by Hanno Böck and is accessible at Github.
I added a create option which makes the script more comfortable for me at Github, too.
The public key pins for this site are created like this: <syntaxhighlight lang=bash>
- /etc/apache2/ssl/hpkp-gen.sh create DE Hamburg Hamburg lars.timmann.de
Generating RSA private key, 4096 bit long modulus ..................................................................................................................................................................................................................++ ..........................................................................................................................................................................................++ e is 65537 (0x10001) Generating RSA private key, 4096 bit long modulus ..................................................++ ..........................................++ e is 65537 (0x10001) Header always set Strict-Transport-Security "max-age=31556926;" Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";pin-sha256=\"O8xUszxHm+JJpRR4Pycl7LCnKjFpTY3REemrBxQZWQU=\";pin-sha256=\"UcmGe/VSm6N9ruX235yb9PEYseuo+mr2volWwx1RffE=\";" </source>
At the end you get one line for adding Strict-Transport-Security and one for Public-Key-Pins. Both in Apache format. <syntaxhighlight lang=apache> <VirtualHost lars.timmann.de:443>
... SSLEngine On SSLProtocol all -SSLv2 -SSLv3 -TLSv1 SSLCompression off SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire SSLCertificateFile /etc/apache2/ssl/timmann.de-wildcard.pem SSLCertificateKeyFile /etc/apache2/ssl/timmann.de.ec-key Header always set Strict-Transport-Security "max-age=31556926;" Header always set Public-Key-Pins "max-age=5184000; pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";pin-sha256=\"9f3SRITO2UNdpnurhfJGLZqcaXJBUm3WRKRIKYiPARc=\";pin-sha256=\"sEQMIUbXSCbQQAMcCH7712u+cYCjFITlUSH/C1DEGHY=\";" ...
</VirtualHost> </source> You need to enable the headers module in Apache. On Ubuntu just do: <syntaxhighlight lang=bash>
- sudo a2enmod headers
</source>
STARTTLS
with OpenSSL: <syntaxhighlight lang=bash> $ openssl s_client -starttls smtp -connect <mailserver>:<port> </source>
with GNUTLS: <syntaxhighlight lang=bash> $ gnutls-cli --crlf --starttls --port <port> <mailserver> EHLO hey <-- Send EHLO 250-<mailserver> Hello <yourhost> [<yourip>] 250-SIZE 52428800 250-8BITMIME 250-ETRN 250-PIPELINING 250-AUTH PLAIN 250-STARTTLS 250 HELP
STARTTLS <-- Send STARTTLS 220 TLS go ahead
^D <-- Send CTRL-D to begin STARTTLS handshake ... - Version: TLS1.2 - Key Exchange: DHE-RSA - Cipher: AES-256-CBC - MAC: SHA256 - Compression: NULL </source>
You can specify the security priority for the handshake like this: <syntaxhighlight lang=bash> $ gnutls-cli --crlf --starttls --priority 'SECURE256:%LATEST_RECORD_VERSION:-VERS-SSL3.0' --port <port> <mailserver> </source>
Or us sslscan to check the available ciphers: <syntaxhighlight lang=bash> $ sudo apt-get install sslscan $ sslscan --no-failed --starttls <mailserver>:<port> </source>
SMTPS
with OpenSSL: <syntaxhighlight lang=bash> $ openssl s_client -connect <mailserver>:465 </source>
with GNUTLS: <syntaxhighlight lang=bash> $ gnutls-cli --port 465 <mailserver> </source>
