Encryption


SSL Certificates

References:

  http://support.citrix.com/article/CTX106028 Citrix
  https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
  http://www.madboa.com/geek/openssl/
  http://www.phildev.net/ssl/creating_ca.html

Formats, Encodings and Conversions

Ref: https://www.sslshopper.com/ssl-converter.html

Using OpenSSL for converting Certificate Encodings

PEM to DER:
 openssl x509 -outform der -in certificate.pem -out certificate.der

PEM to P7B:
 openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

PEM to PFX:
 openssl pkcs12 -export -out certificate.pfx -in certificate.crt -inkey privateKey.key -certfile CACert.crt
 openssl pkcs12 -export -out mycert.pfx -in mycert.pem -inkey mycert.key -name "www.mycert.com"

DER to PEM:
 openssl x509 -inform der -in certificate.cer -out certificate.pem

P7B to PEM:
 openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

P7B to PFX (two steps):
 openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
 openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

PFX to PEM:
 openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Minting Certificates

The following commands create a Certificate Signing Request (CSR), sign it, and convert it to pkcs12 format:

openssl req -new -newkey rsa:4048 -nodes -out mycert.csr -keyout mycert.key
openssl x509 -CA ca/ca.pem -CAkey ca/ca.key -CAserial ca/ca.srl -req -in mycert.csr -out mycert.pem -days 3650
openssl pkcs12 -export -clcerts -in mycert.pem -inkey mycert.key -out mycert.p12 -name "My first Certificate"
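
The same mint flow end to end with the checks worth running before a certificate is packaged, as an added example that is not part of the original page. It uses a throwaway CA in a scratch directory in place of ca/ca.pem and ca/ca.key; the subject names, file names and the helpers mint_demo and key_matches_cert are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: mint a leaf certificate from a throwaway CA and verify it.
# All names (Example Test CA, www.example.test, ca.*, leaf.*) are constructed.

# Succeeds only if the certificate carries the public half of the private key.
# usage: key_matches_cert cert.pem private.key   (returns 2 on unreadable input)
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Create CA, key + CSR, signed leaf, then check the chain.
# usage: mint_demo <empty-dir>   (leaves ca.key ca.pem leaf.key leaf.csr leaf.pem)
mint_demo() {
    ( cd "$1" &&
      # Self-signed CA standing in for ca/ca.pem and ca/ca.key.
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
          -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem &&
      # Private key and CSR in one step; -subj avoids the interactive prompts.
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr &&
      # Sign the CSR; -CAcreateserial creates the serial file on first use.
      openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
          -sha256 -days 30 -out leaf.pem &&
      # The leaf must chain to the CA that is supposed to have issued it.
      openssl verify -CAfile ca.pem leaf.pem
    ) >/dev/null 2>&1
}

work=$(mktemp -d)
mint_demo "$work" &&
    key_matches_cert "$work/leaf.pem" "$work/leaf.key" &&
    echo "leaf.pem chains to ca.pem and matches leaf.key"
# Pairing the certificate with the wrong key is caught before pkcs12 export.
key_matches_cert "$work/leaf.pem" "$work/ca.key" ||
    echo "leaf.pem does not match ca.key (expected)"
rm -rf "$work"
```
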

Create a new CSR given an expired cert and its private key

Ref: Renewing CA keeping original key-pair

 openssl x509 -x509toreq -signkey private.key -out newcsr.csr -in oldcert.pem

Obtain Certificate Information

 openssl x509 -noout -text -in mycert.pem

Using Configuration file with Openssl

Reference: http://usefulfor.com/nothing/2008/03/20/howto-create-an-intermediate-certifica-authority-ca-using-openssl/

MODIFY default file /etc/sfw/openssl/openssl.cnf or create/modify local copy

CREATE CSR

 openssl req -new -config openssl.cnf -newkey rsa:2048 -out server/SPFW10.req -keyout server/SPFW10.key

SIGN CSR

 openssl ca -config openssl.cnf -days 3650 -out server/SPFW10.crt -in server/SPFW10.req
 openssl ca -config openssl.cnf -days 3650 -out server/SPFW10.crt -in server/SPFW10.req -batch -notext

CREATE intermediary CA

 openssl ca -extensions v3_ca -days 3650 -out test.crt -in test.req  -config openssl.cnf

REVOKE CERT

 openssl ca -config openssl.cnf -revoke certs/ce1aruba0001.ing-americas.com.pem

Misc other commands

 openssl req -config openssl.cnf -new -newkey rsa:2048 -out certs/test.csr -keyout certs/test.key
 openssl ca  -config openssl.cnf -days 3650 -out  certs/test.pem -in  certs/test.csr
 openssl pkcs12 -export -out certs/test.pfx -in certs/test.pem -inkey certs/test.key -name "viaclienttest"

Let's Encrypt

HowTo articles:

 https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7

CA Creation

References

 http://www.phildev.net/ssl/creating_ca.html
 https://langui.sh/2009/01/18/openssl-self-signed-ca/
 http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
 http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
 http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

Cipher Suites used in Browsers

Disabling RC4 ciphers in Firefox

Go to about:config and search for “security.ssl3…..” and select true/false

Disabling RC4 ciphers in Chrome

As for Chrome, current 31.0.1650.57:stable, you will need to launch with:

--cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007

in order to disable the following four ciphers:

 Spec     Cipher Suite Name       Key Size  Description
 (00,04)  RSA-RC4128-MD5          128 Bit   Key exchange: RSA, encryption: RC4, MAC: MD5.
 (00,05)  RSA-RC4128-SHA          128 Bit   Key exchange: RSA, encryption: RC4, MAC: SHA1.
 (c0,07)  ECDHE-ECDSA-RC4128-SHA  128 Bit   Key exchange: ECDH, encryption: RC4, MAC: SHA1.
 (c0,11)  ECDHE-RSA-RC4128-SHA    128 Bit   Key exchange: ECDH, encryption: RC4, MAC: SHA1.

Hash Algorithms

 C:\> certutil -hashfile VMware-vSphere-CLI-5.5.0-1549297.exe [MD5|SHA1|SHA256]

Web Server Implications

Tools

List ciphers supported by a web server

 $ nmap --script ssl-enum-ciphers -p 443 www.example.com
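
To turn that scan into a list of suites that still need disabling, the following added example (not from the original page) filters ssl-enum-ciphers output for RC4, DES/3DES, MD5, NULL, export and anonymous suites and reports the protocol each was offered under. The scan text is constructed sample output, and the function names weak_suites and sample_scan are assumptions.

```shell
#!/bin/sh
# Added example: flag weak suites in `nmap --script ssl-enum-ciphers` output.

# Reads scan output on stdin, prints "<protocol> <suite>" per weak suite.
weak_suites() {
    awk '
        # Protocol header, e.g. "|   TLSv1.2:"
        $2 ~ /^(SSLv|TLSv)[0-9.]+:$/ { proto = $2; sub(/:$/, "", proto); next }
        # Suite lines start with TLS_/SSL_; the bare "NULL" listed under
        # "compressors:" does not, so it is not reported as a cipher.
        $2 ~ /^(TLS|SSL)_/ &&
        $2 ~ /(_RC4_|_3DES_|_DES_|_NULL_|_EXPORT|_anon_|_MD5$)/ { print proto, $2 }
    '
}

# Constructed sample output (not captured from a real host).
sample_scan() {
    cat <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
EOF
}

sample_scan | weak_suites
```

Against a live host, pipe the nmap command above into weak_suites instead of sample_scan; empty output means none of the listed classes were offered.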

Check security of a web server

 https://www.ssllabs.com/ssltest

Disable weak Ciphers

See the "Cipher Suite Names" section in https://www.openssl.org/docs/man1.0.2/apps/ciphers.html for the naming convention of cipher suites

Bluecoat SGOS

Open ssh session and enter enable mode

 ceproxy01#conf t
 Enter configuration commands, one per line.  End with CTRL-Z.
 ceproxy01#(config)management-services
 ceproxy01#(config management-services)edit HTTPS-Console
 ceproxy01#(config HTTPS-Console)view
 Service Name:   HTTPS-Console
 Service:        HTTPS-Console
 Attributes:     <None>
 Keyring: ceproxy01.ing-americas.com
 SSL Protocol version: tlsv1.1 tlsv1.2
 CA Certificate List: <All CA Certificates>
 Cipher Suite: aes128-sha256 aes256-sha256 aes128-sha aes256-sha dhe-rsa-aes128-sha dhe-rsa-aes256-sha
 Destination IP    Port Range
 <All>             8082              Enabled
 ceproxy01#(config HTTPS-Console)attribute cipher-suite  aes128-sha256 aes256-sha256
   ok
 ceproxy01#(config HTTPS-Console)
 snproxy03>enable
 Password:
 snproxy03#conf t
 Enter configuration commands, one per line.  End with CTRL-Z.
 snproxy03#(config)ssh-console
 snproxy03#(config ssh-console)ciphers
 snproxy03#(config ssh-console)ciphers  view
   current:  chacha20-poly1305@openssh.com,aes256-ctr,blowfish-cbc,aes256-gcm@openssh.com,rijndael-cbc@lysator.liu.se,aes256-cbc
   default:  chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,blowfish-cbc,cast128-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour,rijndael-cbc@lysator.liu.se,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
   choices:  chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,blowfish-cbc,cast128-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour,rijndael-cbc@lysator.liu.se,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
 ceproxy01# conf t
 ceproxy01#(config)ssh-console
 ceproxy01#(config ssh-console)hmacs set hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160

Netscaler Load Balancers

General advice https://www.antonvanpelt.com/make-your-netscaler-ssl-vips-more-secure-updated/

Depending on version, different approaches are needed

  • Create/modify SSL cipher suite group and use with vservers
  • Create/modify SSL profile and use with vserver
  • bind/unbind cipher groups to management service
 unbind ssl service nshttps-127.0.0.1-443 -cipherName  SSL3-RC4-MD5
 unbind ssl service nshttps-127.0.0.1-443 -cipherName  SSL3-RC4-SHA
 unbind ssl service nshttps-127.0.0.1-443 -cipherName  SSL3-DES-CBC3-SHA
 
 bind ssl service nshttps-127.0.0.1-443 -cipherName TLS1.2-AES-256-SHA256
 bind ssl service nshttps-127.0.0.1-443 -cipherName TLS1.2-AES-128-SHA256
 bind ssl service nshttps-127.0.0.1-443 -cipherName TLS1.2-DHE-RSA-AES-128-SHA256
 bind ssl service nshttps-127.0.0.1-443 -cipherName TLS1.2-DHE-RSA-AES-256-SHA256

It appears that once cipher customization is performed, a bunch of them show up in ns.conf. At that point one can disable classes of ciphers by issuing e.g.

 unbind ssl service nshttps-127.0.0.1-443 -cipherName SHA
 unbind ssl service nshttps-127.0.0.1-443 -cipherName RC4

To verify, go into a shell and run

 grep nshttp /nsconfig/ns.conf

For SSH hardening, to disable weak ciphers and MACs, edit the sshd_config file and modify or append the lines

 Ciphers aes128-ctr,aes192-ctr,aes256-ctr
 MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Radware DDoS

AppsVision

Disable ciphers

  • open ssh shell as root and modify /etc/httpd/ssl/ssl.conf

Install new cert

  • open ssh shell as radware and run "system ssl import"
  • Notes: needed to create separate .pem files for key and cert

DefensePro

Disable ciphers

  • There's only a generic way to disable weak ciphers:
  • open ssh shell as admin and run
 manage ssl weak-ciphers

Update certificates

  • open ssh shell as admin and run commands like
 security certificate import name_cert.pem -t key -p mypasskey123
 security certificate import name_key.pem  -t certificate

Alteon

  • open ssh shell as admin
  • use menu /cfg/sys/access/https to upload new key&cert, then save the cert, and apply the running config
  • In version 29.0.1, ciphers cannot be disabled for the management interface - pending case update


OpenVPN

Setup tutorial:

 https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04


IPSEC VPN

StrongSwan on Ubuntu

 https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2

WireGuard

 https://www.wireguard.com