Skip to content

Entries tagged "ssl".

SSL Certificate for Lighttpd HOWTO

When your customer enters your website they do not want to make their passwords / credit card information to be visible for everyone (sniffing local network or one of routers in the way). That's why SSL (Secure Socket Layer) was born. Is simple words it wraps HTTP connection in a secure tunnel.

Another story is man-in-the-middle attack possibility or faking DNS servers response. You (as customer opening the webpage) should ensure that you are connecting to website you intended to (fake bank websites are big risk for your money, so it's important). That's why certification is closely bundled with connection encryption.

I'll show you how obtain and install SSL certificate under Lighttpd web server to make your website more trustworthy for your customers.

Fitrst, create directory structure that will make organisation easier:

# mkdir -p /etc/lighttpd/ssl/domain.com
# cd /etc/lighttpd/ssl/domain.com

Create server key (you will be prompted for a password) and CSR (Certificate Signing Request) that will be used for certification creation in one step:

# openssl req -newkey rsa:2048 -keyout domain.com.key -out domain.com.csr

Remove attached password (I do not want to have to pass the password on server restart):

# openssl rsa -in domain.com.key -out domain.com.nopass.key

Then, pass generated domain.com.csr to your SSL certificate provider. You will have to prove you own the domain (an email will be sent to root@domain.com with special URL). After succesfull verification certificate is created. Place (paste) this certificate inside /etc/lighttpd/ssl/domain.com.crt file.

Then you have to create pem file (not sure why it's organised that way):

# cat domain.com.nopass.key domain.com.crt > domain.com.pem

Then you have to tell Lighttpd to handle SSL traffic for given IP address and port:

$SERVER["socket"] == "IP-ADDRESS-HERE:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/domain.com/domain.com.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/domain.com/domain.com.crt"
}

First note: for SSL traffic you have to specify IP address, not domain name. SSL handshake is done BEFORE headers are sent to server, so name based virtual hosts are not possible (certificates must be checked first).

Second note: if you use the same domain for HTTP and HTTPS traffic don't have to specify server.document-root and other domain-related parameters. They will be borrowed from:

$HTTP["host"] = "domain.com" {
(...)

(plain HTTP) section.

Now browser redirected to https://domain.com should show you your web-application without warnings.

Happy SSL-ing!

"Secure Connection Failed" on https://forum.hibernate.org

Oops! Someone forgot to renew a SSL certificate :-)

HTTP(S) exchange analysis using Wireshark

Wireshark is a tool that allows to scan network packets and make analysis of network connection without direct access to server or client. Today we will show simple method to analyse TCP connections using this tool.

TCP connection is composed of many IP packets, connected by common strem index number. You can select particular TCP stream using Analyze / Follow TCP stream option or directly select given stream by it's index: tcp.stream eq 9 If you want track every opened connection you can check 1st packet of every TCP stream opened to particular server IP (213.75.34.114 in our example): tcp.flags.syn==1 and tcp.flags.ack==0 and ip.dst == 213.75.34.114 Note that with HTTP/1.1 things may be more complicated as this protocol supports "Persistent/Keep Alive" mode that allows multiple requests over one connection, so you may see only one packet with "tcp.flags.syn==1 and tcp.flags.ack==0". In order to scan full exchange you have to analyse protocol contents for request / response pairs.

Another complication is HTTPS (HTTP over SSL layer) - you won't be able even to count requests (if using "Keep Alive" mode). In this scenario you have to check traffic after HTTPS node or just inspect server logs.

Self-signed SSL certificate HOWTO

logo_sslSSL is used for (1) encrypting HTTP traffic and for (2) authentication server against browser's database of trusted certificates. Generating SSL certificate properly is important if you want your customer to use https properly. It costs few bugs per year, but your customers won't have any warnings in browser before SSL session (purpose number 2).

However, for internal applications, self-signed certificate may be a sufficient solution (purpose 1 only). You will find below a minimal commands to generate local SSL certificate (accept default values when asked for data on stdin): mkdir -p /etc/lighttpd/ssl/local cd /etc/lighttpd/ssl/local openssl genrsa -passout pass:1234 -des3 -out server.key 1024 openssl req -passin pass:1234 -new -key server.key -out server.csr cp server.key server.key.org openssl rsa -passin pass:1234 -in server.key.org -out server.key openssl x509 -req -in server.csr -signkey server.key -out server.crt cat server.key server.crt > server.pem Then lighttpd installation: $SERVER["socket"] == "<YOUR_IP_ADDRESS>:443" { ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/ssl/local/server.pem" ssl.ca-file = "/etc/lighttpd/ssl/local/server.crt" } Then you have to accept server certificate in your browser and voila!

Easy SSLv3 "poodle" vulnerability test (and the fix for Jboss/Tomcat)

430Recently new vulnerability ("poodle") has been discovered in SSLv3 protocol. "man in the middle" attack could be performed using protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 then exploit the "poodle" vulnerability.

In order to remove the threat from our servers we have to drop SSLv3 from negotiation list. Secured server should respond as follows: $ echo | openssl s_client -connect 192.168.1.100:80 -ssl3 2>&1 | grep Secure Secure Renegotiation IS NOT supported $ echo | openssl s_client -connect 192.168.1.100:80 -tls1 2>&1 | grep Secure Secure Renegotiation IS supported We use openssl command to open HTTPS connection and check if requested protocol could be negotiated or not.

And the fix itself (for JBoss/Tomcat service): you have to locate Connector tag responsilble for HTTPS connection and:

  • remove any SSL_* from ciphers attribute
  • limit sslProtocols="TLSv1, TLSv1.1, TLSv1.2"

Example: <Connector port="80" protocol="HTTP/1.1" SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" maxThreads="100" scheme="https" secure="true" minSpareThreads="25" maxSpareThreads="50" keystoreFile="${jboss.server.home.dir}/conf/tm.keystore" keystorePass="MyKeyStore1" clientAuth="false" sslProtocols="TLSv1, TLSv1.1, TLSv1.2" /> It will effectively block any SSLv3 connections as visible by "openssl s_client" test above.

ssls.com review

Sometimes you need to provide encrypted traffic to your site. Besides proper configuration in web server you need to authenticate your server using some publicly trusted certificates, so your customer's browser won't show warnings about untrusted site.

One of the cheapest SSL certificate solution is ssls.com. Let's check their price for 3 year lease:

694I used to pay $10 per year in the past for ComodoSSL certificates, this offer seems to cut the usual price in half. Sounds unrealistic? Let's check it!

First step is to add your purchase to the basket:

695Then you need to select payment method:

696And you proceed to account registration and the payment itself. When you complete payment you can see the following message:

697You need to:

  • pass your CSR file (I've already mentioned how to create that file)
  • then confirm you are the owner of the domain (typically by responding to special e-mail sent to administering contact of the domain)
  • and finally install you new *.crt key in the web server
  • use https://www.sslshopper.com/ssl-checker.html to check if your domain SSL config is OK

If you hit the following warning from SSL checker:

698You need to install COMODORSADomainValidationSecureServerCA.crt as ssl.ca-file (SSLCertificateChainFile). After web server restart you should see the following picture:

699And finally, manual browser test, just use https:// for your connection. Should be 100% green now.