Showing posts with label ssl. Show all posts

Friday, 25 March 2016

How to make Firefox more secure in a few clicks

I've been messing a lot with cipher suites lately, and something I always do in my Firefox browsers is turn off all the non-forward-secrecy ciphers.

What forward secrecy does is use a second, temporary key agreement for each connection, so the session keys are never derivable from the private key behind your server's certificate. Even if the bad guys obtain that private key at a later date, the traffic they captured earlier is still protected by that other layer. If you don't use forward secrecy and they capture your data and later find the private key, it's easy to decrypt: Wireshark will do it on the fly once it is given the key.

So in Firefox

type about:config in the address bar



It will bring up a warning saying be careful. Click through to confirm that you know what you are doing.

In the search box below the address bar type ssl. Look at the bottom of the list and find the entries that start with security.ssl3.rsa; double-clicking each one changes it from true to false. You should also disable anything that mentions rc4. The ones that have dhe are good, the ones that have ecdhe are better, and the ones that have chacha20 are best, but not everything supports them.
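As an added example (not part of the original post), here is a small Python helper that applies the ranking above to a list of security.ssl3.* preference names and produces user.js lines that disable the ones without forward secrecy. The sample pref names are constructed to follow the security.ssl3.<key exchange>_<cipher> naming pattern Firefox uses; the exact set of prefs changes between releases, so check them against what your own about:config lists.

```python
import re

# Firefox cipher-suite prefs look like security.ssl3.<key exchange>_<cipher>,
# e.g. security.ssl3.ecdhe_rsa_aes_128_gcm_sha256. The key-exchange part tells
# you whether the suite has forward secrecy: static RSA does not, DHE/ECDHE do.
PREF_RE = re.compile(
    r"^security\.ssl3\.(?P<kx>rsa|dhe_[a-z]+|ecdhe_[a-z]+)_(?P<cipher>[a-z0-9_]+)$"
)


def classify(pref):
    """Rank a pref the way the post does: 'disable' (RSA key exchange or RC4),
    'good' (DHE), 'better' (ECDHE), 'best' (ChaCha20), or 'unknown'."""
    m = PREF_RE.match(pref)
    if not m:
        return "unknown"
    kx, cipher = m.group("kx"), m.group("cipher")
    if "rc4" in cipher:
        return "disable"          # RC4 is broken regardless of key exchange
    if kx == "rsa":
        return "disable"          # static RSA key exchange: no forward secrecy
    if "chacha20" in cipher:
        return "best"
    if kx.startswith("ecdhe"):
        return "better"
    return "good"                 # dhe_* suites


def user_js_lines(prefs):
    """Given {pref name: currently enabled}, return user.js lines that turn off
    every enabled suite ranked 'disable'. Drop them into user.js in your
    Firefox profile, or flip the same prefs by hand in about:config."""
    return [
        'user_pref("%s", false);' % name
        for name, enabled in sorted(prefs.items())
        if enabled and classify(name) == "disable"
    ]


def summary(prefs):
    """Count enabled prefs per rank, so you can see what is left after the change."""
    counts = {}
    for name, enabled in prefs.items():
        if enabled:
            rank = classify(name)
            counts[rank] = counts.get(rank, 0) + 1
    return counts


# Constructed sample of about:config state (names follow the real pattern but
# are not a dump of any particular Firefox version).
SAMPLE_PREFS = {
    "security.ssl3.rsa_aes_128_sha": True,
    "security.ssl3.rsa_aes_256_sha": True,
    "security.ssl3.rsa_rc4_128_sha": True,
    "security.ssl3.ecdhe_rsa_rc4_128_sha": True,
    "security.ssl3.dhe_rsa_aes_128_sha": True,
    "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": True,
    "security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256": True,
    "security.ssl.require_safe_negotiation": True,   # not a suite pref; ignored
}

if __name__ == "__main__":
    for line in user_js_lines(SAMPLE_PREFS):
        print(line)
    print(summary(SAMPLE_PREFS))
```

Running it on the sample prints four user_pref lines (the two static-RSA AES suites and both RC4 suites) and leaves one DHE, one ECDHE and one ChaCha20 suite enabled, which is the end state the post describes.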




Try your websites, and you might need to re-enable some if, say, your bank doesn't work. Alternatively, run your bank against this site

https://www.htbridge.com/ssl/

and let them know if they don't get a good score.

Thursday, 16 January 2014

Certificates on Windows, AD CA etc

This relates mainly to older servers, since CAs now require 2048-bit keys and I kept running into a default of 1024 that I couldn't change.

This is ripped from another blog (thanks rrustean.blogspot.com)

snip

create a file called c:\cert.inf with the following content:

[NewRequest]
Subject = "CN=www.mydomain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048


Now run the following:

certreq -new cert.inf outfile.req

Now just cut and paste the contents of outfile.req into the GeoTrust QuickSSL Premium enrollment page and away you go.

snip

But that only goes halfway.

To complete things for me (loading a certificate into IIS) I had to change the cert.inf file:

[NewRequest]
Subject = "CN=www.mydomain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048

Exportable = TRUE

The certificate (and its private key) is created under the current user, and you need to export it and import it into the machine account before IIS can use it.

Import the cert from the provider into your current user store. Now you should be able to export it with its private key and import it into the local machine account, where IIS etc. can see it.
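Added example (mine, not from this post or from rrustean.blogspot.com): a small Python lint for a certreq INF that flags the two things that bit the author, a key length below 2048 and a key that cannot be moved into the machine store. The INF samples are constructed copies of the two versions above. It also accepts MachineKeySet = TRUE, a certreq option the post does not use, which generates the key directly in the machine store and so avoids the export/import step.

```python
import configparser

# Constructed samples: the INF as first posted (fine for the CSR, but the key
# ends up non-exportable in the current-user store) and the amended version.
INF_ORIGINAL = """[NewRequest]
Subject = "CN=www.mydomain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048
"""

INF_FIXED = """[NewRequest]
Subject = "CN=www.mydomain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048
Exportable = TRUE
"""


def parse_inf(text):
    """Parse a certreq INF. Keys are case-insensitive, so normalise to lower case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str.lower
    cp.read_string(text)
    return cp


def lint_certreq_inf(text, min_key_length=2048):
    """Return a list of findings; an empty list means the INF passes the checks."""
    cp = parse_inf(text)
    if not cp.has_section("NewRequest"):
        return ["missing [NewRequest] section"]
    sec = cp["NewRequest"]
    findings = []

    # The post kept hitting a 1024-bit default it could not change, so a
    # missing KeyLength is treated as 1024 and flagged rather than passed.
    key_length = int(sec.get("keylength", "1024"))
    if key_length < min_key_length:
        findings.append("KeyLength %d is below %d; CAs now require at least %d"
                        % (key_length, min_key_length, min_key_length))

    subject = sec.get("subject", "").strip('"')
    if "CN=" not in subject:
        findings.append("Subject has no CN= component")

    exportable = sec.get("exportable", "FALSE").upper() == "TRUE"
    machine_key = sec.get("machinekeyset", "FALSE").upper() == "TRUE"
    if not exportable and not machine_key:
        findings.append("key is not Exportable and MachineKeySet is not set; "
                        "IIS will not be able to use it from the current-user store")
    return findings


if __name__ == "__main__":
    for label, inf in (("original", INF_ORIGINAL), ("fixed", INF_FIXED)):
        print(label, lint_certreq_inf(inf) or "OK")
```

The original INF produces one finding (the missing Exportable), the amended one produces none, and dropping KeyLength to 1024 in either version adds the key-length finding.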

Tuesday, 10 September 2013

Cisco IOS certificate handling

This is primarily for SSL VPN type stuff, first off.

I use startssl.com for certs etc. They're great: they're free for the common stuff and browsers recognise them. All in all they rock. Thanks startssl.com.

Importing the cert so I can use it on the router seems simple, but there are some gotchas.

StartSSL gives you a private key..

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,32C45D65DFE1A50C983B5F75F341764D

yeahrightlikeimgoingtogiveyoumykey

-----END RSA PRIVATE KEY-----

and a certificate (your public key)

-----BEGIN CERTIFICATE-----
MIIGXjCCBUagAwIBAgIDC+X4MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
...
bZB1pUEw1HLbbuN66szP7jyua2YWbKm+Q2kdi9lOGFado4n1ka3Evc7N6e9gvKrk
ADc=
-----END CERTIFICATE-----


First gotcha: all the guides I've seen are old and say

crypto ca import

Most newer IOS releases use instead

crypto pki

Second big gotcha: IOS doesn't do AES. Look at the third line of the private key above: the DEK-Info header says AES, so we need to convert that.

It's easy if you have a Mac or a Linux box. With Windows you need to install OpenSSL.

Save your private key on your Desktop as oldkey.pem, open the terminal and type the following (it prompts for the existing passphrase, then for a new one to protect the DES3 copy):

openssl rsa -in Desktop/oldkey.pem -out Desktop/newkey.pem -des3

Open the newkey.pem file and your certificate, and download the CA certificate for your provider. They'll have a link in their FAQs etc.

Log into the router, enable, and go to config t.

To be continued


Monday, 22 September 2008

OSX server (Postfix) and certificates...

Well, we got a certificate from Thawte for this site, and it worked fine for https and imaps but kept failing for smtps.

The log kept saying it can't read the .crt file in /etc/certificates/.

It was not a permissions problem. So I tried converting the file to PEM etc., but still no joy.

In the end the problem was the .key file, which is DES-encrypted under a passphrase. So to get OSX Server to work with smtps (and possibly other Postfix installs) you need to remove the passphrase and encryption, leaving the key exposed.

openssl rsa -in file.key -out outfile.key

will remove the DES encryption, but you need to make the permissions tight, tight, tight on that file.
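Added example covering both this post and the Cisco IOS post above (my code, not from either post): a Python helper that reads the PEM envelope of a private key and reports whether it is passphrase-encrypted and with which cipher. That tells you, before touching a router or mail server, whether the key is AES-encrypted and needs the openssl rsa -des3 conversion for IOS, or has been stripped of its passphrase for Postfix and so must be locked down to its owner. The PEM blocks are constructed samples with fake bodies; the Proc-Type and DEK-Info headers are the standard ones OpenSSL writes.

```python
import os
import stat


def pem_key_info(pem_text):
    """Inspect a PEM private key's envelope. Returns a dict with
    kind: 'pkcs1' (BEGIN RSA PRIVATE KEY), 'pkcs8' (BEGIN PRIVATE KEY),
          'pkcs8-encrypted' (BEGIN ENCRYPTED PRIVATE KEY) or 'other'
    encrypted: whether a passphrase is needed to use it
    algorithm: cipher named in the DEK-Info header (PKCS#1 only), else None."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM block")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    kind = {
        "RSA PRIVATE KEY": "pkcs1",
        "PRIVATE KEY": "pkcs8",
        "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    }.get(label, "other")

    # Traditional OpenSSL encryption adds RFC 1421 style headers before the
    # base64 body, separated from it by a blank line; the body has no colons.
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()

    dek = headers.get("DEK-Info")
    algorithm = dek.split(",")[0].strip() if dek else None
    encrypted = (kind == "pkcs8-encrypted" or dek is not None
                 or "ENCRYPTED" in headers.get("Proc-Type", ""))
    return {"kind": kind, "encrypted": encrypted, "algorithm": algorithm}


def needs_des3_for_ios(info):
    """The Cisco post found IOS would not import an AES-encrypted PEM key; any
    AES variant in DEK-Info is treated as needing the openssl rsa -des3 step."""
    return info["encrypted"] and (info["algorithm"] or "").upper().startswith("AES")


def permissions_ok(mode):
    """A key with no passphrase must be readable only by its owner: no
    group or other bits at all (0600 or 0400)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_key_file(path):
    """Combine both checks for a key file on disk (POSIX mode bits assumed).
    Encrypted keys pass the permission check; the passphrase is their protection."""
    with open(path) as fh:
        info = pem_key_info(fh.read())
    info["needs_des3_for_ios"] = needs_des3_for_ios(info)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    info["permissions_ok"] = info["encrypted"] or permissions_ok(mode)
    return info


# Constructed samples (bodies are not real key material, IVs are made up).
SAMPLE_AES_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

bm90LWEtcmVhbC1rZXk=
-----END RSA PRIVATE KEY-----
"""

SAMPLE_DES3_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0011223344556677

bm90LWEtcmVhbC1rZXk=
-----END RSA PRIVATE KEY-----
"""

SAMPLE_PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
bm90LWEtcmVhbC1rZXk=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in (("aes", SAMPLE_AES_KEY), ("des3", SAMPLE_DES3_KEY),
                       ("plain", SAMPLE_PLAIN_KEY)):
        info = pem_key_info(text)
        print(name, info, "needs -des3 for IOS:", needs_des3_for_ios(info))
```

For a real file, check_key_file("/etc/certificates/outfile.key") (path assumed, after the conversion above) reports an unencrypted key with permissions_ok False until you chmod it to 0600; the AES sample is the shape of the StartSSL key in the Cisco post and is the one flagged for conversion.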

Hope this saves someone some time...

