Browsing articles tagged with "tls" - Admins Goodies
Nov 2, 2013
tom

SSLCipherSuite – disable weak encryption, cbc cipher and md5 based algorithm

A developer recently ran a PCI Scan with TripWire against our LAMP server. They identified several issues and instructed the following to correct the issues:
Problem: SSL Server Supports Weak Encryption for SSLv3, TLSv1
Solution: Add the following rule to httpd.conf: SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Problem: SSL Server Supports CBC Ciphers for SSLv3, TLSv1
Solution: Disable any cipher suites using CBC ciphers
Problem: SSL Server Supports Weak MAC Algorithm for SSLv3, TLSv1
Solution: Disable any cipher suites […]

Oct 15, 2012
tom

CentOS openLDAP cert trust issues

# LDAPTLS_CACERTDIR=/etc/ssl/certs/ ldapwhoami -x -ZZ -H ldaps://ldap.domain.tld
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
# openssl s_client -connect ldap.domain.tld:636 -CApath /etc/ssl/certs
<… successful tls negotiation stuff …>
Compression: 1 (zlib compression)
Start Time: 1349994779
Timeout : 300 (sec)
Verify return code: 0 (ok)
So openssl seems to think the certificate is fine, but openldap's libraries (pam_ldap exhibits similar behavior, which is […]

Sep 30, 2012
tom

Disable all but RC4 in apache

Our PCI compliance vendor requires that we disable all but RC4 encryption on our web server. Currently our apache config file looks like this:
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC:!aNull:!eNull:!LOW:!SSLv2
However, https://www.ssllabs.com reports the following ciphers are allowed:
TLS_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
How can I configure apache to only allow RC4?
Asked by Daniel
Turns out it was pretty easy. The "High" option in my original question was including the other ciphers. By reducing it to […]

Aug 13, 2012
tom

Does SSL encrypt the IP

I am building a personal server. I want to be able to access this server from anywhere, and I don’t want this server to get blocked. It is my understanding that HTTPS encrypts my traffic, but I also heard that it doesn’t completely encrypt it. I heard that if you go to a website with a domain, a DNS look-up is performed without encryption, and therefore an ISP could figure out which domain my personal […]

May 15, 2012
tom

Disable SMTP AUTH on Port 25

Due to PCI-DSS, we are required to disable plaintext authentication. We’ve achieved this by encapsulating communications between our mail server and clients with TLS on port 465. The problem lies in that port 25 must remain open and unencrypted for us to receive email from the internet, but should not allow authentication. I’ve tried disabling the AUTH command, but that breaks authentication on port 465, too. Is there a mail server or proxy that will […]

Apr 26, 2012
tom

SASL PLAIN authentication failed: another step is needed in authentication

I have one host (rhea) where I have installed a postfix to relay the emails from my home server (tronics24), which is on a DSL connection. I have generated self-signed certificates:
(on rhea)
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv […]

Apr 14, 2012
tom

sasl and tls with dns load balancing

I am using DNS load balancing on my CentOS 5 server. The mail sent to the load balancer server is balanced by sending it to 4 more servers, which then pass the mail on to its destinations in the network. The mail is generated by a PHP script which gives all the mail to the load balancer server. Now I want SASL and TLS authentication on the load balancer server so that I can prevent the mail server […]

Apr 13, 2012
tom

obtaining nimbuzz server certificate for nmdecrypt expert in NetMon

I'm using Network Monitor 3.4 with the nmdecrypt expert. I'm opening a nimbuzz conversation node in the conversation window and I click Expert -> nmDecrypt -> Run Expert, which brings up a window where I have to add the server certificate. I am not sure how to retrieve the server certificate for the nimbuzz XMPP chat service. Any idea how to do this? This question is a follow-up to this one.
Asked by lurscher
Unless […]

Mar 4, 2012
tom

Postfix: Allow unauthenticated incoming mail, but only authenticated outgoing mail?

I'm new to the world of mail servers and have been working on setting up my own via Postfix on Ubuntu 11.10. So far, I have SASL authentication working over TLS, so that's good; I'm worrying about security now. In short: I want Postfix to accept all unauthenticated incoming mail, but only allow authenticated outgoing mail. This also makes me wonder: if I have STARTTLS and TLS support on ports 465 and 587, do I […]

Jan 23, 2012
tom

ProFTPD – Failed to retrieve directory listing while using TLS

I have a problem with my ProFTPD server. When I try to connect to the server using TLS, I get a timeout after the MLSD command. It only happens when I use TLS; without it, it works perfectly. I checked these logs:
proftpd.log – USER xxx: Login successful.
tls.log – TLSv1/SSLv3 connection accepted … Protection set to Private
Where could the problem be, please? I can provide more information, just ask for it in the comments. EDIT: Today I […]
