Stuff I'm Up To

Technical Ramblings

SSL 64-bit Block Size Cipher Suites Supported (SWEET32) — January 20, 2017

Nessus reports a vulnerability because of 64-bit block size cipher suites, along with "SSL Medium Strength Cipher Suites Supported" (even though it shows up as strong). On Windows this requires the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA to be disabled.

I found that adding the cipher suite to the registry didn’t work as expected. Then I found a reference that says it’s a different key based on the version of Windows. So I added both to our registry file to handle disabling it regardless.

Using NMAP for SSL/TLS Testing

NMAP is a great tool for port monitoring, but it also has some scripting features that are really handy for finding weaknesses in your SSL/TLS deployments.

You can find out details about certificates and ciphers by using the default supplied scripts.

You can use ls -l /usr/share/nmap/scripts to list what scripts are available.

Windows Proxy Fun & Games

PacketFence Join Domain — January 18, 2017

This has caused me a lot of frustration this morning. The new version of PacketFence (v6.4) doesn’t like the externally configured domain configuration that I was forced to use when I first set things up.

I couldn’t get PacketFence to join the domain, so I edited the configuration files so it was already joined to the domain. This isn’t how 6.4 works, and you then have to run a script to migrate the external settings into the PacketFence database configuration.

PacketFence Upgrade

Running the upgrade for packetfence from version 6.21 to 6.40 caused an issue during the process as freeradius failed to update.

dpkg: error processing package packetfence (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 freeradius-ldap
 freeradius-mysql
 freeradius-rest
 freeradius-redis
 packetfence
E: Sub-process /usr/bin/dpkg returned an error code (1)

This required a few changes to the freeradius install process to get it to work.

Linux WMI Client — January 13, 2017

I’m trying to gather some inventory data from our Windows Servers and thought I’d try to do this from a Linux environment. There is a WMI client for Linux, but it doesn’t seem to be in active development. It looks like you have to compile it yourself.

So I downloaded it and tried to compile it on my Debian system and it failed with an error:

cd Samba/source ; \
        cp bin/winexe ../../bin ; \
        cp bin/wmic ../../bin ; \
        cp bin/shared/*async_wmi_lib.so.0* ../../lib/python
cp: cannot stat ‘bin/winexe’: No such file or directory
cp: cannot stat ‘bin/wmic’: No such file or directory
cp: cannot stat ‘bin/shared/*async_wmi_lib.so.0*’: No such file or directory
make: *** [pywmi-installed] Error 1

Bit of a Google returns the necessary fix.

Try adding compiler option -ffreestanding. It worked for me with Ubuntu 14.04 LTS.

make "CPP=gcc -E -ffreestanding"

References

https://www.aldeid.com/wiki/Wmic-linux

http://askubuntu.com/questions/473523/installing-wmic-on-ubuntu-server-12-04-lts

VMware Horizon Infrastructure Upgrade — January 4, 2017

Upgrading VMware Horizon is going to be a fun task for the weekend. It means upgrading 3 connection servers, a security server, the vcenter server and the composer server. This is all so we can disable SSLv3 on the ESXi hosts they all run on.

Migration was originally planned from 5.3 to 6.2, as this is the earliest version that resolves the SSLv3 problem. But if we’re going to have to upgrade, why not go all the way to v7?
