Stuff I'm Up To

Technical Ramblings

SSL/TLS as a Server Admin — February 28, 2017

I’m not an encryption expert by any means. I’ve no great understanding of the mathematics involved in the encryption process and the ciphers used. What I do understand is what that means from the point of view of a server admin.

One thing to state right now is that, for a server admin, SSL and TLS are the same thing. TLS is the renamed successor to SSL (TLS 1.0 followed SSL 3.0); the mechanisms and ciphers change with each version, but the concept is the same, and despite the change it’s still mostly referred to as SSL. The one place the distinction matters is configuration: SSL 2.0 and 3.0 are broken and should be switched off on anything you run, so “supporting SSL” today means supporting TLS only.

The basic process of SSL is that in order to engage in a secure conversation between systems, both systems must share a level of trust with a common third party: a certificate authority (CA). The server presents a certificate, and the client accepts it only if that certificate chains to a CA the client already trusts and the name in it matches the host the client meant to reach.

I don’t trust you just because we can encrypt data together; encryption on its own only stops everyone else reading the conversation, it says nothing about who is on the other end. I need to trust you based on a 3rd party we both trust telling me that you are who you say you are.

Updating ADFS Certificates — February 25, 2017

This wasn’t as easy as I thought it was going to be. I expected just to import the new certificate with the MMC Certificates snap-in and then set ADFS to use it in the ADFS Management console by choosing “Set Service Communication Certificate…”. Why would it need to be more difficult than that?

Turns out it is more difficult than that. I tried a few things to get it going with no success. The service starts up just fine, but the website at https://adfs.domain.tld remains down.

I check Event Viewer and sure enough we have some pretty useless errors logged when I try to visit it:

Event ID: 15021, An error occurred while using SSL configuration for endpoint adfs.domain.tld:443. The error status code is contained within the returned data.

Horizon SSL/TLS Ciphers —

After running an SSL scan on our external-facing Horizon Security Server using Qualys’ SSL Labs server test and receiving an A- rating, I wanted to fix that by getting at least an A. But in order to do that I needed to understand what was required to get it there.

The problem I faced was that I was being marked down for not supporting Perfect Forward Secrecy (PFS):

The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-

Forward secrecy means the session key comes from an ephemeral Diffie-Hellman exchange (the DHE and ECDHE suites) rather than being encrypted to the server’s RSA key, so a later compromise of the server’s private key does not let anyone decrypt sessions they recorded earlier. The wording “with the reference browsers” matters: the server may well offer ECDHE suites, but if its preferred order puts plain RSA key exchange first, the browsers Qualys simulates end up negotiating a non-FS suite and the grade is capped.

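
An added example (not code from the original post or from VMware) of the check behind that grade: it feeds cipher strings to the openssl CLI and reports the suites whose key exchange is not ephemeral. The two cipher strings are constructed for the example; the first is the kind of RSA-first order that earns an A-, the second an ECDHE-only order in the sequence a server should prefer.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware: find the suites in
# a cipher string that do not give forward secrecy. FS needs an ephemeral
# (EC)DHE key exchange; a suite with Kx=RSA encrypts the premaster secret to
# the server's long-term key, so anyone who later obtains that key can decrypt
# traffic they recorded earlier. TLS 1.3 suites show Kx=any in openssl's
# listing and are always ephemeral. Requires the openssl CLI; the two cipher
# strings at the bottom are constructed for the example.

# Print, one per line, the suites in cipher string $1 whose key exchange is not
# ephemeral. Returns 2 if openssl rejects the string.
non_fs_ciphers() {
    openssl ciphers "$1" >/dev/null 2>&1 || { echo "invalid cipher string: $1" >&2; return 2; }
    # openssl ciphers -v prints: NAME VERSION Kx=... Au=... Enc=... Mac=...
    openssl ciphers -v "$1" | awk '$3 !~ /^Kx=(ECDH|DH|any)$/ { print $1 }'
}

# Succeed only if every suite in $1 gives forward secrecy.
fs_only() {
    bad=$(non_fs_ciphers "$1") || return 1
    [ -z "$bad" ]
}

# Typical pre-hardening order: static RSA key exchange preferred over ECDHE.
WEAK_LIST='AES128-SHA:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256'
# Ephemeral key exchange only, in the order the server should prefer.
STRONG_LIST='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'

for list in "$WEAK_LIST" "$STRONG_LIST"; do
    if fs_only "$list"; then
        echo "OK    every suite in '$list' gives forward secrecy"
    else
        echo "FAIL  suites without forward secrecy in '$list':"
        non_fs_ciphers "$list" | sed 's/^/        /'
    fi
done
```

The awk column test is what matters: anything whose key exchange is not ECDH, DH or the TLS 1.3 “any” is a suite a recorded session could be decrypted from later. Removing those suites, or at least ordering the ECDHE ones first and enforcing server preference, is what moves the grade.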

VMware Horizon logjam — February 24, 2017
Horizon Updating Certificates —

Updating certificates on the Windows hosts for Connection and Security Servers.

Import the signed SSL server certificate into the Windows local computer certificate store on the Windows Server host.

In the Certificate snap-in, import the server certificate into the Certificates (Local Computer) > Personal > Certificates folder.

Select Mark this key as exportable.

Click Next and click Finish.

For View Connection Server or Security Server, give the new certificate that is replacing the previous one the friendly name ‘vdm’. Only one certificate may carry the friendly name vdm, so rename or remove it on the old certificate first and make sure only the current certificate has it.

Right-click the new certificate and click Properties

On the General tab, in the Friendly name field, type vdm.

Click Apply and click OK.

Teradici PCOIP Management Console — February 23, 2017

When it comes to upgrading the PCoIP Management Console (pcoip-mc), it’s a case of deploying a new OVA file into the VMware estate. This means you have to grab all the settings from your previous console and restore them into the new one.

The backup and restore process isn’t painful at all; it’s all managed in the web GUI. But if, like me, you’ve used your own certificates for the server, you’re going to need to make sure you have the current ones (certificate and private key) handy and in a form you can redeploy to the new one.

MySQL Enterprise — February 22, 2017
MySQL Apt-Get Update Fails —

apt-get update fails because the GPG signing key for the MySQL repository has expired. Note the consequence apt spells out in the warning: the index files are not updated and the old ones are used instead, so the machine quietly stops seeing new packages from that repository until this is fixed.

$ sudo apt-get update

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.mysql.com jessie InRelease: The following signatures were invalid: KEYEXPIRED 1487236823 KEYEXPIRED 1487236823 KEYEXPIRED 1487236823

W: Failed to fetch http://repo.mysql.com/apt/debian/dists/jessie/InRelease

W: Some index files failed to download. They have been ignored, or old ones used instead.

Update the necessary key by adding it to your keystore:

$ sudo apt-key adv --keyserver pgp.mit.edu --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5

Two things worth checking when you do this. A keyserver is a directory, not a trust anchor, so the fingerprint you pass to --recv-keys should come from MySQL’s own repository documentation rather than from a forum post or whatever the keyserver happens to return. And apt-key has since been deprecated: on current Debian and Ubuntu releases the key belongs in its own keyring file, referenced with a signed-by= option in the repository’s sources entry, so that it can only sign that one repository rather than everything apt installs.

References: https://bugs.mysql.com/bug.php?id=85029
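
An added example, not code from the original post: a small triage function that reads apt-get update output and reports which repository has an expired signing key and when it expired. The sample output it runs on is the post’s own warning text, embedded as a constructed input; it assumes a date command that understands @epoch (GNU or busybox).

```shell
#!/bin/sh
# Added example, not from the original post: triage apt-get update output for
# KEYEXPIRED warnings and report which repository is affected and when its key
# expired. The reason to bother is the second warning in the post: apt keeps
# using the OLD index files, so an expired key silently freezes a machine's
# package lists until someone notices. Assumes GNU/busybox date for the epoch
# conversion; the sample output below is the post's, embedded here.

# Reads apt-get update output on stdin. Prints one line per affected repository
# and returns 1 if any expired key was seen, 0 if none.
check_keyexpired() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"GPG error:"*KEYEXPIRED*) ;;
            *) continue ;;
        esac
        found=1
        # "... GPG error: http://repo.mysql.com jessie InRelease: ..." -> "http://repo.mysql.com jessie"
        repo=$(printf '%s\n' "$line" | sed -n 's/.*GPG error: \([^ ]*\) \([^ ]*\) .*/\1 \2/p')
        # first expiry timestamp (apt repeats one per expired signature)
        ts=$(printf '%s\n' "$line" | awk '{ for (i = 1; i < NF; i++) if ($i == "KEYEXPIRED") { print $(i + 1); exit } }')
        when=$(date -u -d "@$ts" '+%Y-%m-%dT%H:%M:%SZ')
        printf '%s: key expired %s\n' "$repo" "$when"
    done
    [ "$found" -eq 0 ]
}

# Constructed input: the warning lines from the post.
SAMPLE='W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.mysql.com jessie InRelease: The following signatures were invalid: KEYEXPIRED 1487236823 KEYEXPIRED 1487236823 KEYEXPIRED 1487236823
W: Failed to fetch http://repo.mysql.com/apt/debian/dists/jessie/InRelease
W: Some index files failed to download. They have been ignored, or old ones used instead.'

# Real use: sudo apt-get update 2>&1 | check_keyexpired
if printf '%s\n' "$SAMPLE" | check_keyexpired; then
    echo "no expired repository keys"
fi
```

Run across a fleet (for example from a config-management report step), the non-zero return is the signal that hosts have stopped receiving updates from a repository, which is easy to miss because apt-get update still exits 0 after these warnings.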

Raspberry Echo – Alexa — February 21, 2017

When the Amazon Echo first came out I was looking at them in earnest, but decided I couldn’t justify the expense for something that I may lose interest in or not really make use of. A friend had an Amazon Echo Dot and, combined with a smart LightwaveRF lighting system in his new apartment, I had to admit it was a very nice feature. But still I held back.

Then I discovered that you could install Alexa onto a Raspberry Pi!

As I have more than a few Raspberry Pi’s and a spare, here or there, left over from upgrading others, I thought I’d give it a go.

Raspbian & Realtek 8192eu WiFi — February 19, 2017

Probably the best way to get Raspbian up and running over Wi-Fi is to use an out-of-the-box supported Wi-Fi adapter. But as things move on, faster Wi-Fi becomes available and not all of the USB adapters are ready to play.

One that I bought recently has a Realtek 8192eu chipset. This is supposed to deliver 300Mbps Wi-Fi, but comes at the price of not being natively supported by Raspbian.

I could go install the build essentials and try to compile the driver myself. But that seems like a lot of work.

So a little digging around and I found it’s pretty straightforward to get going, and it’s not a problem unique to me. Someone else has already built the necessary driver; all I need to do is install it. The trade-off with a prebuilt kernel module is that it runs with full kernel privilege, so take it only from a source you can vouch for, and match it to your exact kernel version or it simply won’t load.

Nessus Certificates — February 16, 2017

In order to get your Nessus server to pass a vulnerability scan (its own scanner, or anyone else’s, will flag the self-signed certificate on the web UI as a finding), you’ll need to replace the original self-signed cert it uses for its web server. It’s easy enough to do.

Generate a CSR and a key for the server. The -nodes option leaves the private key unencrypted, which nessusd needs because it cannot prompt for a passphrase at start-up, so keep the key file’s permissions tight:

$ openssl req -out nessus.csr -new -newkey rsa:2048 -nodes -keyout nessus.key

Open the CSR and use it to get a certificate from your CA.

Whilst you’re there grab a copy of your CA’s certificate (the CA certificate itself, not just its public key). If your CA signs from an intermediate rather than the root, you’ll need the intermediate certificate too, since clients that only trust the root can’t build the chain without it.

Once you have the certificate (Base64/PEM format) set about copying the key, CA certificate and your new server certificate to where they need to go.

Backup the following files first:

  • /opt/nessus/var/nessus/CA/serverkey.pem
  • /opt/nessus/com/nessus/CA/servercert.pem
  • /opt/nessus/com/nessus/CA/cacert.pem

Then replace them with your new key and pem files from your CA and restart the nessus service.

$ sudo cp ~/nessus.key /opt/nessus/var/nessus/CA/serverkey.pem
$ sudo cp ~/nessus.pem /opt/nessus/com/nessus/CA/servercert.pem
$ sudo cp ~/ca.pem /opt/nessus/com/nessus/CA/cacert.pem
$ sudo service nessusd restart
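
This added example covers two things at once: the trust model from the SSL/TLS post above (a client trusts you only because a CA it already trusts vouches for you, and only for the name it connected to), and the checks worth running before copying anything into /opt/nessus. It is not code from the original post or from Tenable. It builds a throwaway CA and a second, unrelated CA, issues a certificate from a CSR made exactly as in the step above, and then checks that the key matches the certificate, that the certificate chains to the trusted CA and not the other one, and that the host name is right. The names Trusted Root, Other Root and nessus.example.net are invented; the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not from the original post or from Tenable: build a throwaway
# CA, issue a server certificate from a CSR made like the Nessus step, and run
# the checks worth doing before copying anything into /opt/nessus/.../CA.
# All names (Trusted Root, Other Root, nessus.example.net) are made up.
# Requires the openssl CLI. $WORK is left in place for inspection.
WORK=$(mktemp -d)

# Two unrelated roots: clients will trust ca1 only.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Trusted Root' \
    -keyout "$WORK/ca1.key" -out "$WORK/ca1.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Other Root' \
    -keyout "$WORK/ca2.key" -out "$WORK/ca2.pem" 2>/dev/null

# Server key + CSR, as in the post (unencrypted key because nessusd cannot prompt).
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=nessus.example.net' \
    -keyout "$WORK/nessus.key" -out "$WORK/nessus.csr" 2>/dev/null
# The trusted CA signs it; a SAN is added because clients match on SAN, not CN.
printf 'subjectAltName=DNS:nessus.example.net\n' > "$WORK/san.cnf"
openssl x509 -req -days 30 -in "$WORK/nessus.csr" -CA "$WORK/ca1.pem" -CAkey "$WORK/ca1.key" \
    -CAcreateserial -extfile "$WORK/san.cnf" -out "$WORK/nessus.pem" 2>/dev/null

# 1. Does this private key belong to this certificate? (compare the public keys)
key_matches_cert() {   # key_matches_cert <key.pem> <cert.pem>
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
# 2. Does the certificate chain to the CA the client trusts?
chain_ok() {           # chain_ok <ca bundle> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# 3. ...and is it issued for the host name the client will connect to?
name_ok() {            # name_ok <ca bundle> <cert.pem> <hostname>
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

report() { if "$@"; then echo "PASS  $*"; else echo "FAIL  $*"; fi; }
report key_matches_cert "$WORK/nessus.key" "$WORK/nessus.pem"
report key_matches_cert "$WORK/ca1.key"    "$WORK/nessus.pem"   # wrong key: FAIL
report chain_ok "$WORK/ca1.pem" "$WORK/nessus.pem"
report chain_ok "$WORK/ca2.pem" "$WORK/nessus.pem"              # untrusted CA: FAIL
report name_ok  "$WORK/ca1.pem" "$WORK/nessus.pem" nessus.example.net
report name_ok  "$WORK/ca1.pem" "$WORK/nessus.pem" scanner.example.net   # wrong host: FAIL
```

The second chain check is the whole SSL/TLS point in one line: the certificate is perfectly valid, signed and unexpired, and still rejected, because Other Root is not a third party the client trusts. Run the same three checks against your real nessus.key, nessus.pem and ca.pem before the cp commands above, and after copying restrict serverkey.pem to the user nessusd runs as (mode 600), since the key is stored unencrypted. The throwaway roots rely on the stock openssl.cnf marking `req -x509` output as a CA, which current OpenSSL releases do by default.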

References: https://docs.tenable.com/nessus/6_5/Content/9_Additional_Resources/9_8_Custom_SSL_Certificates.htm

Strong Ciphers —