Stuff I'm Up To

Technical Ramblings

OpenVPN Create User Keys — March 3, 2017

OpenVPN Create User Keys

As I’d forgotten how to create a new OpenVPN user (it’s not something I do every day), I thought I’d put a reminder of the process here.

To get a private key and a signed public key the easiest way is to use the Easy-RSA program that came with openvpn. Change to the directory, set the variables and run the script like this:

$ cd /etc/openvpn/easy-rsa
$ sudo -s
# source ./vars
# ./build-key-pass [USERNAME]

(source is a shell builtin, so it can’t be run through sudo; open a root shell first so that the variables from vars are visible to build-key-pass.)

This creates the private key and CSR, signs the CSR with the local CA, and writes the resulting key and certificate to /etc/openvpn/easy-rsa/keys.

I then wrote a script that turns the key and certificate into a single .ovpn file I can just give to the user along with the key password.
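One way to assemble that single .ovpn from the Easy-RSA output, as an added example rather than the author’s own script: the server name, port and key directory are assumptions, and the user key is expected to be the passphrase-protected one build-key-pass produces.

```shell
#!/bin/sh
# Added example (not the author's script): bundle the Easy-RSA output for one
# user into a single inline .ovpn profile. Assumptions: server name, port and
# key directory are placeholders supplied by the caller; the user key was made
# with build-key-pass and is therefore passphrase-protected.

# Easy-RSA 2 .crt files carry a human-readable dump before the PEM block;
# keep only the BEGIN..END section so the profile contains clean PEM.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# build_ovpn USER KEYDIR SERVER PORT -> writes the profile to stdout, returns 1 on a problem
build_ovpn() {
    user="$1"; keydir="$2"; server="$3"; port="$4"
    for f in "$keydir/ca.crt" "$keydir/$user.crt" "$keydir/$user.key"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    # Refuse to ship a profile whose private key is unencrypted: the point of
    # build-key-pass is that the file alone is not enough to connect.
    if ! grep -q 'ENCRYPTED' "$keydir/$user.key"; then
        echo "build_ovpn: $user.key is not passphrase-protected" >&2; return 1
    fi
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
askpass
verb 3
<ca>
$(pem_only "$keydir/ca.crt")
</ca>
<cert>
$(pem_only "$keydir/$user.crt")
</cert>
<key>
$(pem_only "$keydir/$user.key")
</key>
EOF
}
```

Usage with the default key directory from the post: `build_ovpn alice /etc/openvpn/easy-rsa/keys vpn.example.com 1194 > alice.ovpn`; the user is then prompted for the key passphrase on connect.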

Continue reading

Diving Deeper into Windows SSL — March 2, 2017

Diving Deeper into Windows SSL

This response to a forum question caught my interest, so I went and investigated the keys and values on my own machine. The same settings can be controlled using gpedit.msc, but I found it interesting to see the current entries for myself.

HKLM\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 Functions

While not “incorrect” Steven’s answer is incomplete.

The linked article is a very good description for how to enable and disable cipher suites like SSL 2.0 etc, but SH’s pen test comments posted are also concerned about the mode of operation of the ciphers used – specifically about removing the use of CBC (Cipher Block Chaining) and using Counter (CTR) or Galois Counter (GCM). This is not fully covered in that answer.

In order to direct how the transport security is negotiated in this more granular level, they will also need to look at the content and ordering of the Functions list. This controls the preferred order and what is acceptable when the transport security is negotiated between server/webserver and client/browser.

HKLM\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 Functions

Removal of CBC modes of operation from the list would prevent their successful negotiation, but removal of all CBC is likely to have negative impact. Adjusting this list must be done with great care as misconfiguration will prevent successful connections. Support for modern modes of block cipher operation such as e.g. AES-GCM are still not completely widespread (March 2016) in all clients/browsers and OS versions.

As with much of crypto, what might be appropriate for state top-secrets and what might be appropriate for information of very low confidentiality won’t always be the same. A balanced approach for information assurance is needed depending on the categorization of the specific information and not an approach like CBC is “bad” GCM is “good”.

S.H. should probably return to his/her pen testers to discuss whether their specific use of CBC modes may be acceptable for a while longer until GCM is better adopted, before testing any adjustments to the Functions list.

Tuesday, March 08, 2016 9:46 AM, Tom Hollinghurst


References: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a51f9574-73b0-4808-ad5f-4db081d80e6f/disable-cbc-mode-cipher-encryption-and-enable-ctr-or-gcm-cipher-mode-encryption-disable-md5-and?forum=winserversecurity

Mozilla Thunderbird Logging —
IIS HTTP to HTTPS — March 1, 2017

IIS HTTP to HTTPS

In the process of deploying an IIS web server we’d like to ensure that browsers that visit the unencrypted http page get redirected to the encrypted https page.

By default IIS comes with an “HTTP Redirect” module, but this doesn’t really do what we’re after. HTTP Redirect simply takes any request and forwards it to a specific URL. So it doesn’t care about the original host name header, URI or query string that was supplied by the browser; it just takes you to the exact URL that you specify.

To get the behaviour we’re expecting we need to install another module called “URL Rewrite”.

Continue reading

OpenSSL Ciphers —

OpenSSL Ciphers

OpenSSL is a very handy tool, on both Linux and Windows. On both you can do all kinds of conversions and creations, but equally useful is that you can view the details of the cipher suites it supports.

On Linux systems OpenSSL will look for /usr/local/ssl/openssl.cnf, or on some flavours /etc/ssl/openssl.cnf or even /usr/lib/ssl/openssl.cnf; on Windows, where no config file is present by default, it will show a warning:

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

Continue reading
SSH Logon with Private Key —
Installing / Updating Webmin —

Installing / Updating Webmin

We’ve got webmin installed on a number of our Debian Linux boxes. In our environment many of these servers don’t have full and open access to the internet so aren’t capable of going out and updating from the webmin site.

To get our updates we must download the .deb file using a client system from the webmin download page and then copy it to the server using scp.

$ scp webmin_[VERSION]_all.deb [SERVER]:~/

Then just ssh onto the server and install the update using:

$ sudo dpkg -i ~/webmin_[VERSION]_all.deb
(Reading database ... 53365 files and directories currently installed.)
Preparing to replace webmin VERSION (using webmin_VERSION_all.deb) ...
Unpacking replacement webmin ...
Setting up webmin (VERSION) ...
Webmin install complete. You can now login to https://SERVER:10000/
as root with your root password, or as any user who can use sudo
to run commands as root.

This does a straightforward update if it exists, or a new install if it doesn’t.

Teradici PCOIP MC Upgrade —

Teradici PCOIP MC Upgrade

Following the upgrade of the Management Console I noticed that none of the terminals were actually connecting to the Management Console. They connected through our 802.1x onto the production VLAN, but if you look in the console – none of them are reporting back.

So I picked one at random that I could confirm was online (even if the Management Console says a terminal is online, it might not be). I logged into the terminal’s web GUI and looked at the Management config.

Management > Config

Continue reading