I'm trying to check a specific IIS configuration, which should reject weak SSL certificates.
How would I go about creating an SSL certificate with either RC4 or DES encryption?
I've tried using openssl with the -des flag, but it seems to still create a sha256 cert.
The choice of the symmetric cipher used in TLS (i.e. RC4, DES, AES...) does not depend on the certificate. This means that any certificate you'll create can be used together with RC4, DES, ... . Instead of trying to enforce a strong cipher using the certificate you have to do this in the server configuration. See Mozilla: Security/Server Side TLS for examples on how to configure common web servers with strong ciphers.
Related
I need a clarity for two-way SSL, if I Create Client self-sign certificate, using OpenSSL then save it in Pkcs12 file and Server self-sign certificate using Java keytool then save it in Jks file. Can both certificate work for two-way SSL?
Which TLS version openssl used?
The structure of a certificate is a standard and independent of a specific tool. This means it does not matter what tool is used to create certificates as long as it creates proper certificates. Also, the TLS protocol version used inside a connection has nothing to do with the certificate used for the connection and what tool was used to create the certificate.
I have an existing server that is using the following setting.
The connection to this site uses TLS 1.2 (a strong protocol), RSA (an
obsolete key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher).
If I want to change the key exchange and cipher, do I need to get a new certificate?
The cipher is (mostly) unrelated to the certificate. Given that you are using a RSA certificate (since otherwise RSA key exchange would not be possible) you can switch to ECDHE key exchange. And instead of AES-128-CBC you might use AES-128-GCM or AES-256. For useful configurations you might use the Mozilla SSL Configuration Generator.
We need to support 2 way SSL in our project . For this, we need to create the TLS v1.2 certificates. I am not sure how to mention the TLS version (i.e 1.2) while creating the certificate.
The certificate is independent from the TLS version. The TLS version (and ciphers) are relevant for the SSL handshake which includes the exchange of the certificate(s). The validation of the certificates is outside the SSL handshake and is thus independent from TLS version and ciphers but depends only on the certificate itself. There is a small dependency that with TLS 1.2 the acceptable signature algorithms can be send, but as long as the certificate is signed with SHA-256 (current state of the art) you are safe.
Certificates are based on x509 standard which has certificate version(Currently v3). Like Steffen explained above independent from SSL/TLS versions.
I have purchased & installed Godaddy SSL certificate. When I access the site using Chrome 24ver the https padlock shows
1) encrypted with 128-bit
2) uses TLS 1.0
3) encrypted using RC4_128 with SHA1
However I read that RC4 is not safe anymore. So my question is
1) How reliable is https connection with mentioned specs
2) How do I get AES_CBC certificate?
3) I was being told that since the server is windows hosted it cannot be upgraded to 256-bit. Is it true? If not then what should I do?
Thanks
You are mixing things up. There is no RC4 certificate or AES_CBC certificate.
You certificate is signed by a certificate authority that issued it. In your case it is Godaddy. Look for Signature Algorithm property when you open details of the certificate (i.e. doubleclick on certificate file). There will probably be something like sha1RSA or sha256RSA or something similar.
RC4 is a cipher that is negotiated when establishing SSL conection with server. It depends on both parties (client and server) witch algorithm they will use. Read more here. You can set up IIS to allow or disallow these ciphers.
I'm trying to build a simple client-server application using Netty which uses SSL certificates .
I looked around and I could only find the secure chat example [here]. It uses bogus certificates.
How to do a proper implementation of SSL certificates (self-signed) in Netty?
I would recommend against self signed certificates. It's not worth the trouble. You can get signed certificate for free from StartSSL. Check out the link below on how to convert a signed certificate into PKCS12 format and use it in SSLContext to be used with Netty.
http://blog.hintcafe.com/post/33709433256/https-server-in-java-using-netty-and-keystore