I found many useful online tools that provide SSL/TLS analysis. Is there any offline or online tool that would check if specific ciphers are safe?
Sometimes servers are not visible in internet or admin wish not to inform the rest of the world that his server is not safe enough.
I know that I can run nmap against my own server, however quick static analysis would be fine.
For example, Qualys sells this product that you need for internal scanning. If you're not going to buy anything, you can script around openssl (it wouldn't take long).
Related
I have just started out with learning WebRTC for implementing audio and video application and know there are various Public stun servers available for peer connection. But i am a bit confused can I use these Public servers for a commercial application?
Also I would like to know if there is any tutorial or guide available from where i can understand how to make and deploy my own stun or turn server if i want to create a commercial app?
Whether you can use public STUN servers for commercial applications depends entirely on the licensing/Terms of Service agreement of the operator of said servers. Peruse those if available. If not indicated otherwise, I wouldn't distinguish "commercial" use from any other use.
There are many many implementations of STUN/TURN servers available you can set up yourself on any machine you happen to have (in practice that probably means an instance on AWS, Azure or the like). Search for and pick one you like. STUN servers use relatively little resources, while TURN servers typically need powerful CPUs and fast internet connections to be useful (they must relay the entire video stream as quickly as possible).
Operating such a server yourself may become expensive, depending on your usage. Using a commercial provider for TURN servers may be the better option; personally I've had good experiences with Twilio in this regard, but do shop around for other offerings.
Is there a way to temporarily disable SNI in a modern browser?
E.g. to test a website availability for older clients. (Should one worry about them since POODLE?)
Probably the best way to test availability for older clients is to actually try out older clients. Microsoft provides VM images for browser compatibility testing at https://www.modern.ie/, which probably covers most of the desktop-based legacy clients, at least.
Another great resource for testing web site SSL/TLS compatibility in general is the Qualys SSL Server Test, which tries all the protocols and gives a simulation of what cipher suites browsers will be negotiating, as well as other useful information.
I'm not aware of any specific modern browser setting for disabling SNI specifically. Probably it'd open up a whole bunch of code paths that would need testing for not really any benefit, and support for it is probably deep within whatever library the browser is using for SSL/TLS support.
I have a low volume (<500 PDFs/year) application for automated digital-signing of PDF files using iText in Java on Linux.
I've got iText adding a digital signature to PDFs using my SSL certificate. Is this a valid method to prove the PDF was generated by my domain (e.g. server)? Can it be used somehow to get the green checkmarks showing "trust" in Adobe Reader?
If not, I should use a certificate intended for PDFs (e.g. not my SSL certificate), so that the little green checkmarks indicating "trust" appear naturally when the user opens the PDF document.
The book http://itextpdf.com/book/digitalsignatures does a great job introducing this topic to me (I have very little experience in this area).
The book talks about a SafeNet Luna device (an HSM), but's it is much too expensive. I only require a minimal solution, and the Luna has a lot of bells and whistles. The Luna PCIe device is less expensive, but I don't require any features other than providing a certificate I can use to sign. Also, the USB-based SafeNet iKey device seems only to be marketed to Windows devices. Has anyone got iKey working with Linux? Is it even possible? Do other companies offer USB based devices that work on Linux?
I'm looking for a minimal solution for serving automated digitally signed PDFs on a Linux box. I'm sure a lot of small businesses have similar needs. I'm just trying to tap into existing knowledge out there. How do people solve this problem?
The solutions I see for automating this process assume large corporations using Adobe Live Cycle, and priced accordingly (see for example: https://www.globalsign.com/pdf-signing/compare-pdf-signing.html). But small businesses need to automate things too.
Ideally someone would sell a certificate similar to the SSL certificates, but for PDF files. Is there such a thing?
Is hardware (of some sort) a requirement (seems so)? If hardware is a requirement, are there any minimal solutions out there (e.g. with limited functionality other than enabling digital signing)?
Hoping someone can help me see the forest from the trees. What's the conventional wisdom?
Regarding signing with your SSL certificate: in a future iText version, we make require that the key-usage of the certificate indicates that the certificate can be used for non-repudiation. For now, we make checking the key-usage the responsibility for the developer, but in a perfect world, you should only sign with certificates suited for non-repudiation, and your SSL certificate probably doesn't allow this.
Regarding the green check mark: unless you can ask the consumers of your PDFs to add the root certificate of your certificate to the list of trusted identities, you'll always need a public/private key stored on hardware to get a green check mark.
Regarding the price of an HSM / USB key. USB keys are much cheaper, but usually they are meant for manual use (usually they have a limit of signing only once every second). I think that GlobalSign has a flavor of keys that work on Linux. As for HSMs, one of our customers told us that he bought one from Utimaco because it was less expensive (but I don't know what budget he had or spent).
No price info, but maybe a good read for inspiration: http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf
I'm doing some performance analysis on an SSL-encrypted connection and I want to tease apart how much time is saved by not MACing (I still want AES-CBC however). Is there a way to disable just HMAC via the API?
You can't disable it in SSL or TLS, period, regardless of the implementation. It is a required part of the protocol. Without it the protocol wouldn't be secure.
I did a performance study a few years ago that showed that over the Internet, SSL is only 3x as slow as plaintext. I was pleasantly surprised at that.
If you want faster SSL, invest in a hardware crypto accelerator.
I am looking for a tool capable of generating multiple Xmpp connections to load-test a XMPP server with a secure connection, especially starttls.
For a xmpp plain text authentication I had used jab_simul(followed this tutorial) and tsung both with success.
But I was unable to use the tolls above for the starttls,I peeked into the code of both tools and tried different configurations of the tools.
Another option I am pondering is using a xmpp library like eXmpp and make a specific load-testing tool myself with, instead of altering jab_simul (C software with comments in language i do not understand) or altering tsung(all purpose load-testing tool, so lots of place where you can go wrong).
short-story - I am looking for a tool or advice to stress-testing/load-testing a xmpp server.
We are facing exactly the same challenge right now. After deep consideration we found out that only especially build software can deliver the load we want to test. (Remember, you can configure ejabberd to something very specific :-)
For that we developed a small library called xmpp_talker https://github.com/burinov/xmpp_talker (Apache Licence) which is a kind of xmpp client made as a gen_server. I find it is a very nice starting point to build any kind of load simulation software. There is also echo_worker example included. So, you have good base to start. At the moment xmpp_talker is suited for exmpp 0.9.7. As far as I know in a few days will be out version 1.0.0. (or 0.9.9?) There are many bug fixes (trust me you don't want to know about them). On monday I will release xmpp_talker for exmpp 0.9.8 with proper service interruption handling.
In case you deside to go the same way xmpp_talker could be useful for you.
Added: Here is also great article that is realted to the topic: https://support.process-one.net/doc/display/EXMPP/Scalable+XMPP+bots+with+erlang+and+exmpp
There's also the recently started XMPP benchmarking project called xmppench which aims to be a high-performance benchmarking tool simulating some reasonable use cases of XMPP servers. It's written in C++, based on Swiften and boost.