I am trying to run a calendar server (Caldavd). I ran into trouble when I enabled SSL. I get the error:
"Unable to Connect Securely
Firefox cannot guarantee the safety of your data on localhost:8443 because it uses SSLv3, a broken security protocol."
I am running on Ubuntu 12.04, have created a self signed certificate, using openssl 1.0.2 (the latest, as far as I can tell), and have added the line
SSLProtocol All -SSLv2 -SSLv3
to my site configuration file.
I am a newbie to Apache, not a sysadmin. I understand why Firefox wants to disable SSLv3 but I don't know what else I need to do.
Verify that you have all the weak ciphers disabled. Since the server is internal use OpenSSL.
openssl s_client -connect localhost:8443 -cipher 'ALL:!RC4' -no_ssl2 -no_tls1_1 -no_tls1_2
If the connection is successful then you know the configurations worked.
How to disable weak ciphers in Apache: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
Related
SYSTEM INFORMATION
OS type and version CentOS Linux 7.5.1804
Webmin version [1.998]
Virtualmin version [7.1]
I installed a wildcard ssl certificate from Letsencrypt but in the browser when verifying the certificate it shows CN = “domain.com” not “*.domain.com”.
What do I need to do, what settings to enter in order to display the correct wildcard certificate?
Thanks!
The server is not properly configured. TLS works with IPv4 for both 2much.info and bauhaus.2much.info. For IPv6 though there is no address with 2much.info but there is one for bauhaus.2much.info. Only, TLS is not enabled here, it returns instead plain HTTP on port 443.
IPv6 capable clients will usually prefer IPv6 to IPv4. The attempt of using Opera without VPN might be done in a IPv4 environment, so the working IPv4 address is used. When using the VPN though other systems will access the target and these might be IPv6 enabled - in which case the access fails.
This can also be seen in a IPv6 capable environment. It is working with IPv4:
$ openssl s_client -connect bauhaus.2much.info:443 -4
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
But failing with IPv6
$ openssl s_client -connect bauhaus.2much.info:443 -6
CONNECTED(00000003)
140692571469632:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
I have learnt about SSL and SSL certificates used on client and server side. I pretty much understand how things work and have generated server and client certificates and keys. I have studied how can I use my own CA with https in Android.
I want to setup a server where I can put the server certificate and then access it from my android device to make an emulation of what I have learnt so far.
Is there any server available where I just need to put cert and key and it will start working? I have gone through wamp and apache configuration stuff but unfortunately I am unable to make it work properly.
If you're using OpenSSL it includes a very simple server named s_server which is very useful for this kind of experimentation. Here's an example that might get you started
$ openssl s_server -key test.key -cert test.crt -accept 8443 -WWW
This will serve up files in the current working directory from https://localhost:8443/
The manpage for s_server should give you all the info you need. I think you'll want the -CApath or -CAfile options if you're also experimenting with client certs.
I'm tring to set up HTTP2 with apache2, and certbot-auto, the fact is I have another working server with HTTP2+ Apache2 + with letsencrypt cert, HTTP2 is working perfectly on this server. I have this on both server :
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
I tryed to regen both dhparams key with :
openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096
Restart apache, same problem , server 1 is working, server 2 no.
On ssllabs.com I have with chrome, FF, ... :
Server negotiated HTTP/2 with blacklisted suite
If I test with :
openssl s_client -host 127.0.0.1 -port 443
On the working server I have :
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
On the not working server :
Server Temp Key: DH, 4096 bits
Cipher : DHE-RSA-AES128-GCM-SHA256
I know that it should be a ECDH key to work, but I don't know why it's not working as all server have exactly the same configuration !
I alway use : certbot-auto --apache -d mydomain.com to generate a cert, i work with HTTP2 on the first server, not on the second (error inadequate security, and fallback to http1.1)
Can you help me ? I want a working configuration with apache2 and SSL/HTTP2, I dont need very old browser compatibility. Or if you know a very good working tutorial to do that.
Apache 2.4.25 and open ssl 1.0.2k on both servers.
I just (re) emerged apache 2.4.25 with exactly the same compilations flags and it works now ! Maybe some cipher libs was compiled before newer openssl. I'm on gentoo.
I am running Django 1.7 with gunicorn. I am able to use https using gunicorn by passing certificate and key file as parameter.
When I validate my server by geotrust ssl tools, it says everything is fine except -
This server may be vulnerable: SSLv3 is enabled
Disable SSLv3 and use TLS 1.0 or higher.
I am new to this and not able to understand how to do this. Is this is related to machine or this is related to gunicorn?
gunicorn --ssl-version TLSv1_2 -b 0.0.0.0:8000 project:app
This should enable TLSV1.2 in 8000 port. you can also check if TLSV1 is still active by running below command. if connection established, then target uses tlsv1
openssl s_client -connect hostname:port -tls1
You can also check for tlsv1.2:
openssl s_client -connect hostname:port -tls1_2
Replying to an old thread here, in order to disable anything but TLSv1.2+ and weak ciphers, allowing to pass SSLLabs tests
Gunicorn option --ssl-version allows to set minimal SSL version to use.
Gunicorn --ciphers allows to enable / disable cipher sets or specific ciphers.
Both options accept OpenSSL standard directives.
Good cipher lists can be found on cipherli.st
As of April 2021, in order to have a secure SSL connection according to SSLLabs, I made the following
/usr/bin/gunicorn --ssl-version=TLSv1_2 --ciphers='DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK' --certfile=/etc/pki/tls/certs/mycert.crt --keyfile=/etc/pki/tls/private/mykey.key
Warning: The singlequotes need to be removed if the commandline is to be put in a systemd unit file.
Here is my problem.
I have multiple domains hosted on one apache webserver. (Virtual Hosts)
Two of them (a.com and b.com) use ssl certificates.
I configured both with these commands:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/ABC.crt
SSLCertificateKeyFile /etc/apache2/ssl/ABC.key
SSLCertificateChainFile /etc/apache2/ssl/ABC.chain.crt
SSLProtocol all -SSLv2
When i try to connect via browser (chrome, Firefox, IE) it works fine and i get the right certificate.
But on android i got an exception: No peer certificate
Then i tried to test it with this command:
openssl s_client -connect b.com:443
It returns me the certificate of the a.com.
Any suggestions what I've done wrong that i get the wrong certificate with openssl and android?
There are probably multiple hosts on the same IP address and you need to use Server Name Indication (SNI) to access this site. To you SNI with openssl s_client use the -servername option, e.g. openssl s_client -connect b.com:443 -servername a.com. As for android: according to https://developer.android.com/training/articles/security-ssl.html SNI is supported since 2.3 for HttpsURLConnection but not for Apache HTTP Client.