Mar 20 2016

Hello World!

It’s been a while since my last post, so I’ve decided to make a magnificent one 🙂

Jokes apart, this setup took me a full Sunday, hence I thought to recap it for future reference.

The whole story started with a Python script on my Mac OS X unable to retrieve a JSON response from a specific https site, whereas the exact same script ran like a champ in Kali Linux.

And to make things even more complicated, the same URL was working fine using cURL or wget on OS X!

Comparing two network packet captures, I found that the issue was in the Client Hello part of the SSL handshake: the Python script was proposing a TLSv1.0 encrypted communication that the server was not willing to accept. The correctly working commands and scripts were all using TLSv1.2.

This led me to discover that OS X El Capitan includes by default an old (and vulnerable) version of OpenSSL, 0.9.8zg, which does not support the TLSv1.2 I needed. Consequently, the Python 2.7.10 bundled with El Capitan also had issues with TLS, since its bundled pyOpenSSL module was linked to that OpenSSL version.
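The check the packet captures above amount to, as an added example that is not from the original post: a small Python parser that reads the first TLS record of a capture and reports which protocol version the ClientHello proposes (a pre-TLS1.3 client advertises its highest version in client_version). The two hello messages it is fed are constructed inline by build_client_hello(), not taken from a real capture.

```python
import struct

# Protocol version codes as they appear on the wire (RFC 5246 / RFC 8446).
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def parse_client_hello(data: bytes) -> dict:
    """Parse the first TLS record of a capture and report what the client proposes."""
    if len(data) < 11 or data[0] != 0x16:
        raise ValueError("first byte is not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("first handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + hello[pos]                          # skip the length-prefixed session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return {
        # The record layer usually carries 0x0301 for compatibility; the handshake
        # field is the one that matters for version negotiation.
        "record_version": VERSIONS.get(record_version, hex(record_version)),
        "client_version": VERSIONS.get(client_version, hex(client_version)),
        "cipher_suites": suites,
        # A server that insists on TLSv1.2 rejects any hello proposing less than this.
        "offers_tls12": client_version >= 0x0303,
    }


def build_client_hello(client_version: int, suites: list) -> bytes:
    """Build a minimal ClientHello record (constructed test input, not a real capture)."""
    hello = struct.pack("!H", client_version) + bytes(32)   # version + zeroed random
    hello += b"\x00"                                         # empty session id
    hello += struct.pack("!H", 2 * len(suites))
    hello += b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                     # compression: null only
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(body)) + body
```

Feeding it a TLSv1.0 hello (the shape the failing script sent) yields offers_tls12 False; a TLSv1.2 hello yields True.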

To upgrade, I did the following:

  • Upgrade OpenSSL
    Not that easy, since you first have to install the latest OpenSSL via http://brew.sh (this is the easy part: brew update and brew install openssl).
    But then you need to rename the system openssl (/usr/bin/openssl) to something else and run sudo ln -s <your brew openssl executable> /usr/bin/openssl
    Before you can do that, you need to reboot your Mac in recovery mode (CMD+R when you hear the chimes at boot), select the Terminal from the Utilities menu and type in csrutil disable. This command disables System Integrity Protection, lowering your system security level until you reverse the change.
    Type also the command reboot to restart your machine, open a Terminal and proceed with the linking described above.
    Reboot again, access Recovery Mode and restore System Integrity Protection with the commands:
    csrutil enable
    reboot

  • Upgrade Python to 2.7.11
    This is trivial… just grab your version here and install from the DMG image.
  • Upgrade the pyOpenSSL module to one linked with TLSv1.2 support
    It took me a while to find the right command, since you need to issue it with the proper user indication:
    pip install --upgrade pyopenssl==0.15.1 --user

That should give you an OS X environment fully enabled with an upgraded OpenSSL (at the time of writing mine is 1.0.2g) and a Python environment correctly supporting TLSv1.2.

Happy encryption!

Jan 18 2010

Quick note to myself, since every time I spend hours searching for it again.

The command line is:

openssl x509 -req -in <path>/<certificate_request>.csr -CA <path-to-CA-private-cert>/CA-private-cert.pem -CAkey <path-to-CA-private-cert>/CA-private-cert.pem -CAcreateserial -out <path-to-certs-repository>/signed-cert-name.pem

Hopefully next time I won’t have to search for it again for hours and hours 😉

Naturally this command requires you to have created the request beforehand, and to have correctly set up the CA… but there is documentation on the ’Net concerning these two operations.

Feb 09 2009

Sometimes this is necessary since the server “appears” to be running (netstat -an | grep 636 returns the port in LISTEN state), but the daemon behind it is not operative because (for instance) the certificate has not been installed.

If this is the case, grab an openssl client and issue the following command:

openssl s_client -connect <address of the target host>:636 (636 is the standard LDAPS port)

If the server does have a valid certificate you should get an answer like:

If it does not, you’ll get something like this:

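The same check the openssl s_client command above performs, done from Python so it can be scripted against a list of LDAP servers (an added example, not from the original post): it separates “nothing listens on the port” from the post’s case, “the port is in LISTEN state but the daemon never completes a TLS handshake”. start_dead_listener() is a constructed stand-in for such a broken daemon so the example runs offline.

```python
import socket
import ssl
import threading


def probe_tls(host: str, port: int, timeout: float = 5.0) -> dict:
    """Open a TCP connection, then attempt a TLS handshake on it, like s_client does.

    The two steps are kept apart so the result says whether the port is closed
    (nothing listening) or open but served by a daemon that does not speak TLS.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # we only ask whether a handshake completes;
    ctx.verify_mode = ssl.CERT_NONE  # chain validation is a separate question
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"status": "refused", "detail": "nothing is listening on the port"}
    except OSError as exc:           # includes socket.timeout
        return {"status": "unreachable", "detail": str(exc)}
    try:
        # wrap_socket closes the socket itself if the handshake fails.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"status": "ok", "protocol": tls.version(),
                    "cert_der_bytes": len(tls.getpeercert(binary_form=True))}
    except ssl.SSLError as exc:      # must precede OSError: SSLError is a subclass
        return {"status": "no_tls", "detail": f"port open, handshake failed: {exc}"}
    except OSError as exc:           # reset or EOF before any TLS data came back
        return {"status": "no_tls", "detail": f"port open, connection dropped: {exc}"}


def start_dead_listener() -> tuple:
    """Constructed stand-in for the failure the post describes: a socket that netstat
    shows in LISTEN state but which drops the first client instead of answering."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.close()
        srv.close()              # afterwards the port is closed: probe gets "refused"

    worker = threading.Thread(target=serve_once, daemon=True)
    worker.start()
    return port, worker
```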

Dec 09 2008

I’ve finally managed to get this working, so now I need to write some notes in case I have to redo it in the future 🙂

This is a short howto about enabling https and multiple virtual hosts on Apache 2.0.

Much of the instructions are copy-pasted from the Debian Admin website, where I found a great guide I’ve successfully followed.

First of all let’s check that we have all the needed components, or proceed to install them as follows:

Install apache2 in Debian etch

#apt-get install apache2

Install openssl using the following command

#apt-get install openssl ssl-cert

Install PHP5 support for apache2 in Debian etch

#apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi

Once you have installed the Apache server you need to generate a certificate, enable Apache SSL support and configure your SSL options.

Generate a certificate

Generating a certificate will protect the traffic exchanged between clients and your server; however, it will be unsigned by a trusted certificate authority, so browsers will show warnings.

If you want to avoid these warning messages you need to get a trusted certificate from an SSL certificate vendor. To generate an SSL certificate for Apache2 you need to use openssl. It will ask you questions interactively and then generate the certificate file.

Note: for generating a certificate you might have used the apache2-ssl-certificate command in Debian sarge, but in Debian etch this command is not available. If you want to generate certificates you need to use openssl from your command prompt. Use the following command to generate the certificate:

#openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

Now you’ll be prompted to enter the certificate details. The answers reflect MY environment… yours might be different…

Generating a 1024 bit RSA private key
..............................................++++++
.........................................++++++
writing new private key to '/etc/apache2/apache.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]: Italy
Locality Name (eg, city) []:Milan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The RoarinPenguin Inc.
Organizational Unit Name (eg, section) []: Certification Department
Common Name (eg, YOUR name) []: The RoarinPenguin
Email Address []:roarinpenguin@roarinpenguin.com

You should now have your certificate ready, so proceed to set the proper permissions (the file also holds the private key):

#chmod 600 /etc/apache2/apache.pem

By default the server listens for incoming HTTP requests on port 80 and not for SSL connections on port 443, so you need to enable SSL support by adding the following entry to the file /etc/apache2/ports.conf, then save and exit the file.

Listen 443

Enable SSL Support

If you want to enable SSL support for your Apache web server you need to use the following command:

#a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.

Now you need to restart the apache2 server using the following command:

#/etc/init.d/apache2 restart

Configuring SSL Certificate to Virtual Hosts in Apache2

First you need to edit the /etc/apache2/sites-available/default file and change

NameVirtualHost *
to

NameVirtualHost *:80
NameVirtualHost *:443

Now you need to configure Virtual hosts using port 80

My apache2.conf reads the following at file end:

# Include generic snippets of statements
Include /etc/apache2/conf.d/

NameVirtualHost *:80
NameVirtualHost *:443

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/
AddDefaultCharset utf-8
DefaultLanguage it
ServerAdmin marco@rottigni.net
UseCanonicalName off
DocumentRoot /var/www
ServerName webby.rottigni.net

And my /etc/apache2/sites-available/default reads:

<VirtualHost *:80>
DocumentRoot /var/www/
ServerName www.rottigni.net
<Directory "/var/www">
allow from all
Options +Indexes
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/
ServerName www.rottigni.net
<Directory "/var/www">
allow from all
Options +Indexes
</Directory>
    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem
</VirtualHost>

Then I’ve enabled several websites using the command a2ensite followed by the name of the site you want to enable.

Configuration files for VirtualHosts are stored in

/etc/apache2/sites-available

and the configuration for one of my blogs reads

<VirtualHost *:80>
DocumentRoot /var/www/myblog
<Directory "/var/www/myblog">
allow from all
Options +Indexes
</Directory>
ServerName myblog.rottigni.net
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/myblog
<Directory "/var/www/myblog">
allow from all
Options +Indexes
</Directory>
ServerName myblog.rottigni.net
    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem
</VirtualHost>

That should be everything… oh, and don’t forget to reload your Apache config:

# /etc/init.d/apache2 reload
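A small lint for the kind of vhost pairs shown above, as an added example that is not part of the post or of the Debian guide it follows: it checks that every *:443 vhost actually turns SSLEngine on and names a certificate file, and it flags Options +Indexes, which exposes directory listings of the document root. The configuration it parses is constructed inline, modelled on the myblog pair above plus one deliberately incomplete 443 vhost (other.example.invalid is a made-up name).

```python
import re

# Constructed sample: the myblog pair from the post, plus a 443 vhost that forgot SSL.
SAMPLE_CONF = """<VirtualHost *:80>
DocumentRoot /var/www/myblog
<Directory "/var/www/myblog">
allow from all
Options +Indexes
</Directory>
ServerName myblog.rottigni.net
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/myblog
ServerName myblog.rottigni.net
    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/other
ServerName other.example.invalid
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def parse_vhosts(conf: str) -> list:
    """Return (address, directives) per <VirtualHost>; directives are stripped lines."""
    return [(m.group(1).strip(),
             [line.strip() for line in m.group(2).splitlines() if line.strip()])
            for m in VHOST_RE.finditer(conf)]


def check_vhosts(conf: str) -> list:
    """Report vhosts whose TLS wiring or exposure settings look wrong."""
    findings = []
    for addr, lines in parse_vhosts(conf):
        names = [l.split(None, 1)[1] for l in lines if l.startswith("ServerName ")]
        name = names[0] if names else "<no ServerName>"
        keys = {l.split(None, 1)[0] for l in lines}
        if addr.endswith(":443"):
            if "SSLEngine on" not in lines:
                findings.append(f"{name} {addr}: SSLEngine not on, port 443 would serve plain HTTP")
            if "SSLCertificateFile" not in keys:
                findings.append(f"{name} {addr}: no SSLCertificateFile")
        if "Options +Indexes" in lines:
            findings.append(f"{name} {addr}: directory listing enabled (Options +Indexes)")
    return findings
```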