1. 2018-03-19 - Elasticsearch Certificates; Tags: Elasticsearch Certificates

    Elasticsearch Certificates

    Since version 6, X-Pack Security for Elasticsearch requires node-to-node encryption to secure the Elasticsearch cluster. The main reason is that no unknown node can join the cluster and receive data through shard allocation. Over V6, V6.1 and V6.2 the tool certgen became deprecated and was replaced by certutil. My use case scenario: I had created certificates with certgen for my cluster and needed to generate a new certificate for a new data node.

    Baseline

    I have in total three clusters. yosemite is my monitoring cluster.

    tan@omega:/opt/elasticsearch-6.0.0> ls -l *.yml
    -rw-r--r-- 1 elastic elastic  1152 Dec  1 12:41 prod-instances.yml
    -rw-r--r-- 1 elastic elastic   604 Dec  1 12:54 test-instances.yml
    -rw-r--r-- 1 elastic elastic   399 Nov 29 13:49 yosemite-instances.yml
    

    The YAML definition is just an input for the certificate generation.

    tan@omega:/opt/elasticsearch-6.0.0> cat yosemite-instances.yml
    instances:
      - name: "Taft Point"
        ip: "10.22.62.137"
        dns:
          - "taft-point"
          - "taft-point.cinhtau.net"
      - name: "Setinal Rock"
        ip: "10.22.63.221"
        dns:
          - "sentinal-rock"
          - "sentinal-rock.cinhtau.net"
      - name: "El Capitan"
        ip: "10.123.19.11"
        dns:
          - "el-capitan"
          - "el-capitan.cinhtau.net"
    

    certutil

    The basic certutil help:

    tan@omega:/opt/elasticsearch-6.2.2> bin/x-pack/certutil --help
    Simplifies certificate creation for use with the Elastic Stack
    
    Commands
    --------
    csr - generate certificate signing requests
    cert - generate X.509 certificates and keys
    ca - generate a new local certificate authority
    
    Non-option arguments:
    command
    
    Option         Description
    ------         -----------
    -h, --help     show help
    -s, --silent   show minimal output
    -v, --verbose  show verbose output
    

    For generating a certificate:

    tan@omega:/opt/elasticsearch-6.2.2> bin/x-pack/certutil cert --help
    generate X.509 certificates and keys
    
    Option               Description
    ------               -----------
    -E <KeyValuePair>    Configure a setting
    --ca                 path to an existing ca key pair (in PKCS#12 format)
    --ca-cert            path to an existing ca certificate
    --ca-dn              distinguished name to use for the generated ca. defaults
                           to CN=Elastic Certificate Tool Autogenerated CA
    --ca-key             path to an existing ca private key
    --ca-pass            password for an existing ca private key or the generated
                           ca private key
    --days <Integer>     number of days that the generated certificates are valid
    --dns                comma separated DNS names
    -h, --help           show help
    --in                 file containing details of the instances in yaml format
    --ip                 comma separated IP addresses
    --keep-ca-key        retain the CA private key for future use
    --keysize <Integer>  size in bits of RSA keys
    --multiple           generate files for multiple instances
    --name               name of the generated certificate
    --out                path to the output file that should be produced
    --pass               password for generated private keys
    --pem                output certificates and keys in PEM format instead of
                           PKCS#12
    -s, --silent         show minimal output
    -v, --verbose        show verbose output
    

    To generate a new certificate, I assemble this command:

    bin/x-pack/certutil cert \
      --ca-cert /tmp/ca.crt --ca-key /tmp/ca.key \
      --name "machine-learning-master" \
      --ip "10.22.61.131" \
      --dns "ml-master,ml-master.cinhtau.net" \
      --pem -v
    

    Some notes:

    • ca.crt and ca.key are the preexisting root certificate authority
    • --pem keeps the PEM file output used previously instead of the PKCS#12 (p12) format

  2. 2017-08-28 - Convert SSL certificates to different formats; Tags: Convert SSL certificates to different formats

    Convert SSL certificates to different formats

    OpenSSL provides the capability to read and output in various formats.

    For instance, to convert a binary DER-encoded certificate to the Base64-encoded ASCII (PEM) format:

    openssl x509 -inform der -in monitoring-prod.cer -out monitoring-prod.pem
    
  3. 2016-08-10 - Remove password from private ssl key; Tags: Remove password from private ssl key

    Remove password from private ssl key

    In the kibana.yml configuration, I set up the mandatory configuration for SSL:

    server.ssl.key: "/opt/kibana/latest/ssl/key.pem"
    server.ssl.cert: "/opt/kibana/latest/ssl/cert.pem"
    

    Kibana can’t handle a password-protected private key (key.pem), as the error log shows:

    tail -f /var/log/kibana/error.log
    FATAL [Error: error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read]
    

    Therefore I had to remove the password in order to use the existing private key. We just export the key into a new key file:

    openssl rsa -in key.pem -out newkey.pem
    

    The new file should begin and end with:

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    
  4. 2016-08-09 - Convert private SSL key from JKS to PEM format; Tags: Convert private SSL key from JKS to PEM format

    Convert private SSL key from JKS to PEM format

    I faced the situation that I had to create a CSR.

    In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. (Wikipedia, 2016-08-10)

    To create a CSR you need a private key. My problem was that the existing key is stored in a Java keystore (JKS). This post describes the steps to extract it and store it in PEM format.

    The private key itself is password protected, so keep in mind that after every command I needed to enter the password.

    Check the keystore contents:

    vinh@omega:~/certs> keytool -list -keystore omega.jks
    Enter keystore password:
    *****************  WARNING WARNING WARNING  *****************
    * The integrity of the information stored in your keystore  *
    * has NOT been verified!  In order to verify its integrity, *
    * you must provide your keystore password.                  *
    *****************  WARNING WARNING WARNING  *****************
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    1, Jul 20, 2015, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 52:F1:B4:B3:85:84:33:28:D7:39:A1:B1:1E:76:18:FD:63:1B:05:8B
    

    The next step is to convert the keystore into PKCS#12 format, from which openssl can produce PEM:

    vinh@omega:~/certs> keytool -importkeystore -srckeystore omega.jks -destkeystore omega.p12 -deststoretype PKCS12
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
    Entry for alias 1 successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
    

    Use openssl to convert it into PEM:

    vinh@omega:~/certs> openssl pkcs12 -in omega.p12 -out omega.pem
    

    Et voila:

    vinh@omega:~/certs> ll
    total 28
    -rwxrwxrw- 1 vinh vinh  2296 Jul 23  2015 ca-certs.jks
    -rwxrwxrw- 1 vinh vinh  2947 Jul 20  2015 omega.jks
    -rw-r--r-- 1 vinh vinh  3562 Aug  9 17:36 omega.p12
    -rw-r--r-- 1 vinh vinh  3562 Aug  9 17:37 omega.pem
    -rwxrwxrw- 1 vinh vinh 15426 Jan 29  2016 trust.jks
    

    EDIT: Just use the shortcut (it exports the certificate, as the output shows):

    vinh@omega:~/certs> keytool -exportcert -rfc -file omega.pem -keystore omega.jks -alias 1
    Enter keystore password:
    Certificate stored in file <omega.pem>
    
  5. 2016-08-04 - Create a self signed certificate with openssl; Tags: Create a self signed certificate with openssl

    Create a self signed certificate with openssl

    Running Kibana with SSL requires a certificate. One way is to use a self-signed certificate.

    The following command generates a certificate with a 2048-bit RSA key, valid for 365 days, with an unencrypted private key (-nodes leaves the key without a password):

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
    
    vinh@omega:~> openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
    Generating a 2048 bit RSA private key
    ..........................+++
    .............................................................+++
    writing new private key to 'key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CH
    State or Province Name (full name) []:Zuerich
    Locality Name (eg, city) [Default City]:Zuerich
    Organization Name (eg, company) [Default Company Ltd]:Seven Dwarfs AG
    Organizational Unit Name (eg, section) []:Snow-White
    Common Name (eg, your name or your server's hostname) []:goldmine
    Email Address []:admin@mydomain.ch
    
  6. 2016-03-30 - Logging from HP NonStop to Elasticsearch cluster; Tags: Logging from HP NonStop to Elasticsearch cluster

    Logging from HP NonStop to Elasticsearch cluster

    This article demonstrates the fundamental milestones to get decent log reporting from the HP NonStop into an Elasticsearch cluster. The HP NonStop itself offers, with OSS, a minimal Linux-like OS on top of the Guardian layer. The following article covers the configuration on the HP NonStop (sending party) and on the Linux server that runs Logstash and Elasticsearch (receiving party). We will also call the HP NonStop Tandem, for clarification.

    The scenario

    This article needs a basic understanding of Logstash and HP NonStop OSS. The circumstances are: my company has an HP NonStop (Itanium architecture). On the Tandem machine, several Tomcat web applications are running and logging. Viewing the log files with tail under OSS is a pain in the .. you know where :wink: . So the basic idea is to report the log files to Elasticsearch and view them with Kibana. The HP NonStop isn’t capable of running Logstash (problems with JRuby), logstash-forwarder or Filebeat (written in Go). There is an unofficial logstash-forwarder implementation on GitHub, written in Java. This programme was written for IBM AIX and fits the purpose of running basic Java applications on the Itanium architecture.

    Getting started

    Before we begin we need to create self-signed SSL certificates, which are essential for the logstash-forwarder protocol lumberjack and the Logstash input configuration. Logstash supports all certificates, including self-signed ones. To generate a certificate, we run the following command on the Linux server (receiving party):

    openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout logstash-forwarder.key -out logstash-forwarder.crt -days 365
    

    This will generate a key at logstash-forwarder.key and the certificate, valid for one year, at logstash-forwarder.crt. Both the server running logstash-forwarder and the Logstash instances receiving the logs require these files on disk to verify the authenticity of messages. That means we also have to distribute them to the Tandem (the sending party). The logstash-forwarder also needs a Java keystore. We create a new one containing the self-signed certificate:

    keytool -importcert -trustcacerts -file logstash-forwarder.crt -alias ca -keystore keystore.jks
    

    The command will ask for a password; just use the default changeit for simplicity. You may choose another password, but keep in mind to remember it.

    Configure logstash

    Logstash, that runs on the Linux Server, needs a lumberjack input configuration:

    input {
      lumberjack {
        port => 5400
        ssl_certificate => "/opt/logstash-2.2.1/logstash-forwarder.crt"
        ssl_key => "/opt/logstash-2.2.1/logstash-forwarder.key"
      }
    }
    

    We just choose the free port 5400 for simplicity. The output may be Elasticsearch or, for testing, just stdout:

    output {
        elasticsearch {
            host => "10.24.62.120"
            protocol => "http"
            port => 9200
            index => "tandem-%{+YYYY.MM.dd}"
        }
        stdout {
            codec => rubydebug
        }
    }
    

    Of course you can also apply custom filters, but for simplicity I leave them out of the equation.

    The HP NonStop side

    The first obstacle under OSS is to setup the correct Java environment:

    export JAVA_HOME=/usr/tandem/java7.0
    export PATH=$PATH:$JAVA_HOME/bin
    

    Allowing programmes to use the TCP/IP stack is a special case and had to be done explicitly:

    add_define =tcpip^process^name class=map file=\$ZKIP
    

    We assign the current OSS process to the TCP/IP process name $ZKIP, which allows us to talk to the Linux server on the outgoing side. You may have to replace the process name with the respective process name on your Tandem/HP NonStop. Download the latest release from the above GitHub repository and upload it to the HP NonStop.

    Configure the forwarder

    I put the SSL certificates in the same folder as the logstash-forwarder. The forwarder needs a configuration telling it which files to tail and where to forward them. An example:

    {
       "network": {
         "servers": [ "10.24.62.120:5400" ],
         "ssl certificate": "/opt/logstash-forwarder/logstash-forwarder.crt",
         "ssl key": "/opt/logstash-forwarder/logstash-forwarder.key",
         "ssl ca": "/opt/logstash-forwarder/keystore.jks",
         "timeout": 15
       },
       "files": [
         {
           "paths": [
             "/var/dev/log/tomcat-server/-*.log"
           ],
           "fields": { "type": "logs" }
         }, {
           "paths": [
             "/var/dev/log/java/*.log"
           ],
           "fields": { "type": "logs" }
         }
       ]
     }
    

    Start the forwarder

    After that we can start the java logstash forwarder with the defined configuration:

    nohup java -jar logstash-forwarder-java-0.2.3.jar -config config > forwarder.log 2> error.log &
    

    On the receiving side, or in Kibana, you should see the incoming messages flying in.

    Final steps

    After successfully testing the log forwarding you may configure a new Pathway server to run the application automatically.

  7. 2016-03-11 - Copy contents of Java Keystore to another Keystore; Tags: Copy contents of Java Keystore to another Keystore

    Copy contents of Java Keystore to another Keystore

    Copy all certificates from one keystore into the keystore of the current Java installation. You can use keytool with srckeystore (source keystore) and destkeystore (destination keystore).

    For Windows

    cd %JAVA_HOME%
    bin\keytool -importkeystore -srckeystore wildcard.keystore -srcstorepass changeit -destkeystore jre\lib\security\cacerts -deststorepass changeit
    

    For Linux

    cd $JAVA_HOME
    bin/keytool -importkeystore -srckeystore wildcard.keystore -srcstorepass changeit -destkeystore jre/lib/security/cacerts -deststorepass changeit
    
  8. 2016-03-08 - Change System Properties for SSL Handling in JBoss EAP at runtime; Tags: Change System Properties for SSL Handling in JBoss EAP at runtime

    Change System Properties for SSL Handling in JBoss EAP at runtime

    Working with SSL you can pass all settings as arguments, or set them in standalone.xml/domain.xml as system properties. The advantage is that you can alter them at any time instead of passing them as arguments. This post demonstrates how to deal with the essential SSL properties within JBoss by using the CLI. The properties in question, as they would be passed on the command line:

    -Djavax.net.debug=ssl -Djavax.net.ssl.keyStore=clientcertificate.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=$PASS -Djavax.net.ssl.trustStore=trusted_certs.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=$PASS -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"
    

    Read a system property:

    [standalone@fo-prd02-dc1:12399 /] /system-property=javax.net.ssl.keyStore:read-resource
    {
        "outcome" => "success",
        "result" => {"value" => "/opt/six/fo/configuration/prod.jks"}
    }
    

    Change a system property:

    [standalone@fo-prd02-dc1:12399 /] /system-property=javax.net.ssl.keyStore:write-attribute(name=value, value="/opt/six/fo/configuration/prod_sl.jks")
    {"outcome" => "success"}
    

    Set logging and alter the value:

    [standalone@fo-prd02-dc1:12399 /] /system-property=javax.net.debug:add(value="ssl:handshake:verbose")
    {"outcome" => "success"}
    # Increase Logging level
    [standalone@fo-prd02-dc1:12399 /] /system-property=javax.net.debug:write-attribute(name=value, value="all")
    {"outcome" => "success"}
    

    Add a system property for the supported HTTPS protocols:

    [standalone@fo-prd02-dc1:12399 /] /system-property=https.protocols:add(value="TLSv1,TLSv1.1,TLSv1.2")
    {"outcome" => "success"}
    
  9. 2016-03-04 - Analyse network traffic capture with Wireshark; Tags: Analyse network traffic capture with Wireshark

    Analyse network traffic capture with Wireshark

    Wireshark is an open source network protocol analyzer. Captures of network traffic made with Wireshark or tcpdump can easily be analyzed in the GUI. This post shows how to decode TCP as the SSL protocol in order to see the SSL/TLS handshake.

    In the network traffic the ports are listed; we chose port 50100. Via the context menu, we can choose "Decode As". I know that SSL/TLS is handled on that port, therefore in the dialog I choose SSL. After that instruction, we can investigate the SSL protocol.

    (Screenshots wireshark-01 to wireshark-04 from the original post are not reproduced here.)

  10. 2016-03-04 - Import pem certificate into Java KeyStore (jks); Tags: Import pem certificate into Java KeyStore (jks)

    Import pem certificate into Java KeyStore (jks)

    To achieve that we convert the certificate into a binary cert that can be imported by the Java keytool.

    First, convert your certificate into DER format:

    openssl x509 -outform der -in certificate.pem -out certificate.der
    

    After that, import it into the keystore:

    keytool -import -alias your-alias -keystore cacerts -file certificate.der
    

  11. 2016-03-02 - Export SSL/TLS certificates with openssl; Tags: Export SSL/TLS certificates with openssl

    Export SSL/TLS certificates with openssl

    openssl has a handy way to extract and save certificates for further use. It comes in handy if you have to set up e.g. keystores in Java. This post demonstrates how to export binary and ASCII-encoded certificates.

    Binary encoded certificate

    The DER extension is used for binary DER-encoded certificate data. Export it:

    openssl s_client -showcerts -connect cinhtau.net:443 < /dev/null | openssl x509 -outform DER > cinhtau.der
    

    View it (output shortened):

    tan@pavilion:~$ hexdump -C cinhtau.der
    00000000  30 82 05 0f 30 82 03 f7  a0 03 02 01 02 02 12 01  |0...0...........|
    ..
    00000510  8a ed 5b                                          |..[|
    00000513
    

    ASCII encoded data

    The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data. Export it (the openssl output format is PEM, not "PERM"):

    openssl s_client -showcerts -connect cinhtau.net:443 < /dev/null | openssl x509 -outform PEM > cinhtau.pem
    

    View the certificate (output shortened):

    tan@pavilion:~$ cat cinhtau.pem
    -----BEGIN CERTIFICATE-----
    MIIFDzCCA/egAwIBAgISAaIBPGf27jqM0aPwVl+1rpuhMA0GCSqGSIb3DQEBCwUA
    ..
    hs9JyqagwgHMhnA9wj6xwlZZOAaL2x1I64sbXVYcOvcC1XAM422GpEb37KYoEI6V
    iu1b
    -----END CERTIFICATE-----
    
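    The conversions in this post and in the posts above ("Convert SSL certificates to different formats", "Import pem certificate into Java KeyStore (jks)"), together with the password-protected key.pem that Kibana rejects in "Remove password from private ssl key", as an added Python example that is not part of the original blog: it mirrors with stdlib code what openssl x509 -inform/-outform does, checks a .der file's size against its DER length header (the 30 82 05 0f at the start of the hexdump above), and flags an encrypted private key before it reaches Kibana. All sample inputs are constructed and are not real certificates or keys.

```python
"""DER/PEM helpers for the certificate handling shown in the posts above.

Added example, not the blog's own code. The DER blob and the key below
are constructed test data, not real credentials.
"""
import base64
import re

# One PEM block: label, optional headers and base64 body between the armor lines.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def der_total_length(der: bytes) -> int:
    """Return the byte length the outer DER SEQUENCE claims (header + content).

    A certificate is a SEQUENCE (tag 0x30). The hexdump above starts with
    30 82 05 0f: tag 0x30, then 0x82 = "length in the next 2 bytes", and
    0x050f = 1295 content bytes, so the file must be 4 + 1295 = 0x513 bytes,
    which is exactly the final offset hexdump printed.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected first byte 0x30)")
    first = der[1]
    if first < 0x80:                    # short form: the length fits in one byte
        return 2 + first
    num_len_bytes = first & 0x7F        # long form: 0x8N means N length bytes follow
    if num_len_bytes == 0 or len(der) < 2 + num_len_bytes:
        raise ValueError("malformed DER length field")
    content_len = int.from_bytes(der[2:2 + num_len_bytes], "big")
    return 2 + num_len_bytes + content_len


def der_is_complete(der: bytes) -> bool:
    """True when the file size matches what its DER header promises (no truncation)."""
    return der_total_length(der) == len(der)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64-armor DER bytes with 64-character lines, as openssl -outform PEM does."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armor (and any 'Name: value' headers) and decode the first PEM block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    body = "".join(line.strip() for line in m.group("body").splitlines() if ":" not in line)
    return base64.b64decode(body)


def key_is_password_protected(pem: str) -> bool:
    """Detect the key.pem that makes Kibana fail with 'bad password read'.

    Traditional (PKCS#1) keys carry a 'Proc-Type: 4,ENCRYPTED' header inside
    the armor; PKCS#8 keys use the label 'ENCRYPTED PRIVATE KEY' instead.
    """
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return m.group("label") == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in m.group("body")


# Constructed sample: the header from the hexdump (1295 content bytes) plus filler.
SAMPLE_DER = b"\x30\x82\x05\x0f" + bytes(range(256)) * 5 + b"\x00" * 15

# Constructed sample of a passphrase-protected PKCS#1 key (body is dummy base64).
SAMPLE_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print("DER header claims", hex(der_total_length(SAMPLE_DER)), "bytes; complete:",
          der_is_complete(SAMPLE_DER))
    print(der_to_pem(SAMPLE_DER).splitlines()[0])
    print("round trip ok:", pem_to_der(der_to_pem(SAMPLE_DER)) == SAMPLE_DER)
    print("key needs a password:", key_is_password_protected(SAMPLE_ENCRYPTED_KEY))
```

    Run der_is_complete on a .der file before importing it with keytool; a truncated download fails the check, and key_is_password_protected on key.pem tells you up front whether openssl rsa -in key.pem -out newkey.pem is needed.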
  12. 2016-03-02 - Connecting to SSL Services with openssl; Tags: Connecting to SSL Services with openssl

    Connecting to SSL Services with openssl

    Currently I have to deal a lot with SSL/TLS. openssl comes in handy to test connections. Also, if you have set up 2-way SSL (mutual authentication), it is a good test for the SSL handshake.

    This example just connects to my server (one-way SSL, output shortened). We enforce TLSv1.2; if you need more information, add the -debug option to the command.

    tan@pavilion:~$ openssl s_client -connect cinhtau.net:443 -tls1_2
    CONNECTED(00000003)
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/CN=www.cinhtau.net
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFDzCCA/egAwIBAgISAaIBPGf27jqM0aPwVl+1rpuhMA0GCSqGSIb3DQEBCwUA
    ..
    hs9JyqagwgHMhnA9wj6xwlZZOAaL2x1I64sbXVYcOvcC1XAM422GpEb37KYoEI6V
    iu1b
    -----END CERTIFICATE-----
    subject=/CN=www.cinhtau.net
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3189 bytes and written 421 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: C2806D679F15EBE0F35A5EEC9BE01CB396C44D82BD9E56BC323FAE06E122F8A7
        Session-ID-ctx:
        Master-Key: 47E9D9509D9DF135E3DDB250E186A226CB336AFD0EDB314BDA12E52081AFE3261777B79875D2D3C27FA4B7ED90D8A071
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 3e ba c2 90 c1 53 95 c8-68 6a 63 17 c2 58 f1 b1   >....S..hjc..X..
        0010 - 6a 65 be 10 8f 75 c9 e6-1c 27 39 48 6c 43 81 ef   je...u...'9HlC..
        0020 - b9 c3 37 86 cc f5 80 6d-48 c0 c2 e1 e8 41 98 da   ..7....mH....A..
        0030 - 73 90 28 5d c9 d7 74 5b-1e ec 78 a6 6e fe 19 d7   s.(]..t[..x.n...
        0040 - b8 37 82 31 25 51 e5 f5-8b 3f 41 4d d9 a7 a3 ec   .7.1%Q...?AM....
        0050 - 56 ed bd 2e 81 49 2a d1-3d 75 a3 8b 41 f8 7e 0d   V....I*.=u..A.~.
        0060 - 5f 75 58 fe 62 7b a5 20-21 73 8b b6 1e 6c 05 e6   _uX.b{. !s...l..
        0070 - 4a 74 c3 3d 21 11 de 0a-8f d7 82 20 33 05 86 ec   Jt.=!...... 3...
        0080 - 19 18 58 de 40 90 4f 82-85 42 1a ec 1f 0c 22 e1   ..X.@.O..B....".
        0090 - 12 2c b2 3a 51 cd 86 71-7d a8 8d fe 9d 3c 7c 3c   .,.:Q..q}....<|<
        00a0 - 8b e6 39 ee f9 9a f9 91-83 f1 ff 14 3a 64 02 d8   ..9.........:d..
        00b0 - 1b 39 99 08 4e 8a f8 c4-ca 18 a6 61 10 b6 e3 67   .9..N......a...g
        Start Time: 1456955079
        Timeout   : 7200 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    

    After the client has connected, you can type an HTTP request into it and you will receive the HTTP response.

    HEAD / HTTP/1.0
    HTTP/1.1 200 OK
    Date: Wed, 02 Mar 2016 21:44:41 GMT
    Server: Apache/2.4.10 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 OpenSSL/1.0.1k mod_wsgi/4.3.0 Python/2.7.9
    Last-Modified: Wed, 17 Jun 2015 23:03:46 GMT
    ETag: "e3-518beb40a509a"
    Accept-Ranges: bytes
    Content-Length: 227
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html
    read:errno=0
    
  13. 2016-02-26 - Secure your FTP server with Let's Encrypt certificates; Tags: Secure your FTP server with Let's Encrypt certificates

    Secure your FTP server with Let's Encrypt certificates

    This post illustrates a quick setup for ProFTPD with TLS. It allows only TLSv1.2 secured connections with Let’s Encrypt certificates.

    First of all, make a backup of the existing configuration, then edit the TLS configuration:

    root@cinhtau:~# cp /etc/proftpd/tls.conf tls.conf.example
    root@cinhtau:~# vim /etc/proftpd/tls.conf
    

    The contents of the TLS configuration:

    root@cinhtau:~# cat /etc/proftpd/tls.conf
    #
    # Proftpd configuration for FTPS connections.
    #
    TLSEngine                    on
    TLSLog                       /var/log/proftpd/tls.log
    TLSProtocol                  TLSv1.2
    TLSRSACertificateFile        /etc/letsencrypt/live/cinhtau.net/cert.pem
    TLSRSACertificateKeyFile     /etc/letsencrypt/live/cinhtau.net/privkey.pem
    TLSCertificateChainFile      /etc/letsencrypt/live/cinhtau.net/chain.pem
    TLSRequired                  on
    TLSRenegotiate               none
    

    The important settings are TLSProtocol and TLSRequired on. Ensure that the TLS module configuration is included (uncommented) in proftpd.conf:

    root@cinhtau:~# cat /etc/proftpd/proftpd.conf | grep tls
    Include /etc/proftpd/tls.conf
    

    You can restrict the access in proftpd.conf:

    Order allow,deny
    Allow from 192.168.1.100
    Deny from all
    

    Restart the service and there you go:

    root@cinhtau:~# /etc/init.d/proftpd restart
    [ ok ] Restarting proftpd (via systemctl): proftpd.service.
    

    FileZilla will still ask you to accept the certificate, but you can check that it is yours :-) . FileZilla doesn’t check the CA.

  14. 2015-06-23 - TLS, SSL and HTTPS?; Tags: TLS, SSL and HTTPS?

    TLS, SSL and HTTPS?

    [What’s the difference between SSL, TLS, and HTTPS?](http://security.stackexchange.com/questions/5126/whats-the-difference-between-ssl-tls-and-https?newreg=5a0d1d02fb244551b61b81d79f0f0753)

    Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to negotiate a symmetric session key. This session key is then used to encrypt data flowing between the parties. (Source: https://en.wikipedia.org/wiki/Transport_Layer_Security, 2015-06-23)

    The important things:

    • TLS is a cryptographic protocol
    • It is used for encrypted communication
    • For communication there are two parties involved.

    If TLS, SSL or HTTPS is an essential part of your application or system and you have to guarantee secure communication, it is wise to perform connection validation tests between you and your partners. The cause of a failure may be on your system or on your partner’s side. Either way, if you fail to communicate, it may result in a really big business problem.

    Automated connection and handshake tests help you to detect this and let you keep tabs on connectivity issues.

    Example scenario: during a migration or release of a new application, no one noticed that the default version of TLS on the system had been upgraded to v1.2. The partner side wasn’t able to handle the new TLS version and therefore no connection could be established. Without that knowledge you have to hunt for the issue. Is it the application or the network configuration? Nothing has changed? Panic!

    To spare yourself this kind of situation you need tests that let you check this quickly. Furthermore you can compare the conditions and the results with each other. If you have to keep your system and application highly available, you also have a failover system or scenario to cover. For continuous delivery it is a necessity!

    Google’s nogotofail enables you to perform such tests. Additionally it checks for security issues and scenarios like MITM (man-in-the-middle attacks).

  15. 2015-06-20 - SSL server and client test; Tags: SSL server and client test

    SSL server and client test

    https://www.ssllabs.com/ provides an excellent, detailed report about an SSL certificate and the server presenting it. It not only checks the server’s capabilities but also known vulnerabilities like Heartbleed. Another plus is that it has a simulation suite that tests the SSL handshake for several browsers and devices.

    Qualys SSL Labs also maintains a collection of tools that are helpful in understanding SSL/TLS connections. One in particular is the View My Client page, which displays information about the client connection.