Recently in Security Category

Let's Encrypt Wildcard Certificate 要達到自動化設定,
必需使用 Pre Validation Hooks --manual-auth-hook 參數, 自定義 Script 去設定 TXT
可以使用的變數參考 Pre and Post Validation Hooks
主要是這兩個 CERTBOT_DOMAIN 及 CERTBOT_VALIDATION, 分別是域名及需要設定的 TXT 值
--manual-cleanup-hook 則是 Post Validation Hooks, 可把先前設定的 TXT 刪除及其他事後的動作
e.g.
certbot-auto certonly -m user@mail.com --server https://acme-v02.api.letsencrypt.org/directory \
  -d domain.com -d *.domain.com --manual --manual --preferred-challenges dns-01 \
  --manual-auth-hook /usr/local/bin/auth-hook.sh --manual-cleanup-hook /usr/local/bin/cleanup-hook.sh

Let's Encrypt 在三月中旬開放了 Wildcard Certificate
Client 端需支援 ACMEv2
certbot 需 >=0.22
certbot-auto certonly -m user@mail.com --server https://acme-v02.api.letsencrypt.org/directory -d domain.com -d *.domain.com --manual --preferred-challenges dns-01

Wildcard Certificate 只能用 DNS TXT 驗證,
流程中會出現一組 Code, 要設定到 _acme-challenge.domain.com 的 TXT 指向

OCSP

user-pic
Vote 0 Votes

瀏覽器(除了Google Chrome,註)會透過 OCSP 協定去檢查憑證是否有效
憑證中有一個欄位是 OCSP URI, 瀏覽器就透過 OCSP URI 去檢查
openssl s_client -showcerts -connect google.com:443 < /dev/null | openssl x509 -text | grep OCSP

其 Request 透過 HTTP POST 方式傳 issuerNameHash, issuerKeyHash, serialNumber 這三個參數給 OCSP Server

Response 回應 CertStatus ::= CHOICE {
good [0] IMPLICIT NULL,
revoked [1] IMPLICIT RevokedInfo,
unknown [2] IMPLICIT UnknownInfo }

以下說明截錄 RFC 6960
The "good" state indicates a positive response to the status inquiry.
At a minimum, this positive response indicates that no certificate
with the requested certificate serial number currently within its
validity interval is revoked. This state does not necessarily mean
that the certificate was ever issued or that the time at which the
response was produced is within the certificate's validity interval.
Response extensions may be used to convey additional information on
assertions made by the responder regarding the status of the
certificate, such as a positive statement about issuance, validity,
etc.

The "revoked" state indicates that the certificate has been revoked,
either temporarily (the revocation reason is certificateHold) or
permanently. This state MAY also be returned if the associated CA
has no record of ever having issued a certificate with the
certificate serial number in the request, using any current or
previous issuing key (referred to as a "non-issued" certificate in
this document).

The "unknown" state indicates that the responder doesn't know about
the certificate being requested, usually because the request
indicates an unrecognized issuer that is not served by this
responder.

註: Google Chrome 因考量到速度, 不使用 OCSP, 而是使用自己的機制, 使用定期更新的 Local List

AlwaysOnSSL

user-pic
Vote 0 Votes

AlwaysOnSSL
另一家免費憑證供應商, 也有提供 API, 簽發憑證有效期是一年

wmic qfe get hotfixid | findstr /c:KB4012215 /c:KB4015549 /c:KB4019264

Have result, NOT vulnerable
No result, vulnerable

dehydrated

user-pic
Vote 0 Votes

dehydrated 之前叫做 letsencrypt.sh 因為名稱違反 Let's Encrypt 的商標而改名
設定跟之前大同小異

以下範例 Document Root 在 /var/www/html, dehydrated 放在 /usr/local
cd /usr/local
git clone https://github.com/lukas2511/dehydrated
cd dehydrated
echo "yourdomain.com www.yourdomain.com" > domains.txt
mkdir -p /var/www/html/.well-known/acme-challenge # 另一個方法是設 alias (官網教的方法)
echo BASEDIR=/usr/local/dehydrated > config
echo WELLKNOWN=/var/www/html/.well-known/acme-challenge >> config
./dehydrated --register --accept-terms
./dehydrated -c

Let's Eencrypt 憑證有效期只有三個月, 到期前要再來執行 dehydrated -c
可排程每月執行, 剩餘時間要少於 30 天才會 renew, 不然只會提示 Longer than 30 days. Skipping

若機器有防火牆, 需開放以下 IP (for ACME challenge)
outbound1.letsencrypt.org 66.133.109.36
outbound2.letsencrypt.org 64.78.149.164

Apache 設定
Unmark Include conf/extra/httpd-ssl.conf in httpd.conf
conf/extra/httpd-ssl.conf 內容
SSLCertificateFile /usr/local/dehydrated/certs/yourdomain.com/cert.pem
SSLCertificateKeyFile /usr/local/dehydrated/certs/yourdomain.com/privkey.pem
SSLCertificateChainFile /usr/local/dehydrated/certs/yourdomain.com/chain.pem
SSLCACertificateFile /usr/local/dehydrated/certs/yourdomain.com/fullchain.pem

openssl s_client

user-pic
Vote 0 Votes

openssl s_client 可用來查看 HTTPS Server 的憑證
openssl s_client -connect helloworld.letsencrypt.org:443
or
openssl s_client -host helloworld.letsencrypt.org -port 443

ssh/sftp 遇到 no matching cipher found 原因是在 OpenSSH 6.7 之後,
預設移除了不安全的 Cipher, *cbc 及 arcfour*
若使用較舊的 Client, 跟 Server 沒有 matching cipher 就會無法連線

解法:
更新 Client 或啟用 Server 端不安全的 Cipher,
在 sshd_config 加入 *cbc 的支援
Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,blowfish-cbc,cast128-cbc,chacha20-poly1305@openssh.com
若還是不行, 就全加, 在 sshd_config 加入 *cbc 及 arcfour* 的支援
Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour,arcfour128,
arcfour256,blowfish-cbc,cast128-cbc,chacha20-poly1305@openssh.com

letsencrypt.sh

user-pic
Vote 0 Votes

letsencrypt.shLet's Encrypt - Free SSL/TLS Certificates (2015年底上線) 的 BASH Client, 使用非常易容易

以下範例為 letsencrypt.sh 目錄放在 /usr/local
Document Root 在 /var/www/html

cd /usr/local
git clone https://github.com/lukas2511/letsencrypt.sh
cd letsencrypt.sh
echo yourdomain.com www.yourdomain.com > domains.txt # 建立 domains.txt, 內容是你的 domain name 及 sub domain name
mkdir -p /var/www/html/.well-known/acme-challenge # challenge-response directory
cp config.sh.example config.sh
修改裡面的 WELLKNOWN=/var/www/html/.well-known/acme-challenge
執行 ./letsencrypt.sh -c

letsencrypt 憑證有效期只有三個月, 到期前要再來執行 letsencrypt.sh -c
可排程每月執行, 剩餘時間要少於 30 天才會 renew, 不然只會提示 Longer than 30 days. Skipping

如果遇到這個問題
+ ERROR: An error occurred while sending get-request to https://acme-v01.api.letsencrypt.org/directory (Status 000)
需更新 OpenSSL 的 CA

若機器有防火牆, 需開放以下 IP (for ACME challenge)
outbound1.letsencrypt.org 66.133.109.36
outbound2.letsencrypt.org 64.78.149.164

Apache 設定
Unmark Include conf/extra/httpd-ssl.conf in httpd.conf
conf/extra/httpd-ssl.conf 內容
SSLCertificateFile /usr/local/letsencrypt.sh/certs/yourdomain.com/cert.pem
SSLCertificateKeyFile /usr/local/letsencrypt.sh/certs/yourdomain.com/privkey.pem
SSLCertificateChainFile /usr/local/letsencrypt.sh/certs/yourdomain.com/chain.pem
SSLCACertificateFile /usr/local/letsencrypt.sh/certs/yourdomain.com/fullchain.pem

ref. 用 Shell Script 寫的 Let's Encrypt Client

LINE HERE Inspection

user-pic
Vote 0 Votes

LINE HERE 這支 APP 的功能是即時定位分享, 回傳位置資訊是理所當然的,
不過, 我發現它只要安裝後, 就一直持續回報位置資料, 無論你有沒有分享。
是的, 來看一下它傳了什麼資料

longitude=經度
latitude=緯度
speed=速度
time=時間
chargingBattery=是否充電
battery=電力%
奇怪的是為什麼要回傳手機電力資訊

一般的認知是要分享才會回報資料, 而事實上, LINE HERE 不管你有沒有分享,
大約每五分鐘就會回報一次資訊, 根本不尊重隱私。
LINE HERE 的 Slogan 應該要改成「讓 LINE 隨時隨地都能確認您的所在位置」

註: LINE HERE 通訊是用有加密的 https, 本文的資訊是用 MITM 的方法取得

About this Archive

This page is an archive of recent entries in the Security category.

Programming is the previous category.

Shell is the next category.

Find recent content on the main index or look in the archives to find all content.

Monthly Archives