Blogging Techstacks

New Doc: How To Enable SSLv2 and TLSv1.2 in OpenSSL 1.0.1c on Ubuntu 13.04

2013-05-22T09:30:00-04:00

A new HOWTO article detailing changes one needs to make in order to compile SSLv2 and TLSv1.2 client support into an Ubuntu 13.04 installation running OpenSSL 1.0.1c has been posted to the Techstacks HOW TO site: How To Enable SSLv2 and TLSv1.2 in OpenSSL 1.0.1c on Ubuntu 13.04.

New Doc: How To Enable SSLv2 Methods in Net::SSLeay

2013-05-21T13:00:00-04:00

I recently discovered that getting reliable results running cryptonark scans on an Ubuntu 13.04 box running OpenSSL 1.0.1c and Net::SSLeay 1.54 required quite a bit of manual intervention on my part but it did result in a couple of additional How To posts. The first of these posts have been published over on the Techstacks How To site: How To Enable SSLv2 Methods in Net::SSLeay.

New How To Grade Java 6 Encryption Ciphers Doc Available

2013-05-21T09:30:00-04:00

I posted Grade Encryption Ciphers in Java 6 on the How To site the other day and after posting it, I couldn't help but hope that something in it was incorrect. Let me know what you think but with the current state that SSL and TLS are in, things are pretty depressing. While writing it, I kept remembering a point Ivan Ristic had made over on the SSLLabs blog a few weeks ago in the post RC4 in TLS is broken: Now what?/p>

...for public web sites that need to support a wide user base, there is practically nothing 100% secure they can use to replace RC4. We now have no choice but to accept that, no matter what settings we use, some segment of the user base will be at risk.

Apache Tomcat 7.0.40 Released

2013-05-10T09:38:32-04:00

The Apache Tomcat team announced the release of Tomcat 7.0.40, which contains bug fixes and enhancements as well as a fix for an Information Disclosure vulnerability. See the changelog for more details and download source and binaries from a mirror near you!

Apache Tomcat 6.0.37 Released

2013-05-07T09:28:24-04:00

The Apache Tomcat team released version 6.0.37, which primarily contains bug fixes but also includes some security fixes.

One of the neat enhancements in this release is the addition of the SSLHonorCipherOrder directive, which lets the administrator pin the order that ssl encryption ciphers will be offered to ssl clients. With it, you can now configure tomcat to prioritize RC4 encryption ciphers if you're looking to do some BEAST remediation.

Another SSL-related change in this release is that you can now disable TLS Compression on the APR connector (assuming you're using a version of OpenSSL that allows you to disable TLS compression). This can help provide additional protection against the CRIME attack/vulnerability.

See the Apache Tomcat 6 Changelog for all the enhancments and fixes in this release and you can download source and binaries from a tomcat 6 mirror site.

SSL Labs Updates SSL/TLS Deployment Best Practices Doc

2013-04-28T10:25:43-04:00

Qualys SSL Labs has updated their SSL/TLS Deployment Best Practices guide to version 1.1. See a list of changes at the SSL Labs Community blog post, which links to the Best Practices PDF.

An OpenSSL Version Matrix

2013-04-26T23:41:47-04:00

Here's a basic OpenSSL version number matrix, which I compiled because I couldn't find it on the 'net earlier. It's displayed here as a simple perl hash and goes back to the May 1999 release of version 0.9.3. Versions prior to 0.9.3 utilized a different versioning scheme. It includes the openssl version number in hex from the crypto/opensslv.h header file and its corresponding version string plus the release date.


#OPENSSL VERSION NUMBER MATRIX

# Format of this hash is:
# version number in hex => Version Number - Release Date
%openssl_versions = (
    '0x00903100' => 'OpenSSL 0.9.3  - May 24 1999',
    '0x00903101' => 'OpenSSL 0.9.3a - May 29 1999', 
    '0x00904100' => 'OpenSSL 0.9.4  - Aug  9 1999',
    '0x00905100' => 'OpenSSL 0.9.5  - Feb 29 2000',
    '0x0090581f' => 'OpenSSL 0.9.5a - Apr  3 2000',
    '0x0090600f' => 'OpenSSL 0.9.6  - Sep 24 2000',
    '0x0090601f' => 'OpenSSL 0.9.6a - Apr  5 2001',
    '0x0090602f' => 'OpenSSL 0.9.6b - Jul  9 2001',
    '0x0090603f' => 'OpenSSL 0.9.6c - Dec 21 2001',
    '0x0090604f' => 'OpenSSL 0.9.6d - May 10 2002',
    '0x0090605f' => 'OpenSSL 0.9.6e - Jul 30 2002',
    '0x0090606f' => 'OpenSSL 0.9.6f - Aug  8 2002',
    '0x0090607f' => 'OpenSSL 0.9.6g - Aug  9 2002',
    '0x0090608f' => 'OpenSSL 0.9.6h - Dec  8 2002',
    '0x0090700f' => 'OpenSSL 0.9.7  - Dec 31 2002',
    '0x0090609f' => 'OpenSSL 0.9.6i - Feb 19 2003',
    '0x0090701f' => 'OpenSSL 0.9.7a - Feb 19 2003',
    '0x0090702f' => 'OpenSSL 0.9.7b - Apr 10 2003',
    '0x009060af' => 'OpenSSL 0.9.6j - Apr 10 2003',
    '0x0090703f' => 'OpenSSL 0.9.7c - Sep 30 2003',
    '0x009060bf' => 'OpenSSL 0.9.6k - Sep 30 2003',
    '0x009060cf' => 'OpenSSL 0.9.6l - Nov  4 2003',
    '0x009060df' => 'OpenSSL 0.9.6m - Mar 17 2004',
    '0x0090704f' => 'OpenSSL 0.9.7d - Mar 17 2004',
    '0x0090705F' => 'OpenSSL 0.9.7e - Oct 25 2004',
    '0x0090706F' => 'OpenSSL 0.9.7f - Mar 22 2005',
    '0x0090707f' => 'OpenSSL 0.9.7g - Apr 11 2005',
    '0x0090800f' => 'OpenSSL 0.9.8  - Jul  5 2005',
    '0x0090708f' => 'OpenSSL 0.9.7h - Oct 11 2005',
    '0x0090801f' => 'OpenSSL 0.9.8a - Oct 11 2005',
    '0x0090709f' => 'OpenSSL 0.9.7i - Oct 15 2005',
    '0x009070af' => 'OpenSSL 0.9.7j - May  4 2006',
    '0x0090802f' => 'OpenSSL 0.9.8b - May  4 2006',
    '0x009070bf' => 'OpenSSL 0.9.7k - Sep  5 2006',
    '0x0090803f' => 'OpenSSL 0.9.8c - Sep  5 2006',
    '0x009070cf' => 'OpenSSL 0.9.7l - Sep 28 2006',
    '0x0090804f' => 'OpenSSL 0.9.8d - Sep 28 2006',
    '0x009070df' => 'OpenSSL 0.9.7m - Feb 23 2007',
    '0x0090805f' => 'OpenSSL 0.9.8e - Feb 23 2007',
    '0x00908070' => 'OpenSSL 0.9.8f - Oct 11 2007',
    '0x0090807f' => 'OpenSSL 0.9.8g - Oct 19 2007',
    '0x0090808f' => 'OpenSSL 0.9.8h - May 28 2008',
    '0x0090809f' => 'OpenSSL 0.9.8i - Sep 15 2008',
    '0x009080af' => 'OpenSSL 0.9.8j - Jan  7 2009',
    '0x009080bf' => 'OpenSSL 0.9.8k - Mar 25 2009',
    '0x10000001' => 'OpenSSL 1.0.0-beta1 - Apr 1 2009',
    '0x10000002' => 'OpenSSL 1.0.0-beta2 - Apr 21 2009',
    '0x10000003' => 'OpenSSL 1.0.0-beta3 - Jul 15 2009',
    '0x009080cf' => 'OpenSSL 0.9.8l - Nov  5 2009',
    '0x10000004' => 'OpenSSL 1.0.0-beta4 - Nov 10 2009',
    '0x10000005' => 'OpenSSL 1.0.0-beta5 - Jan 20 2010',
    '0x009080d1' => 'OpenSSL 0.9.8m-beta1 - Jan 20 2010',
    '0x009080df' => 'OpenSSL 0.9.8m - Feb 25 2010',
    '0x009080ef' => 'OpenSSL 0.9.8n - Mar 24 2010',
    '0x1000000f' => 'OpenSSL 1.0.0  - Mar 29 2010',
    '0x009080ff' => 'OpenSSL 0.9.8o - Jun  1 2010',
    '0x1000001f' => 'OpenSSL 1.0.0a - Jun  1 2010',
    '0x0090810f' => 'OpenSSL 0.9.8p - Nov 16 2010',
    '0x1000002f' => 'OpenSSL 1.0.0b - Nov 16 2010',
    '0x0090811f' => 'OpenSSL 0.9.8q - Dec  2 2010',
    '0x1000003f' => 'OpenSSL 1.0.0c - Dec  2 2010',
    '0x0090812f' => 'OpenSSL 0.9.8r - Feb  8 2011',
    '0x1000004f' => 'OpenSSL 1.0.0d - Feb  8 2011',
    '0x1000005f' => 'OpenSSL 1.0.0e - Sep  6 2011',
    '0x10001001' => 'OpenSSL 1.0.1-beta1 - Jan  3 2012',
    '0x1000006f' => 'OpenSSL 1.0.0f - Jan  4 2012',
    '0x0090813f' => 'OpenSSL 0.9.8s - Jan  4 2012',
    '0x0090814f' => 'OpenSSL 0.9.8t - Jan 18 2012',
    '0x1000007f' => 'OpenSSL 1.0.0g - Jan 18 2012',
    '0x10001002' => 'OpenSSL 1.0.1-beta2 - Jan 19 2012',
    '0x10001003' => 'OpenSSL 1.0.1-beta3 - Feb 24 2012',
    '0x1000008f' => 'OpenSSL 1.0.0h - Mar 12 2012',
    '0x0090815f' => 'OpenSSL 0.9.8u - Mar 12 2012',
    '0x1000100f' => 'OpenSSL 1.0.1  - Mar 14 2012',
    '0x1000009f' => 'OpenSSL 1.0.0i - Apr 19 2012',
    '0x0090816f' => 'OpenSSL 0.9.8v - Apr 19 2012',
    '0x1000101f' => 'OpenSSL 1.0.1a - Apr 19 2012',
    '0x0090817f' => 'OpenSSL 0.9.8w - Apr 23 2012',
    '0x1000102f' => 'OpenSSL 1.0.1b - Apr 26 2012',
    '0x0090818f' => 'OpenSSL 0.9.8x - May 10 2012',
    '0x100000af' => 'OpenSSL 1.0.0j - May 10 2012',
    '0x1000103f' => 'OpenSSL 1.0.1c - May 10 2012',
    '0x0090819f' => 'OpenSSL 0.9.8y - Feb  5 2013',
    '0x100000bf' => 'OpenSSL 1.0.0k - Feb  5 2013',
    '0x1000104f' => 'OpenSSL 1.0.1d - Feb  5 2013',
    '0x1000105f' => 'OpenSSL 1.0.1e - Feb 11 2013'
);

Could Bing Be a Honeypot?

2013-04-19T21:34:19-04:00

I open a browser and go to https://www.bing.com/.

Safari on the Mac displays:

Firefox displays the following warning:

At first glance, it appears as if www.bing.com, front-ended by longtime content delivery network provider Akamai, is using a wildcard cert with multiple Subject Alernative Names but "*.bing.com" is not one of them.

But there's more. The certificate key size is only 1024 bits! Weak ciphers (< 128 bits) work! SSLv2 works!! Is this a honeypot?

Now, the discussion occurring on Hacker News regarding this issue did point out that Bing does not advertise ssl support for www.bing.com but it does support ssl on web applications under ssl.bing.com. The concern I have here is that weak ciphers work to this host and SSLv2 connections also work, (but the certificate key is 2048 bits at least). So, things aren't much better on ssl.bing.com.

There is an Introduction to iRules Book Out

2013-04-11T11:27:21-04:00

Steven Iveson has published the eBook, An Introduction to F5 Networks LTM iRules, available in Kindle Reader format on Amazon. Presently, the U.S. price is $7.99.

The 138 page book is geared towards networking professionals who are beginners with iRules and need to get a solid introduction to iRules commands, statements, tcl syntax, etc. There is supposed to be a second edition released soon that expands the topics covered in the book and the author expects that the second edition will be delivered for free to purchasers of the first edition.

Apache Tomcat 7.0.39 Released

2013-03-29T09:14:43-04:00

The Apache Tomcat team released version 7.0.39, which is mostly a bug fix release. The release announcement lists the following notable enhancements:

There have been multiple improvements in the bytes to/from characters conversion process. The core conversion process has been refactored to use the NIO APIs. This has resulted in a number of improvements including invalid UTF-8 byte sequences at the end of a series of bytes now trigger a conversion error rather than being silently swallowed. Errors detected in request URIs will be replaced with the replacement character (allowing the application to respond to the invalid URI as it wishes) and errors in request bodies will trigger an IOException. The use of the JVM provided UTF-8 decoder has been replaced by a better UTF-8 decoder derived from Apache Harmony. This improved decoder has earlier detection of error conditions and more closely follows the Unicode specification regarding the use of replacement characters.

The annotation scanning process now provides more information if the scan fails due to broken class dependencies. There is now enough information to identify the class(es) at fault. The JAR scanning process that supports annotation scanning has also seen multiple improvements and fixes including the exclusion by default of the Bootstrap class path from the scan.

Upgraded a number of Tomcat's dependencies including Commons Daemon to 1.0.14, Commons IO to 2.4 and Commons FileUpload to r1458500. A new dependency on Commons Codec was added to replace Tomcat's internal Base64 encoder/decoder.

Refer to the complete changelog for all of the fixes and enhancements in this release and you can download tomcat 7.0.39 source and binaries from a mirror near you.