tls
wget isn’t checking CRLs?
Just a wild theory, but wget is not checking for revoked certificates.
How did I come to this conclusion – and how did I try to verify that?
First some infos about versions – which may be rather important on that topic.
wget --version GNU Wget 1.15 built on linux-gnu. openssl version OpenSSL 1.0.1f 6 Jan 2014
Check about the current certificate, like mine here at https://www.höllrigl.at -> you’ll see a certificate from „StartCom Class 1 Primary Intermediate Server CA“ CA and a CRL at http://crl.startssl.com/crt1-crl.crl
So I’m checking about where to find the CRL and get a nice list
# dig crl.startssl.com +short www.startssl.com.edgesuite.net. a1603.g1.akamai.net. 92.122.206.27 92.122.206.10
So let’s see if we find some traffic that goes there – first I tried a ping:
# tcpdump -i eth0 host crl.startssl.com tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 21:34:23.967704 IP 192.168.3.1 > a92-122-206-10.deploy.akamaitechnologies.com: ICMP echo request, id 18687, seq 1, length 64 21:34:24.016819 IP a92-122-206-10.deploy.akamaitechnologies.com > 192.168.3.1: ICMP echo reply, id 18687, seq 1, length 64
Next thing, fetch that URL with wget
# wget https://www.höllrigl.at --2015-11-30 21:35:46-- https://www.xn--hllrigl-90a.at/ Resolving www.höllrigl.at (www.xn--hllrigl-90a.at)... 193.239.248.170, 2a04:5540:1:41::10 Connecting to www.höllrigl.at (www.xn--hllrigl-90a.at)|193.239.248.170|:443... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘index.html.2’ [ <=> ] 29,620 --.-K/s in 0.05s 2015-11-30 21:35:48 (594 KB/s) - ‘index.html.2’ saved [29620]
Now I’d like to show to you the dumped packages in tcpdump – but there are none.
Other strong indicators are, that there only started to be a ‚–crl-file=file‘ option to wget starting with 1.16, which allows you to check your certificate against a locally stored CRL file.
openssl ciphers
Wie erzeuge ich eine sinnvolle Liste von Ciphers?
Möglichkeit 1: Schau nach, was andere tun – zum Beispiel bei bettercrypto.org
Möglichkeit 2: Erzeuge eine Liste mit openssl. Das ist auch interessant um zu erfahren was sich hinter Kürzeln wie HIGH, LOW oder EXPORT verbirgt:
$ openssl ciphers 'HIGH' ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:ADH-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA
Oder auch, was verbiete ich mit !RC4:
$ openssl ciphers 'RC4' ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AECDH-RC4-SHA:ADH-RC4-MD5:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EXP-ADH-RC4-MD5:EXP-RC4-MD5
Siehe dazu auch www.openssl.org
HAProxy SSL
bettercrypto.org hat das derzeit noch nicht der Anleitung.
Daher hier das Codesnippet um aktuelle Verschlüsselungsalgorithmen im HAProxy zu aktivieren und z.B.
bind 0.0.0.0:443 ssl crt /path/to/certfile.crt ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA no-sslv3