ACME (P.S.): SSL Tips and Tools

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
good morning everybody and welcome back to next door netadmin I have had a Dickens of a Time coming up with something to talk about this week largely because I've been too busy at work to put any thought into things so I know I said that we were done with our Acme Deep dive and that's still true but I thought I'll do one last followup to show you guys some of the tools and handy helpers let's say that I use when I'm busy working on SSL in general certificates and such First Tool I'm going to show you is a certificate search engine and this browses the certificate transparency logs if you don't know what those are when certificate is issued many certificate authorities will register that certificate in the certificate transparency logs which are run by Third parties um Google has some of the biggest ones for example and those logs are there so that anybody can run a search on what certificates have been issued so that you can review the certificates issued for a particular domain and verify that nobody's been issued issuing certificates without your knowledge useful but the certificate search engine that I'm going to show you is also really really useful for being able to look at the structure of a certificate and being able to see visually what all information is in there so that's going to be one of the things that I show you I would also be remiss if I did not include the qualis uh SSL Labs tester and this is something that I use to review websites when I've configured them to make sure that I've got solid settings I haven't missed anything uh it's also something that I will occasionally use to examine another website that I have not had any handin configuring you can use it for troubleshooting the SSL negotiation process in addition to having a certificate one of the important parts in SSL is having a matching list of ciphers on either end and if it doesn't if there isn't a compatible match then SSL will fail because it can't negotiate a matching Cipher on both ends so using this tool will allow you to get a good idea of what ciphers are being offered by a remote site that you don't have the ability to just look at the configuration for third tool I'm going to show you will be the Mozilla SSL configuration generator this is a tool that is maintained by Mozilla makers of Firefox Thunderbird a few other products in there and it has a lot of um tweakable settings shall we say that will then output a list of recommendations recommended settings that you can put into whatever your your server software is now this is not a Windows tool this is very much for the Linux slmc folks starx I don't know why I just don't use that term so you can configure it for Apache you can configure it for engine X you can configure it for some FTP software there's a whole list and they kind of break down the settings into I think it's old intermediate and modern might be Legacy instead of old I don't remember but the long and short of it is based on which clients you're planning on supporting if you only need the most modern clients supported you can go with a modern configuration if you kind of want something that is up todate security-wise but still allows a fair number of older clients to work with your configuration then you'd go with intermediate intermediate is suggested it's what I typically go with if you have very very specific needs to support Legacy or older clients then the Legacy configuration might be what you need but it's not generally speaking as secure as intermediate modern is so you would probably want to put some additional um technological measures in there to make sure that everything works in a secure fashion the fourth tool I'm going to take a look at is a Windows tool and that is IIs crypto despite the name IIs crypto is not just for people using I the web server that comes with Windows IIs crypto is better understood as just a tool for manipulating the registry settings in Windows to do some of the same things that the Mozilla SSL configuration generator could do on a star Nix side except in Windows in order to control the availability of ciphers and other such detailed parameters you really need to use the registry doing that manually is painful so IIs crypto is a wonderful tool that you can use to set the registry to the configuration that you want these are just tips and tricks of the trade essentially so let's get started and I'll show you them to you show them to you all right this is the first tool that I said I would show you a certificate search engine also handl named such that you can pronounce this search you are going to search for certificates here crt.sh you can enter an identity typically we would use a domain name you can also enter enter a certificate fingerprint if that's what you have if we take a look at the Domain for which I issued the test certificates in the previous Acme Deep dive um you can see that we've got three different certificates here now you're looking at this and you're going I see six entries what do you mean there's three well if you'll note these are all paired we have two certificates that I issued for test and one that I issued for test two and I'm actually going to open both of these for test two so that we can see what the difference is this one is a pre certificate this one is a leaf certificate now a leaf certificate in this case is the actual end entity certificate that we're talking about um a pre- certificate on the other hand is a certificate sort of it's one that's issued in advance so that the certificate transparency logs can sign it and then when it is signed the actual signed entries from for the signed certificate timestamp get added to the actual certificate that's issued you can't get assigned timestamp without submitting something to the logs so you have a pre- certificate here but otherwise they are largely the same if you look through this you can see yeah we've got key usage for web server authentication web client authentication you can see the authority information access which gives you information on the certificate Authority and any ocsp responders you can see the subject alternative names including any other domain names that this certificate is valid for and you can see here that this is pre certificate poisoned anything that has this pre certificate poison field is not valid for actual use in an SSL negotiation but then if you go to the actual certificate like I said much the same serial number signature algorithm issuer validity this one though has the signed certificate timestamps showing that it's been submitted to Google argon it's been submitted to diger Yeti these are both uh certificate transparency logs they have included their signatures over their log IDs and then this is the actual signature from the certificate Authority this is kind of what it looks like on the back end and occasionally you can take a look at something and figure out something that's gone wrong or you can figure out other things such as hey this has a bunch of other domain names on it I wonder if those ones are configured in the same fashion speaking of configuring in the same fashion the second tool I'm going to show you is the qualis SSL laabs server test page SSL labs.com SSL test this gives you a lot of information about how a particular web server is set up and a lot of times you might choose to tick this box that says do not show the results on the boards if uh it's something that you aren't sure about how well you're doing maybe you don't want that information public maybe you don't care but when you enter a host name there and I'm actually going to choose one of these in the recent best just to save ourselves some time the actual analysis can take a few minutes and I don't want to bore you with that but when you have the test completed you'll get an overall rating you'll get a idea of how strong you are your configuration rather is in various areas but then you get to the juicy details certificate number one it's an elliptic curve certificate 384 bits it's using an sha 256 with RSA signature you can see yes it is using certificate transparency when it's valid from when it's valid until is it does it have ocsp must staple no is there a DNS CAA record no is it trusted yes okay then you'll see additional certificates because you never get just one certificate unless it's the root your web server is supposed to send the leaf certificate as well as any intermediates along along the way but not the root certificate so this is the intermediate certificate for R3 which is coming from the Internet Security research group let's encrypt and if you open the certifi certification paths this one was sent by the server this one was sent by the server the root is in the trust store already and should not generally be sent and you can check the certification paths for various operating systems and know that everything is good continuing on we see that this supports TLS 1.3 and 1.2 nothing older that's good we can see the cipher Suites that are configured for this website that's also useful and then you get into handshake simulations for various operating systems and browser combinations you can see which ones will just fail completely and you can see which ones will work very nicely and you can see this one will use TLS 1.2 with HTTP 1.1 these ones will use TLS 1.2 but they'll upgrade it to http2 because this particular website has http2 support then you've got a bunch of really old iOS versions and Safari versions that will just die completely protocol details a lot of this is good anytime you see green it's good anytime you see orange or yellow it's a warning something to look at see if you can figure it out if it's red that's definitely a security risk so as you adjust things you will be able to rerun the test and see how it goes and you would be able to rerun the test if you scroll back up to the Top If you hit clear cache it will run the test again or you could hit scan another to go back to the index page and choose a different host name to scan entirely but this gives you a lot a lot of in-depth information that you can use to troubleshoot or tune your configuration appropriately next up the Mozilla SSL configuration generator like I said lots of options to tweak here you can choose use your server software whether that's light TBD or whether that's postfix or SQL I'm sticking with Apache just for the sake of uh showing you something specific and it is modern intermediate and old like I said this should only be used as a last resort intermediate is for general purpose systems and it is recommended the server version you can actually change the version here to a different version so that you can make sure that you have the most uh secure ver uh excuse me the most upto-date version or if you're using something that has an older version of software you can get something that is compatible a little further back in time that still satisfies these particular desires ocsp stapling is a good thing to support HTTP strict Transport Security good to have and you'll get top marks for it on the SSL server test if you have it but it's important to know the consequences of checking this box if you use HTTP strict Transport Security browsers will essentially say okay I understand that the admin is telling me that it wants me to only use https and if the certificate fails verification or there is something else wrong with the site don't load it at all not even if the admin tells me to this is essentially a one-way gate and so if you you break something in your configuration and you had this set then people just won't be able to load your website or whatever software you're running whether it's a proxy whether it's a mail server whether it's a database if you have this set you got to be really careful that you know what you're doing and you're committing to never taking SSL off this site because if you take SSL off this site nobody will be able to connect to it for another six months because that's a typical duration for when how long this setting lasts so then it'll give you Snippets that you can insert into your configuration including SSL protocol you're using all of them but then you're taking out the old and insecure ones it'll give you your SSL Cipher Suite in the required naming convention if you come over here you'll notice that these all start with TLS and then have a bunch of parameters after it these ones do not start with TLS they just start with the algorithm name and they're a little different that's because these are TLS Cipher Suites and you can see the parameters there these are their open SSL names depending on your version of op SSL and so there's a little bit of translation that needs to be done there because of the different names that both protocols use for them they're the same algorithms you just need to know which name you're using for which software and then you have the uh the other parameters that are suggested in there as well what happens if you take the HTTP strict Transport Security setting off well we lost a section of our configuration this one is a rewrite that just rewrites everything from insecure to secure traffic but then this also has header always set strict Transport Security max age y da and the other thing it removed I think was protocols H2 which is odd no it still has protocols H2 I guess I'm just seeing things isn't that fun but yeah if you want to go to Modern you can see it changes a lot of things for example in modern we're also disallowing TLS version 1.2 we're not specifying any ciphers because all of the ciphers in TLS 1.3 are secure uh and there's only three of them whereas in TLS 1.2 you have to limit the ciphers available because TLS 1.2 had a lot of ciphers available some have been broken some have not so you need to manually specify which ciphers you'll want for that clear as mud cool cool let's keep going the last thing IIs crypto this is written by narac software it does update uh when necessary for new versions of Windows it can be a little slow sometimes but if you hit the the goey and download that it is just a single executable you do not need to install it you do not need to do anything specific with it it looks like this I have already used this tool to customize the SSL settings on my test server here if you loaded it up without ever having touched it before a lot of these would look like they're gray out and that just means that it's at default settings then you can check it or uncheck it however you want and you can say Okay I want these protocols I want these ciphers I want hashes key exchanges client protocols and you can also manually set your Cipher Suites move them up and down in preference select them deselect them whatever you want but there's a lot of details here so I will usually go to templates this comes built in with a few different templates you might be tempted to go for Best Practices best practices is a little out of date in my opinion or at least it has been so I will often go with PCI 4.0 if you're doing something that specifically needs to be PCI Compliant or you can even go to strict which disables TLS 1.0 and 1.1 it disables any non-forward secrecy ciphers this is what I would typically use these days myself because even though this is strict for the windows world it's actually a pretty good match to the intermediate settings that you get from the Mozilla SSL configuration generator when you have and then if you select that and hit no you don't have to hit apply yet I was almost going to tell you something wrong if you select a template here and then go back to your s Channel or Cipher Suites this is what it'll look like for just server defaults everything is just the way it normally is cool if you go to best practices then you can take a look and say oh well best practices includes TLS 1.0 and TLS 1.1 nobody's using that these days in a secure context so I wouldn't recommend you use that either that's why I'm like best practices is not best practices to me the only major differences between PCI 4.0 and strict is these additional Cipher Suites we have an as 256 128 we have a bunch of ecdhe with RSA as well as those if we go back to strict you can see that we've still got the GCM AES Suites we have a couple ecdhe RSA but only only the ones that are using GCM I'm going to switch back to PCI 4.0 for a second because you can see under PCI 4.0 you have some cbc's as well as GCM GCM stands for galwa counter mode I do not need to go that deep into the math but GCM is faster it is more performant and it is better for parallel ization CBC is cipher block chaining mode where every block of encryption relies on the previous Block in order to verify that everything's good this is reasonably secure but it relies very much on getting an unbroken stream from beginning to end because you can't decrypt anything towards the end if you don't have every single block that that came before it so for that reason it's a little more taxing there's more packets that need to be reassembled in order to decrypt the communication it's recommended these days that you stick wherever possible to gwa counter mode GCM because it can be better parallelized so that's what I have here and that's why I use strict when you hit apply that saves your changes in the registry this tool will not reboot the computer unless you have the reboot option ticked so you can apply these settings without rebooting but they will not take effect until you reboot the computer so get it the way you like it apply it then reboot the computer and you'll be using the settings that you set here and that's basically everything that I had to show you there you go we've gone through all four of the tools and tips and tricks that I had there to show you hopefully these make your work with SSL and certificates in general a little more rewarding and little easier along the way so I guess thank you very much for joining me on this PostScript to our Acme Deep dive I am your next door netadmin thank you very much for watching we'll see you later
Info
Channel: NextDoorNetAdmin
Views: 31
Rating: undefined out of 5
Keywords:
Id: xCJTO8Apdns
Channel Id: undefined
Length: 25min 29sec (1529 seconds)
Published: Mon May 06 2024
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.