List ECs (elliptic curves) in Cipher suites

2021-05-24 Thread Kaushal Shriyan 
Hi,

I have shared the below mentioned Cipher suite as part of strong Cipher
Suites to be enabled on the server. The security auditor comments saying
ECs (elliptic curves) are not listed. I am not sure what it means. Please
guide with examples.

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384


Thanks in Advance. I look forward to hearing from you.

Best Regards,

Kaushal

SSL Cipher suites settings in Nginx webserver

2021-05-03 Thread Kaushal Shriyan 
Hi,

I am using Lets Encrypt SSL Certificates for Nginx 1.20.00 webserver
running on CentOS Linux release 7.9.2009 (Core). I will appreciate it if
someone can guide me to set the cipher suites in the Nginx Webserver
config. I am referring to https://ssl-config.mozilla.org/. Is there a way
to verify if the below cipher suites set are accurate and are free from any
vulnerabilities?

$openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
$cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
$nginx -v
nginx version: nginx/1.20.0

ssl_ciphers
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

Please guide and I look forward to hearing from you. Thanks in Advance.

Best Regards,

Kaushal

Re: ./CA.pl -newreq specify servername

2021-02-16 Thread Kaushal Shriyan 
On Tue, 16 Feb 2021 at 6:02 AM, Kaushal Shriyan 
wrote:

> Hi,
>
> I am running CentOS Linux release 7.9.2009 (Core).
>
> #rpm -qa | grep openssl
> openssl-devel-1.0.2k-21.el7_9.x86_64
> openssl-libs-1.0.2k-21.el7_9.x86_64
> openssl-1.0.2k-21.el7_9.x86_64
> openssl-perl-1.0.2k-21.el7_9.x86_64
>
> cd /etc/pki/tls/misc
> [root@basheerdevops misc]# ll
> total 64
> -rwxr-xr-x. 1 root root 5178 Dec 17 02:53 CA
> -rwxr-xr-x  1 root root 5691 Dec 17 02:53 CA.pl
> -rwxr-xr-x. 1 root root  119 Dec 17 02:53 c_hash
> -rwxr-xr-x. 1 root root  152 Dec 17 02:53 c_info
> -rwxr-xr-x. 1 root root  112 Dec 17 02:53 c_issuer
> -rwxr-xr-x. 1 root root  110 Dec 17 02:53 c_name
> -rw-r--r--  1 root root 4837 Feb 16 05:51 newcert.pem
> -rw-r--r--  1 root root 1834 Feb 16 05:49 newkey.pem
> -rw-r--r--  1 root root 1115 Feb 16 05:49 newreq.pem
> -rwxr-xr-x  1 root root 6419 Dec 17 02:53 target
>
>  #./CA.pl -newreq --> is there a way to specify server name? For example
> gitlabinternal.  By default, it saves in file *newcert.pem*
>  #./CA.pl -sign
>
> I ran the below command to copy
> #cp newcert.pem gitlabinternal.pem
> #openssl x509 -in gitlabinternal.pem -noout -text
>
> Is there a way to specify servername in ./CA.pl -newreq  command ? Please
> suggest further. Thanks in advance.
>
> Best Regards,
>
> Kaushal
>

Hi,

I will appreciate if someone can pitch in for my earlier email post to this
mailing list.

Thanks in Advance.

Best Regards,

Kaushal

./CA.pl -newreq specify servername

2021-02-15 Thread Kaushal Shriyan 
Hi,

I am running CentOS Linux release 7.9.2009 (Core).

#rpm -qa | grep openssl
openssl-devel-1.0.2k-21.el7_9.x86_64
openssl-libs-1.0.2k-21.el7_9.x86_64
openssl-1.0.2k-21.el7_9.x86_64
openssl-perl-1.0.2k-21.el7_9.x86_64

cd /etc/pki/tls/misc
[root@basheerdevops misc]# ll
total 64
-rwxr-xr-x. 1 root root 5178 Dec 17 02:53 CA
-rwxr-xr-x  1 root root 5691 Dec 17 02:53 CA.pl
-rwxr-xr-x. 1 root root  119 Dec 17 02:53 c_hash
-rwxr-xr-x. 1 root root  152 Dec 17 02:53 c_info
-rwxr-xr-x. 1 root root  112 Dec 17 02:53 c_issuer
-rwxr-xr-x. 1 root root  110 Dec 17 02:53 c_name
-rw-r--r--  1 root root 4837 Feb 16 05:51 newcert.pem
-rw-r--r--  1 root root 1834 Feb 16 05:49 newkey.pem
-rw-r--r--  1 root root 1115 Feb 16 05:49 newreq.pem
-rwxr-xr-x  1 root root 6419 Dec 17 02:53 target

 #./CA.pl -newreq --> is there a way to specify server name? For example
gitlabinternal.  By default, it saves in file *newcert.pem*
 #./CA.pl -sign

I ran the below command to copy
#cp newcert.pem gitlabinternal.pem
#openssl x509 -in gitlabinternal.pem -noout -text

Is there a way to specify servername in ./CA.pl -newreq  command ? Please
suggest further. Thanks in advance.

Best Regards,

Kaushal

Re: TLS 1.3 protocol question

2020-03-14 Thread Kaushal Shriyan 
Thank you for the clarification.

On Sun, Mar 15, 2020 at 1:23 AM Salz, Rich  wrote:

> The TLS RFC describes the “bytes on the wire” – the syntax for how client
> and server communicate, and the semantics of those exchanges.
>
>
>
> Is it a specification or standard?  Yup both.
>
>
>
> Is OpenSSL implementation of the spec?  Yup.
>
>
>
> What language used in the spec?  It’s described in the RFC; see
> “presentation language”
>
>
>

Re: TLS version 1.3 in Production servers.

2020-03-14 Thread Kaushal Shriyan 
Thanks Rich Salz for the email. Further to your email, I will appreciate it
if you can point me to suggested and recommended online books to understand
cryptography. I look forward to hearing from you. Thanks in advance.

Best Regards,

On Sat, Mar 14, 2020 at 7:13 PM Salz, Rich  wrote:

> *>* Please suggest me books or tutorials to understand OpenSSL and TLS
> cryptographic protocol in detail. I look forward to hearing from you.
> Thanks in advance.
>
>
>
> Start with the RFC’s, then look for crypto basics – there are free books
> online.
>

TLS 1.3 protocol question

2020-03-14 Thread Kaushal Shriyan 
Hi,

I have been going through RFC's regarding the TLS version 1.3 protocol. I
am curious to know does it mean that the TLS version 1.3 protocol is a
specification or standard to communicate between client and server? And
OpenSSL is a cryptography library to implement TLS version 1.3 protocol?
What is the programming language used for the specification of the TLS
version 1.3 protocol?

Please correct me if I am asking any questions which are irrelevant. Thanks
in advance and I look forward to hearing from you.

Best Regards,

Kaushal

Re: TLS version 1.3 in Production servers.

2020-03-14 Thread Kaushal Shriyan 
On Sat, Mar 14, 2020 at 6:32 PM Salz, Rich  wrote:

>
>- I am reading this article
>https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3
>
> 
>  I
>have a followup question regarding TLS version 1.3. Can we use it in
>production servers or it is good to be on TLS version 1.2? I look forward
>to hearing from you.
>
>
>
> There are no problems with the protocol; it has had extensive analysis.
> There are no known implementation bugs, but of course that doesn’t mean
> there are none.  Most browsers will use TLS 1.3 if the server supports it.
> Many big websites or providers use it.  Go ahead. It does a smidgen more
> crypto work, but client/server latency is reduced.
>
>
>
> As for TLS 1.2, it has not had as much analysis, but has no known protocol
> flaws. It is also considered safe to use.
>
>
>
> Do not use TLS 1.1, TLS 1.0 or SSL 3.
>
>
>

Thanks Rich Salz for the explanation and much appreciated. Please suggest
me books or tutorials to understand OpenSSL and TLS cryptographic protocol
in detail. I look forward to hearing from you. Thanks in advance.

Best Regards,

Kaushal

TLS version 1.3 in Production servers.

2020-03-13 Thread Kaushal Shriyan 
Hi,

I am reading this article
https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3 I have a
followup question regarding TLS version 1.3. Can we use it in
production servers or it is good to be on TLS version 1.2? I look forward
to hearing from you.

Thanks in advance.

Best Regards,

Kaushal

Re: Negotiated cipher per proto (matching cipher in list missing). No further cipher order check has been done as order is determined by the client

2020-03-11 Thread Kaushal Shriyan 
On Thu, Mar 12, 2020 at 1:01 AM Kyle Hamilton  wrote:

> ssl_prefer_server_ciphers on;
>
> On Wed, Mar 11, 2020, 11:58 Kaushal Shriyan 
> wrote:
>
>>
>>
>> On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <
>> michael.woj...@microfocus.com> wrote:
>>
>>> To enforce the server's cipher order, use SSL_CTX_set_options(*ctx*,
>>> SSL_CTX_get_options(*ctx*) | SSL_OP_CIPHER_SERVER_PREFERENCE).
>>>
>>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html
>>>
>>> --
>>>
>>>
>>> Testing server preferences
>>>  Has server cipher order? no (NOT ok)
>>>   ...
>>> No further cipher order check has been done as order is determined by
>>> the client
>>>
>>>
>>>
>> Hi Michael,
>>
>> Thanks for the email. I am not sure if i understand it completely. what
>> does the server's cipher order mean in layman's terms? Any example
>> regarding To enforce the server's cipher order, use
>> SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) |
>> SSL_OP_CIPHER_SERVER_PREFERENCE) to set it in /etc/nginx/nginx.conf. I am
>> running Nginx web server.
>>
>> I have the below settings in /etc/nginx/nginx.conf
>>
>> server {
>> listen 443 ssl;
>> ssl_protocols TLSv1.2;
>> ssl_ciphers
>> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
>> ssl_prefer_server_ciphers off;
>> }
>>
>> Please suggest. I look forward to hearing from you and thanks in advance.
>>
>> Best Regards,
>>
>> Kaushal
>>
>

Thanks Michael for the explanation and much appreciated. Thanks a lot, Kyle
for the reply.

Re: Negotiated cipher per proto (matching cipher in list missing). No further cipher order check has been done as order is determined by the client

2020-03-11 Thread Kaushal Shriyan 
On Wed, Mar 11, 2020 at 6:36 PM Michael Wojcik <
michael.woj...@microfocus.com> wrote:

> To enforce the server's cipher order, use SSL_CTX_set_options(*ctx*,
> SSL_CTX_get_options(*ctx*) | SSL_OP_CIPHER_SERVER_PREFERENCE).
>
> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_options.html
>
> --
>
>
> Testing server preferences
>  Has server cipher order? no (NOT ok)
>   ...
> No further cipher order check has been done as order is determined by the
> client
>
>
>
Hi Michael,

Thanks for the email. I am not sure if i understand it completely. what
does the server's cipher order mean in layman's terms? Any example
regarding To enforce the server's cipher order, use
SSL_CTX_set_options(ctx, SSL_CTX_get_options(ctx) |
SSL_OP_CIPHER_SERVER_PREFERENCE) to set it in /etc/nginx/nginx.conf. I am
running Nginx web server.

I have the below settings in /etc/nginx/nginx.conf

server {
listen 443 ssl;
ssl_protocols TLSv1.2;
ssl_ciphers
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
}

Please suggest. I look forward to hearing from you and thanks in advance.

Best Regards,

Kaushal

Re: Negotiated cipher per proto (matching cipher in list missing). No further cipher order check has been done as order is determined by the client

2020-03-11 Thread Kaushal Shriyan 
On Tue, Mar 10, 2020 at 9:56 PM Kaushal Shriyan 
wrote:

> Hi,
>
> I have run the below tests
>
> ./testssl.sh gsmasslciphers.digitalapicraft.com
>> ###
>> testssl.sh   3.1dev from https://testssl.sh/dev/
>> (e0c83b2 2020-02-24 14:21:28 -- )
>>   This program is free software. Distribution and
>>  modification under GPLv2 permitted.
>>   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
>>Please file bugs @ https://testssl.sh/bugs/
>> ###
>>  Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
>>  on Kaushals-MacBook-Pro:./bin/openssl.Darwin.x86_64
>>  (built: "Feb 22 09:55:43 2019", platform: "darwin64-x86_64-cc")
>>
>>  Start 2020-03-10 21:50:25-->> 13.234.216.57:443 (
>> gsmasslciphers.digitalapicraft.com) <<--
>>  rDNS (13.234.216.57):   --
>>  Service detected:   HTTP
>>
>>  Testing protocols via sockets except NPN+ALPN
>>  SSLv2  not offered (OK)
>>  SSLv3  not offered (OK)
>>  TLS 1  not offered
>>  TLS 1.1not offered
>>  TLS 1.2offered (OK)
>>  TLS 1.3not offered and downgraded to a weaker protocol
>>  NPN/SPDY   h2, http/1.1 (advertised)
>>  ALPN/HTTP2 h2, http/1.1 (offered)
>>  Testing cipher categories
>>  NULL ciphers (no encryption)  not offered (OK)
>>  Anonymous NULL Ciphers (no authentication)not offered (OK)
>>  Export ciphers (w/o ADH+NULL) not offered (OK)
>>  LOW: 64 Bit + DES, RC[2,4] (w/o export)   not offered (OK)
>>  Triple DES Ciphers / IDEA not offered
>>  Obsolete: SEED + 128+256 Bit CBC cipher   not offered
>>  Strong encryption (AEAD ciphers)  offered (OK)
>>
>>  Testing robust (perfect) forward secrecy, (P)FS -- omitting Null
>> Authentication/Encryption, 3DES, RC4
>>  PFS is offered (OK)  ECDHE-RSA-AES256-GCM-SHA384
>> ECDHE-RSA-AES128-GCM-SHA256
>>  Elliptic curves offered: secp256k1 prime256v1 secp384r1 secp521r1
>>
>>  Testing server preferences
>>  Has server cipher order? no (NOT ok)
>>  Negotiated protocol  TLSv1.2
>>  Negotiated cipherECDHE-RSA-AES128-GCM-SHA256, 521 bit ECDH
>> (P-521) -- inconclusive test, matching cipher in list missing, better see
>> below
>>  Negotiated cipher per proto  (matching cipher in list missing)
>>  ECDHE-RSA-AES256-GCM-SHA384:   TLSv1.2
>>  No further cipher order check has been done as order is determined by
>> the client
>>
>>  Testing server defaults (Server Hello)
>>  TLS extensions (standard)"server name/#0" "renegotiation
>> info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15"
>> "next protocol/#13172" "application layer protocol negotiation/#16"
>>  Session Ticket RFC 5077 hint 86400 seconds, session tickets keys seems
>> to be rotated < daily
>>  SSL Session ID support   yes
>>  Session Resumption   Tickets: yes, ID: yes
>>  TLS clock skew   Random values, no fingerprinting possible
>>  Signature Algorithm  SHA256 with RSA
>>  Server key size  RSA 2048 bits
>>  Server key usage Digital Signature, Key Encipherment
>>  Server extended key usageTLS Web Server Authentication, TLS Web
>> Client Authentication
>>  Serial / Fingerprints03C871BF68E569B4330E4AFCFA7752AAB5D7 / SHA1
>> 8874D965CB96F4A4B8B4CCAE149B6F1999399BF8
>>   SHA256
>> BB56659442E2ED18778F7BB210823F3A81DA88F3AF79D0EE2104CE82DBB03C65
>>  Common Name (CN) gsmasslciphers.digitalapicraft.com
>>  subjectAltName (SAN) gsmasslciphers.digitalapicraft.com
>>  Issuer   Let's Encrypt Authority X3 (Let's Encrypt
>> from US)
>>  Trust (hostname) Ok via SAN (same w/o SNI)
>>  Chain of trust   Ok
>>  EV cert (experimental)   no
>>  ETS/"eTLS", visibility info  not present
>>  Certificate Validity (UTC)   89 >= 30 days (2020-03-10 09:40 -->
>> 2020-06-08 09:40)
>>  # of certificates provided   2
>>  Certificate Revocation List  --
>>  OCSP URI http://ocsp.int-x3.letsencrypt.org
>>  OCSP staplingnot offered
>>  OCSP must staple extension   --
>>  DNS CAA RR (experimental)not offered
>>  Certificate

Negotiated cipher per proto (matching cipher in list missing). No further cipher order check has been done as order is determined by the client

2020-03-10 Thread Kaushal Shriyan 
Hi,

I have run the below tests

./testssl.sh gsmasslciphers.digitalapicraft.com
> ###
> testssl.sh   3.1dev from https://testssl.sh/dev/
> (e0c83b2 2020-02-24 14:21:28 -- )
>   This program is free software. Distribution and
>  modification under GPLv2 permitted.
>   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
>Please file bugs @ https://testssl.sh/bugs/
> ###
>  Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
>  on Kaushals-MacBook-Pro:./bin/openssl.Darwin.x86_64
>  (built: "Feb 22 09:55:43 2019", platform: "darwin64-x86_64-cc")
>
>  Start 2020-03-10 21:50:25-->> 13.234.216.57:443 (
> gsmasslciphers.digitalapicraft.com) <<--
>  rDNS (13.234.216.57):   --
>  Service detected:   HTTP
>
>  Testing protocols via sockets except NPN+ALPN
>  SSLv2  not offered (OK)
>  SSLv3  not offered (OK)
>  TLS 1  not offered
>  TLS 1.1not offered
>  TLS 1.2offered (OK)
>  TLS 1.3not offered and downgraded to a weaker protocol
>  NPN/SPDY   h2, http/1.1 (advertised)
>  ALPN/HTTP2 h2, http/1.1 (offered)
>  Testing cipher categories
>  NULL ciphers (no encryption)  not offered (OK)
>  Anonymous NULL Ciphers (no authentication)not offered (OK)
>  Export ciphers (w/o ADH+NULL) not offered (OK)
>  LOW: 64 Bit + DES, RC[2,4] (w/o export)   not offered (OK)
>  Triple DES Ciphers / IDEA not offered
>  Obsolete: SEED + 128+256 Bit CBC cipher   not offered
>  Strong encryption (AEAD ciphers)  offered (OK)
>
>  Testing robust (perfect) forward secrecy, (P)FS -- omitting Null
> Authentication/Encryption, 3DES, RC4
>  PFS is offered (OK)  ECDHE-RSA-AES256-GCM-SHA384
> ECDHE-RSA-AES128-GCM-SHA256
>  Elliptic curves offered: secp256k1 prime256v1 secp384r1 secp521r1
>
>  Testing server preferences
>  Has server cipher order? no (NOT ok)
>  Negotiated protocol  TLSv1.2
>  Negotiated cipherECDHE-RSA-AES128-GCM-SHA256, 521 bit ECDH
> (P-521) -- inconclusive test, matching cipher in list missing, better see
> below
>  Negotiated cipher per proto  (matching cipher in list missing)
>  ECDHE-RSA-AES256-GCM-SHA384:   TLSv1.2
>  No further cipher order check has been done as order is determined by the
> client
>
>  Testing server defaults (Server Hello)
>  TLS extensions (standard)"server name/#0" "renegotiation info/#65281"
> "EC point formats/#11" "session ticket/#35" "heartbeat/#15" "next
> protocol/#13172" "application layer protocol negotiation/#16"
>  Session Ticket RFC 5077 hint 86400 seconds, session tickets keys seems to
> be rotated < daily
>  SSL Session ID support   yes
>  Session Resumption   Tickets: yes, ID: yes
>  TLS clock skew   Random values, no fingerprinting possible
>  Signature Algorithm  SHA256 with RSA
>  Server key size  RSA 2048 bits
>  Server key usage Digital Signature, Key Encipherment
>  Server extended key usageTLS Web Server Authentication, TLS Web
> Client Authentication
>  Serial / Fingerprints03C871BF68E569B4330E4AFCFA7752AAB5D7 / SHA1
> 8874D965CB96F4A4B8B4CCAE149B6F1999399BF8
>   SHA256
> BB56659442E2ED18778F7BB210823F3A81DA88F3AF79D0EE2104CE82DBB03C65
>  Common Name (CN) gsmasslciphers.digitalapicraft.com
>  subjectAltName (SAN) gsmasslciphers.digitalapicraft.com
>  Issuer   Let's Encrypt Authority X3 (Let's Encrypt
> from US)
>  Trust (hostname) Ok via SAN (same w/o SNI)
>  Chain of trust   Ok
>  EV cert (experimental)   no
>  ETS/"eTLS", visibility info  not present
>  Certificate Validity (UTC)   89 >= 30 days (2020-03-10 09:40 -->
> 2020-06-08 09:40)
>  # of certificates provided   2
>  Certificate Revocation List  --
>  OCSP URI http://ocsp.int-x3.letsencrypt.org
>  OCSP staplingnot offered
>  OCSP must staple extension   --
>  DNS CAA RR (experimental)not offered
>  Certificate Transparency yes (certificate extension)
>
>  Testing HTTP header response @ "/"
>  HTTP Status Code 200 OK
>  HTTP clock skew  0 sec from localtime
>  Strict Transport Security730 days=63072000 s, just this domain
>  Public Key Pinning   --
>  Server bannernginx/1.16.1
>  Application banner   --
>  Cookie(s)(none issued at "/")
>  Security headers --
>  Reverse Proxy banner --
>
>  Testing vulnerabilities
>  Heartbleed (CVE-2014-0160)not vulnerable (OK), timed out
>  CCS (CVE-2014-0224)   not vulnerable (OK)
>  Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
>  ROBOT Server does not support any
> cipher suites that use RSA key

Openssl version question

2020-03-02 Thread Kaushal Shriyan 
Hi,

I am curious to know regarding *k* in 1.0.2k-fips, *d* in 1.1.1d, *l* in
1.1.0l and *u* in 1.0.2u. What does this alphabet mean?

Best Regards,

Kaushal

Suggest strong cipher suites

2020-03-02 Thread Kaushal Shriyan 
Hi,

We are using the Nginx Web server on CentOS Linux release 7.7.1908 (Core).

*OpenSSL Version*
#openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
#

*Nginx Version*
#rpm -qa | grep nginx
nginx-1.16.1-1.el7.x86_64
#

Can someone please suggest me to use strong cipher suites for SSL/TLS
encryption. Thanks in advance and I look forward to hearing from you.

Best Regards,

Kaushal

Re: [openssl-users] To disable CBC ciphers

2018-10-20 Thread Kaushal Shriyan 
On Wed, Oct 17, 2018 at 7:00 PM murugesh pitchaiah <
murugesh.pitcha...@gmail.com> wrote:

> Hi,
>
> You may list down what ciphers configured : "openssl ciphers"
> Choose CBC ciphers and add them to the list of 'ssl_ciphers' with "!"
> prefix appended to current ssl_ciphers.
>
> > ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:
>
> Ref:
> https://serverfault.com/questions/692119/meaning-of-ssl-ciphers-line-on-nginx-conf
>
> Thanks,
> Murugesh P.
>
>
> On 10/17/18, Kaushal Shriyan  wrote:
> > Hi,
> >
> > I have the below ssl settings in nginx.conf file and VAPT test has
> reported
> > us to disable CBC ciphers
> >
> > ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH;
> >> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> >
> >
> > openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS
> > Linux release 7.3.1611 (Core)
> >
> > I will appreciate if someone can pitch in to help me understand to
> disable
> > CBC ciphers
> >
> > Best Regards
> >
> > Kaushal
> >
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Thanks Murugesh. I did checked openssl ciphers
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html and could not see
!AAA_CBC_BBB as mentioned in your email.

ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH:!AAA_CBC_BBB:


Correct me if i am understanding it wrong. Basically i want to disable
Cipher Block Chaining (CBC) mode cipher encryption. Openssl and OS version
are as below :-

openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS
> Linux release 7.3.1611 (Core)


Any tools which i can run to find out vulnerabilities in the above openssl
and OS version? Please guide and i look forward to hearing from you. Thanks
in Advance.

Best Regards,

Kaushal
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] To disable CBC ciphers

2018-10-17 Thread Kaushal Shriyan 
Hi,

I have the below ssl settings in nginx.conf file and VAPT test has reported
us to disable CBC ciphers

ssl_ciphers HIGH:!aNULL:!MD5:!DH+3DES:!kEDH;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


openssl version on the box is OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS
Linux release 7.3.1611 (Core)

I will appreciate if someone can pitch in to help me understand to disable
CBC ciphers

Best Regards

Kaushal
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Packet capture SSL traffic

2018-07-05 Thread Kaushal Shriyan 
Hi,

Is there a way to capture SSL traffic using openssl and tcpdump or any
other utility on Linux? I look forward to hearing from you.

Best Regards,

Kaushal
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] letter 's' in s_client in openssl

2016-01-04 Thread Kaushal Shriyan 
Hi,

what does the letter 's' signify in *s_client* in the command "openssl
s_client -servername test.example.com -connect test.example.com:443
-showcerts" ?

Regards,

Kaushal
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

SSL Root CA and Intermediate CA Certs.

2014-04-23 Thread Kaushal Shriyan 
Hi,

I am new to SSL/TLS Certificates. Please help me understand what is the
difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I
will appreciate if i can refer to some books or tutorials to know about
SSL/TLS technology.

Thanks and Regards,

Kaushal

Verify Two Way SSL Certificates.

2014-04-21 Thread Kaushal Shriyan 
Hi,

Is there a way to test if 2 way ssl certs are installed correctly?

More Info :-
http://stackoverflow.com/questions/10725572/two-way-ssl-clarification

Regards,

Kaushal

Convert .pem to .crt and .key files

2013-12-13 Thread Kaushal Shriyan 
Hi,

I have a .pem file. Is there a way to get it converted into .crt and .key
files using openssl tool.

Please suggest.

Regards,

Kaushal

Re: Verisign Certificate

2007-08-07 Thread Kaushal Shriyan 
Hi Kiran

Now the verisign has given me the certificate as SSL.der format so can you
please provide me the working example using openssl to convert it into
SSL.pem
format taking my file SSL.der in question

Thanks again

Sorry for the trouble

Thanks and Regards

Kaushal





On 8/6/07, C K KIRAN-KNTX36 [EMAIL PROTECTED] wrote:

  Hi,

 You should have received the certificate in PEM or DER format. No need to
 save the file .txt format.

 Do openssl –inform whichever form PEM or DER –in file.(der or pem)
 -noout –text

 This will dump the text form of the certificate.

 Regards,

 Kiran




   --

 *From:* [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED] *On Behalf Of *Kaushal Shriyan
 *Sent:* Monday, August 06, 2007 7:23 PM
 *To:* openssl-users@openssl.org
 *Subject:* Verisign Certificate



 Hi,

 I have received certificate from Verisign in the email.

 I have copied it to a notepad and saved it as abc.txt

 I am running the command

 openssl x509 -in abc.txt -out ssl.pem

 is this the right command

 Thanks and Regards

 Kaushal

Verisign Certificate

2007-08-06 Thread Kaushal Shriyan 
Hi,

I have received certificate from Verisign in the email.

I have copied it to a notepad and saved it as abc.txt

I am running the command

openssl x509 -in abc.txt -out ssl.pem

is this the right command

Thanks and Regards

Kaushal

Keystore password

2007-07-11 Thread Kaushal Shriyan 

Hi,

We would like to extract the un-signed SSL certificate used by the
application and its keystore password. Could you please provide us with the
steps do this specially the keystore password?

Thanks and Regards

Kaushal

Re: How to check if the certificate is self signed

2006-10-25 Thread Kaushal Shriyan 

On 10/25/06, Ambarish Mitra [EMAIL PROTECTED] wrote:

If the subject and issuer are the same, then the cert is self-signed.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bhat, Jayalakshmi
Manjunath
Sent: Wednesday, October 25, 2006 12:45 PM
To: openssl-users@openssl.org
Subject: How to check if the certificate is self signed


Hi All,

  How do I check if the given certificate is self-signed?

Thanks and Regards,
Jaya


DISCLAIMER
==
This e-mail may contain privileged and confidential information which is the 
property of Persistent Systems Pvt. Ltd. It is intended only for the use of the 
individual or entity to which it is addressed. If you are not the intended 
recipient, you are not authorized to read, retain, copy, print, distribute or 
use this message. If you have received this communication in error, please 
notify the sender and delete all copies of this message. Persistent Systems 
Pvt. Ltd. does not accept any liability for virus infected mails.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Hi Ambarish

Thanks for the reply
How do i check the subject and the issuer of the self signed certificate

Thanks and Regards

Kaushal
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

openssl command

2006-07-28 Thread Kaushal Shriyan 

Hi ALL

I wanted a PDF format of openssl command, Can any one explain me about
openssl command with examples I mean How do i use it

Thanks and Regards

Kaushal
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]