Aaron Parecki


#ssl

  • Create a Subject Alternative Name (SAN) CSR with OpenSSL (www.lisenet.com)
    Portland, Oregon
    #openssl #ssl #https
    Tue, Jun 27, 2017 6:02pm -07:00
  • How to setup your own CA with OpenSSL (gist.github.com)
    Portland, Oregon
    #openssl #ssl #https
    Tue, Jun 27, 2017 6:02pm -07:00
  • City of Portland https://twitter.com/cityofportland
    To whomever tagged this on the Esplanade. This is irresponsible and unsafe advice! One should only use SFTP when transferring files. #ssl
    Portland, Oregon
    #ssl
    Mon, Jun 26, 2017 7:51pm +00:00 (liked on Mon, Jun 26, 2017 9:14pm -07:00)
  • Chrome 57 dropped the StartCom root so all my wildcard certs stopped working. Guess today is gonna be moving a bunch to @letsencrypt
    Portland, Oregon, USA
    7 likes
    #chrome #ssl #letsencrypt #startcom
    Fri, Mar 10, 2017 8:42am -08:00
  • Nice follow-up to @CloudFlare's disaster bug by @1Password ♥️🔐 https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/ Keep being awesome, 1Password!
    Portland, Oregon, USA
    2 likes 4 reposts 1 reply
    #1password #security #cloudflare #ssl #https
    Thu, Feb 23, 2017 7:03pm -08:00
  • StartEncrypt considered harmful today - Computest (www.computest.nl)
    Portland, Oregon
    #ssl #https #startssl
    Thu, Jun 30, 2016 8:39am -07:00
  • This is perhaps the first step in the fall of certificate authorities in favor of p2p root CA trust sharing. https://twitter.com/FiloSottile/status/735940720931012608
    Portland, Oregon, USA
    1 like 1 repost 2 mentions
    #security #ssl #https #bluecoat
    Thu, May 26, 2016 3:19pm -07:00
  • Untrusting an intermediate CA on OS X (blog.filippo.io)
    Portland, Oregon
    #security #bluecoat #osx #ssl
    Thu, May 26, 2016 3:18pm -07:00
  • Setting up HTTPS with Letsencrypt.org

    Mon, Dec 7, 2015 9:59am -08:00

    I use nginx to serve my HTTPS domains, and Letsencrypt support for nginx is still in beta. I also have a relatively specialized nginx config setup so I don't want any automated script messing with those files. Below are the steps I took to use the letsencrypt tool to generate and automatically renew a certificate for a domain.

    Photo by Jānis Puriņš
    $ git clone https://github.com/letsencrypt/letsencrypt
    $ cd letsencrypt
    $ ./letsencrypt-auto --help

    This installs the tool as well as a number of dependencies. After it's done, the letsencrypt-auto command is available. I installed this in my home folder.

    The webroot plugin writes a challenge file to disk, and the Let's Encrypt CA then fetches it over plain HTTP at http://example.com/.well-known/acme-challenge/<token>. So the first step in getting the process working was an nginx server block on port 80 for each domain, serving that path from the directory the tool writes to.

    server {
      listen *:80;
      server_name aaronpk.com example.com;
    
      # Serve ACME challenge files straight from the directory the client writes to.
      # nginx appends the request path to root, so a token ends up at
      # /tmp/letsencrypt/.well-known/acme-challenge/<token>.
      location /.well-known/acme-challenge {
        default_type "text/plain";
        root /tmp/letsencrypt;
      }
    
      # Everything else goes to HTTPS. $host (rather than $http_host) falls back to
      # the server_name when a request has no or a malformed Host header, so the
      # redirect can never become "https:///...".
      location / {
        return 301 https://$host$request_uri;
      }
    }

    This configures nginx to serve the /.well-known/acme-challenge/ path from a folder on disk and to redirect every other request to the https version of the domain. Two things to watch with the directory: /tmp is writable by every local user, so anyone on the box can drop files that nginx will serve under your domain, and on systems where nginx runs under systemd with PrivateTmp the daemon sees a different /tmp than the shell you run the client from. A dedicated directory that is writable by the account running letsencrypt-auto and readable by the nginx worker user avoids both problems. Whatever you pick, the root here and the --webroot-path passed to the client must be the same directory.

    Now we can run the script that will request the cert and respond to the challenge.

    ~/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/tmp/letsencrypt -d aaronpk.com

    If you want a single certificate covering several domains (one certificate with multiple subject alternative names), add more -d example.com parameters to the command; every name listed must appear in a server_name and be reachable over HTTP so its challenge can be fetched. Alternatively, run the command once per domain to get separate certificates.

    This tells the script to request the cert and write the challenge to disk, and prefills the domain name it's requesting. If everything goes well, you should see:

     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/aaronpk.com/fullchain.pem. Your cert will
       expire on 2016-03-06. To obtain a new version of the certificate in
       the future, simply run Let's Encrypt again.

    Now we can set up the virtual host block which serves the certificate!

    server {
      listen *:443 ssl;
      server_name aaronpk.com;
    
      # fullchain.pem holds the leaf certificate plus the Let's Encrypt intermediate;
      # clients need the intermediate to build a path to a trusted root, so point
      # nginx at fullchain.pem rather than cert.pem. Keep privkey.pem readable only by
      # root: the nginx master reads it before dropping privileges. "ssl on;" is not
      # needed when "ssl" is given on the listen line (and was deprecated in nginx 1.15.0).
      ssl_certificate       /etc/letsencrypt/live/aaronpk.com/fullchain.pem;
      ssl_certificate_key   /etc/letsencrypt/live/aaronpk.com/privkey.pem;
    
      # your normal config stuff goes here
    }

    (Note that I deliberately left out the other ssl config options from this example, since it's possible to configure them at the top-level nginx config. See indiewebcamp.com/nginx for more details on configuring nginx with https.)

    Now that the two configuration blocks are in place, renewal is the same command with --renew, which tells the client to replace the existing certificate instead of asking whether to. A Let's Encrypt certificate lasts 90 days, so this needs to run well before the expiry date printed above. The --webroot-path must be the same directory as the root in the port-80 block, and nginx has to be reloaded afterwards because it only reads the certificate files at startup or reload. Nothing here schedules the renewal, so put these two lines in a cron job.
    
    ~/letsencrypt/letsencrypt-auto --renew certonly -a webroot --webroot-path=/tmp/letsencrypt -d aaronpk.com
    sudo /opt/nginx/sbin/nginx -s reload
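    A cron-friendly version of those two lines, added here as an example and not part of the original post: it only asks for a new certificate when the current one is within 30 days of expiry, refuses to proceed if the challenge path is not actually being served by nginx, and reloads nginx only after the config test passes. The paths (~/letsencrypt/letsencrypt-auto, /tmp/letsencrypt, /opt/nginx/sbin/nginx) are the ones used in this post; the script name renew-cert.sh, the 30-day threshold, the curl self-test and the use of GNU date to parse openssl's enddate output are my assumptions.

```shell
#!/bin/sh
# renew-cert.sh: added example (not from the original post). Renews a Let's Encrypt
# certificate via the webroot flow only when it is close to expiry, then reloads nginx.
# Assumes the paths from the post above and GNU date (for "date -d").
set -eu

DOMAIN="${1:-aaronpk.com}"
WEBROOT="/tmp/letsencrypt"                       # must equal the nginx "root" for the challenge path
LIVE="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
RENEW_DAYS=30                                    # assumed threshold; LE certs live 90 days

# Whole days between two Unix timestamps: days_between <later_epoch> <earlier_epoch>
days_between() {
    echo $(( ($1 - $2) / 86400 ))
}

# Exit 0 when a cert expiring at <end_epoch> should be renewed at <now_epoch>.
# needs_renewal <end_epoch> <now_epoch> <threshold_days>
needs_renewal() {
    [ "$(days_between "$1" "$2")" -lt "$3" ]
}

# Turn openssl's "notAfter=Mar  6 18:00:00 2016 GMT" into a Unix timestamp (GNU date).
enddate_to_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# Expiry of the certificate in a PEM file as a Unix timestamp: cert_end_epoch <pem-file>
cert_end_epoch() {
    enddate_to_epoch "$(openssl x509 -noout -enddate -in "$1")"
}

# Drop a throwaway token in the webroot and fetch it over HTTP the way the CA would,
# so a broken nginx block is caught before a real challenge fails.
# challenge_path_ok <domain> <webroot>
challenge_path_ok() {
    token="selftest-$$"
    mkdir -p "$2/.well-known/acme-challenge"
    echo "$token" > "$2/.well-known/acme-challenge/$token"
    got=$(curl -fsS "http://$1/.well-known/acme-challenge/$token" || true)
    rm -f "$2/.well-known/acme-challenge/$token"
    [ "$got" = "$token" ]
}

main() {
    if [ -f "$LIVE" ] && ! needs_renewal "$(cert_end_epoch "$LIVE")" "$(date +%s)" "$RENEW_DAYS"; then
        echo "$DOMAIN: certificate valid for more than $RENEW_DAYS days, nothing to do"
        return 0
    fi
    challenge_path_ok "$DOMAIN" "$WEBROOT" || { echo "challenge path is not served for $DOMAIN" >&2; return 1; }
    ~/letsencrypt/letsencrypt-auto --renew certonly -a webroot --webroot-path="$WEBROOT" -d "$DOMAIN"
    # Reload only if the new config (and the new cert files) pass nginx's own check.
    sudo /opt/nginx/sbin/nginx -t && sudo /opt/nginx/sbin/nginx -s reload
}

# Run main only when executed as renew-cert.sh, so the file can also be sourced for its functions.
case "$0" in */renew-cert.sh|renew-cert.sh) main "$@" ;; esac
```

    Run it from cron as sh renew-cert.sh aaronpk.com (daily is fine, since it exits early while the certificate is still fresh); the arithmetic and date helpers are kept separate from the network steps so they can be checked without a certificate on disk.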
    10 likes 5 reposts 2 replies 3 mentions
    #https #ssl #letsencrypt #indieweb
    Mon, Dec 7, 2015 9:59am -08:00
  • nginx SSL configuration options for konklone.com (gist.github.com)
    #nginx #ssl #tutorial #resources
    Sun, May 17, 2015 7:58pm -07:00
  • Hardening HTTPS with nginx « Jonny Barnes (jonnybarnes.uk)
    #nginx #ssl #linux
    Tue, Apr 14, 2015 9:38am -07:00
  • How to set up stress-free SSL on an OS X development machine (gist.github.com)
    #ssl #osx #resources
    Tue, Dec 23, 2014 3:14pm -08:00
  • Akamai Heartbleed Response (blogs.akamai.com)
    #heartbleed #ops #ssl
    Sat, Apr 12, 2014 2:29am -07:00
  • SwiftOnSecurity (twitter.com)
    I patched OpenSSL and due to the nature of the bug had to tell my old SSL cert that we are never, ever, ever getting back together.
    #heartbleed #ssl
    Thu, Apr 10, 2014 3:08pm -07:00
  • Reverse Heartbleed Tester (reverseheartbleed.com)
    #heartbleed #ops #security #ssl
    Thu, Apr 10, 2014 2:01pm -07:00
  • How to explain Heartbleed without technical terms? (security.stackexchange.com)
    #heartbleed #ops #security #ssl
    Thu, Apr 10, 2014 1:22pm -07:00
  • How to test and confirm OpenSSL is updated for Nginx and Ruby on Ubuntu 12.04

    Tue, Apr 8, 2014 3:16pm -07:00

    First, a few tools for testing your servers:

    • titanous/heartbleeder (written in Go)
    • FiloSottile/Heartbleed (written in Go)
    • emboss/heartbeat (written in Ruby)

    Nginx

    Run one of these against your HTTPS server:

    ./heartbleeder example.com
    

    It turns out that in Ubuntu 12.04 running openssl version reports "OpenSSL 1.0.1 14 Mar 2012" for every build of 1.0.1: Ubuntu backports security fixes into the existing package without changing the upstream version string, so the version string alone cannot tell you whether you are patched. The authoritative check is the package version, dpkg -s libssl1.0.0 | grep Version; the fix for CVE-2014-0160 shipped in USN-2165-1, which for 12.04 is libssl1.0.0 1.0.1-4ubuntu5.12.

    Update the system openssl libraries:

    sudo apt-get update
    sudo apt-get upgrade

    Now, you won't be able to check the version number, but you can check the date that openssl was built:

    $ openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr  7 20:33:29 UTC 2014

    Note that unless the "built on" date is Apr 7, 2014 or later (the day the fix was published), you've still got a problem.

    Now restart nginx and run the heartbleed test again. It has to be a full stop and start, not nginx -s reload: a reload keeps the master process running with the old library mapped, and new workers are forked from that master. And because the bug lets any client read server memory, including the private key, treat the existing key as compromised: generate a new key, get the certificate reissued, and revoke the old one once the new one is live.

    Ruby

    Even if you compile Ruby from source, it is normally dynamically linked to the system OpenSSL library (unless it was built against a separately installed OpenSSL), so it picks up the fixed library as soon as the Ruby process is restarted. However, I would be more confident if I could confirm that Ruby was in fact using the updated library.

    Because Ubuntu keeps the upstream version string, asking Ruby which OpenSSL version it was compiled against doesn't give any more information:

    $ ruby -r openssl -e 'puts OpenSSL::OPENSSL_VERSION'
    OpenSSL 1.0.1 14 Mar 2012

    (from @sferik)

    So let's do a little digging:

    • Load up irb
      $ irb
    • Find the full path of openssl.so
      irb(main):001:0> $:.map{|d| Dir[File.join d, "openssl.so"]}.flatten.compact.first
      /usr/local/lib/ruby/2.0.0/x86_64-linux/openssl.so
    • Quit irb
      irb(main):002:0> quit
    • Find the dependencies of Ruby's openssl.so
      $ ldd /usr/local/lib/ruby/2.0.0/x86_64-linux/openssl.so | grep crypto
      libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f3331750000)
      
    • Check the timestamp of the installed libcrypto (dpkg keeps the file's modification time from the package build, so it doubles as the build date):
      ls -l /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
      -rw-r--r-- 1 root root 1930616 Apr  7 20:37 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0

    You should see that libcrypto.so was built on Apr 7. At this point I can be reasonably sure that a freshly started Ruby process is using the updated OpenSSL library; a Ruby (or nginx) process that was already running when the package was upgraded still has the old copy mapped until it is restarted, which /proc/<pid>/maps shows as "(deleted)". I would feel much more comfortable if I had a malicious server I could test against. Below are the issues on the three repos above about writing a client-testing tool.

    • github.com/emboss/heartbeat/issues/1
    • github.com/FiloSottile/Heartbleed/issues/35
    • github.com/titanous/heartbleeder/issues/14
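    The check that the on-disk timestamp cannot give you, added here as an example and not from the original post: whether the processes actually running (nginx workers, Ruby app servers) loaded the upgraded library, or still map the old copy that dpkg unlinked during the upgrade. On Linux, /proc/<pid>/maps flags such mappings with "(deleted)", the same signal checkrestart-style tools rely on. It assumes a Linux /proc filesystem; the function names and the use of pgrep by exact process name are mine.

```shell
#!/bin/sh
# Added example (not from the original post): find running processes that still map a
# libssl/libcrypto which has since been replaced on disk. Assumes Linux /proc.

# Read /proc/<pid>/maps text on stdin and print the paths of libssl/libcrypto mappings
# flagged "(deleted)". Fields are: address perms offset dev inode pathname [(deleted)].
# Output is de-duplicated; empty output means the process uses the current library.
stale_openssl_maps() {
    awk '/\(deleted\)/ && /lib(ssl|crypto)[^ ]*\.so/ { print $6 }' | sort -u
}

# Exit 0 if the process is clean, 1 if it still maps a deleted OpenSSL library.
# process_uses_current_openssl <pid>
process_uses_current_openssl() {
    stale=$(stale_openssl_maps < "/proc/$1/maps")
    if [ -n "$stale" ]; then
        echo "pid $1 still maps old OpenSSL: $stale" >&2
        return 1
    fi
    return 0
}

# Check every process with the given exact name (e.g. nginx, ruby, unicorn).
# Exit 1 if any of them needs a restart. check_processes <process-name>
check_processes() {
    rc=0
    for pid in $(pgrep -x "$1"); do
        process_uses_current_openssl "$pid" || rc=1
    done
    return $rc
}
```

    After apt-get upgrade, check_processes nginx && check_processes ruby tells you whether the restart actually happened; a reload that left the nginx master process in place shows up here as every worker still mapping the deleted libcrypto.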
    7 likes 6 reposts 11 replies 2 mentions
    #heartbleed #ops #ubuntu #linux #openssl #ssl
    Tue, Apr 8, 2014 3:16pm -07:00
  • ImperialViolet - Overclocking SSL (www.imperialviolet.org)
    #crypto #cryptography #google #scalability #ssl
    Tue, Aug 3, 2010 10:37am -07:00

Hi, I'm Aaron Parecki, co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and am the editor of several W3C specifications. I record videos for local conferences and help run a podcast studio in Portland.

I wrote 100 songs in 100 days! I've been tracking my location since 2008, and write down everything I eat and drink. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2019 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.