Qualys SSL Labs and weak ciphers with centos 6.5 and apache

Lately I tried to improve the SSL score in the Qualys SSL Labs SSL configuration scanner. After a few tries I noticed that changes I made to SSLCipherSuite did not change anything at all, so there had to be a config file that overrides the settings for Apache 2.2.

Qualys error:

TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) DH 512 bits (p: 64, g: 1, Ys: 64) FS WEAK
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 1, Ys: 128) FS WEAK

Solution: What I learned is that if you use an Apache 2.2 with vhosts, the Apache vhost config for your site overrides the /etc/httpd/conf.d/ssl.conf settings! This behaviour makes no sense at all to me; nevertheless, here is the solution. Settings I used for /etc/httpd/conf.d/ssl.conf:

And for /etc/httpd/conf/sites-available/.vhost:

That's the trick for an A- rating. As far as I know an A(+) rating is not possible while running Apache 2.2.
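The override described above is easy to miss because the hardened string in ssl.conf still looks correct. The following added example (my code, not from the original post) shows the check I would script: find which SSLCipherSuite directive mod_ssl will actually use for a site (a directive inside the vhost wins over the main server config) and audit that string for the export/DES/RC4/LOW families Qualys reported. Both config texts are constructed samples; the vhost string is a legacy-style list that re-enables exactly those families.

```python
"""Which SSLCipherSuite actually applies to an Apache 2.2 site, and is it weak?

Added example, not code from the original post. Both config texts are
constructed samples.
"""
import re

# Constructed global config (ssl.conf): a hardened cipher string.
SSL_CONF = """
Listen 443
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!LOW
"""

# Constructed vhost file: the directive in here wins over ssl.conf for this site.
VHOST_CONF = """
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
"""

# OpenSSL cipher-string aliases for the families Qualys flagged as WEAK.
WEAK_FAMILIES = {"EXPORT", "EXP", "DES", "RC4", "LOW", "SSLv2", "MD5", "aNULL", "eNULL"}
# Aliases that pull in whole groups; with these, weak families must be excluded via '!'.
AGGREGATES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM"}
MUST_EXCLUDE = {"EXPORT": {"EXPORT", "EXP"}, "DES": {"DES"}, "RC4": {"RC4"}, "LOW": {"LOW"}}

_DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def cipher_directives(conf_text):
    """All SSLCipherSuite values in a config text, in order (the last one wins)."""
    return _DIRECTIVE.findall(conf_text)


def effective_cipher_suite(global_conf, vhost_conf):
    """Apache merges per-server config so that a directive inside <VirtualHost>
    overrides the same directive in the main server config (ssl.conf)."""
    in_vhost = cipher_directives(vhost_conf)
    if in_vhost:
        return "vhost", in_vhost[-1]
    in_global = cipher_directives(global_conf)
    if in_global:
        return "global", in_global[-1]
    return "default", None


def audit_cipher_string(cipher_string):
    """Sorted list of problems: weak families enabled outright, or not excluded
    even though an aggregate alias (ALL, HIGH, ...) would pull them in."""
    enabled, excluded, uses_aggregate = set(), set(), False
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token.startswith("!"):        # '!X' permanently removes X
            excluded.add(token[1:])
            continue
        if token.startswith("-"):        # '-X' removes X (it may be re-added later)
            continue
        parts = token.lstrip("+").split("+")   # 'RC4+RSA' means RC4 AND RSA
        if any(p in AGGREGATES for p in parts):
            uses_aggregate = True
        for p in parts:
            if p in WEAK_FAMILIES:
                enabled.add("EXPORT" if p == "EXP" else p)
    problems = {f"{fam} enabled" for fam in enabled}
    if uses_aggregate:
        for fam, aliases in MUST_EXCLUDE.items():
            if fam not in enabled and not (aliases & excluded):
                problems.add(f"{fam} not excluded")
    return sorted(problems)


def check_site(global_conf, vhost_conf):
    """Combine both steps: where the effective directive comes from, and its problems."""
    source, cs = effective_cipher_suite(global_conf, vhost_conf)
    if cs is None:
        return {"source": source, "cipher_suite": None,
                "problems": ["no SSLCipherSuite set; OpenSSL's default list applies"]}
    return {"source": source, "cipher_suite": cs, "problems": audit_cipher_string(cs)}


if __name__ == "__main__":
    result = check_site(SSL_CONF, VHOST_CONF)
    print(f"effective SSLCipherSuite comes from the {result['source']} config:")
    print(f"  {result['cipher_suite']}")
    for problem in result["problems"]:
        print(f"  - {problem}")
```

The audit is a static heuristic over the cipher-string syntax; the authoritative expansion is what `openssl ciphers -v '<string>'` prints on the server itself, and a Qualys retest after fixing the vhost confirms which file mod_ssl actually read.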

Continue reading »

IIS as reverse proxy with SSL offloading

I recently set up a Microsoft IIS 7.5 as a reverse proxy. The setup is straightforward, but there can be an issue if you want to send all the traffic from the reverse proxy encrypted via SSL to the actual web server. Especially with self-signed certificates on your backend servers it becomes a bit of a hassle. This will be a problem if you use SSL offloading, which means that IIS terminates the SSL client request and forwards the HTTP request in a new SSL session protected by the destination server's self-signed SSL certificate.

Everything you have to know is that the self-signed SSL certificate has to be imported into your computer certificate store (not the user store!). Plus the certificate has to be valid: make sure it is not expired. And last but not least: the server has to be addressed by the certificate's subject name. It will not work if you enter the IP address of your HTTPS server, or if your server is called server1.local and your certificate says server1! If that information already solved your problem you do not have to read further; everyone else gets a more detailed explanation.

Set up IIS as a reverse proxy

All you have to do is install the Application Request Routing module on your IIS. The ARR module has to be downloaded from microsoft.com and cannot be added as a role service for IIS.

Configure IIS as a reverse proxy

Bind SSL to your IIS website

First your IIS website has to be bound to port 443 HTTPS. You can use a self-signed certificate or buy one from a well-known certificate authority. If you use a self-signed one, please make sure your certificate subject matches your website URL. This link may be helpful: How to create self signed certificates with alternate host name. To edit the site's binding, open IIS Manager, right-click the website and go to Edit Bindings. Then you have to select an IP address and a certificate which your proxy will present when a client requests HTTPS. Your site binding should look like the configuration in the picture.

Configure the rewrite rule

To configure the rewrite rule to achieve the functionality of a reverse proxy, go to your website in the IIS management tool. Then click on the "URL Rewrite" module as shown in the next picture. (On the right side you can see Browse Website; make sure it is bound to 443.) Choose the "Reverse Proxy" rule. Now the actual configuration starts. Enter your server name and the port where SSL is bound to. In my case it is 443. Please do not get confused by the SSL offloading explanation. HTTP requests are not necessarily transported over plain HTTP: if you specify the port, an SSL tunnel will be established to transport your HTTP packets encrypted. If you untick SSL offloading, the ARR module just forwards your packets to the backend server; then the SSL certificate of your backend server will be presented to the client! When you edit the rule later in expert view it should look like this picture.

Import certificates

Unless you have publicly signed certificates or you already trust your private certificate authority, you have to import the SSL certificates of your backend servers into the local computer store. If you run a lot of backend HTTPS servers I suggest creating a private CA. If you run 2-3 servers you can easily do it manually, or in case you set it up for testing purposes, a self-signed certificate is perfectly fine.

Run certmgr.msc
Add the Certificates snap-in
Select "Computer account"
Import the self-signed certificate into the "Trusted Root" store

Possible error: If IIS is not able to verify the certificate of the backend HTTPS server it will deliver an error message to the requesting client. The error message contains "HTTP Error 502.3 - Bad Gateway, A security error occurred, Error Code 0x80072f8f".

Remember: The server name you send the request to has to be the same as the subject name of your self-signed SSL certificate, and the certificate has to be valid: it must not be expired!

Continue reading »

Generate IIS7 SSL certificates for alternate hostname

In some cases it is necessary to have a self-signed SSL certificate which does not have the hostname as issuer but the fully qualified domain name. In this case the IIS 7.0 graphical interface is not sufficient because it only lets you create certificates with the hostname as issuer! Luckily Microsoft released a CLI tool to create certificates. First you need to download the Internet Information Services (IIS) 6.0 Resource Kit Tools from Microsoft.com. Install the toolkit on the server you want to create the self-signed SSL certificates for and just select "SelfSSL Tool" during the wizard. Change directory to:

Parameters explained:

/S: Site ID
/N:CN=: canonical FQDN (yoursite.com or xyz.yoursite.com)
/V: validity in days (365 equals 1 year; the value can be self-defined!)

To determine the Site ID for IIS5 and IIS6 check out this link: How to find the SiteID in IIS5 and IIS6

Continue reading »

Windows Server 2012: Ethernet Drivers for Gigabyte GA-Z87-D3HP

Unfortunately Intel does not support Microsoft Windows Server 2012 for its Gigabit LAN I217-V series. But I figured out how to use the Windows 8 drivers instead, which seem to be fully compatible. This should also work with Windows Server 2012 R2; I'll update this post as soon as I have tested it.

Mainboard: Gigabyte GA-Z87-D3HP Rev. 1.0
Onboard Gbit Ethernet: Intel I217-V
Operating System: Microsoft Windows Server 2008 x64 Standard Edition

1. Download the Intel driver package from Gigabyte (choose the package for Windows 8).
2. Extract the driver package and navigate to folder PRO1000\Winx64\NDIS63.
3. Open file e1d63x64.inf in a text editor.
4. Delete or comment out the lines between [ControlFlags] and [Intel].
5. Copy the lines starting with %E153BNC from section [Intel.NTamd64.6.2.1] to section [Intel.NTamd64.6.2]. 6.2.1 equals Windows 8 and 6.2 equals Server 2012!
6. Reboot your system, press F8 while it is booting and select "Disable driver signature enforcement".
7. Open the Windows Device Manager and search for the driver on your hard disk.

Here is a screenshot of how the edited file should look:
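Hand-editing the INF works, but it is easy to comment out one line too many or copy a line into the wrong section. The following added example (my code, not from the original post or from Intel) applies steps 4 and 5 to the INF text as a parser would: it splits the file into sections, comments out the whole [ControlFlags] body with the INF comment character, and copies the %E153BNC lines from [Intel.NTamd64.6.2.1] into [Intel.NTamd64.6.2] without creating duplicates. SAMPLE_INF is a constructed stand-in; only the section names and the %E153BNC prefix come from the post, the device entries are made up for illustration.

```python
"""Apply the two INF edits from the post to a copy of e1d63x64.inf.

Added example, not from the original post or from Intel. SAMPLE_INF is a
constructed stand-in with the section layout the post describes.
"""
import re

SAMPLE_INF = r"""[Version]
Signature = "$Windows NT$"
Class     = Net

[ControlFlags]
ExcludeFromSelect = PCI\VEN_8086&DEV_153B

[Intel]
%Intel% = Intel, NTamd64.6.2, NTamd64.6.2.1

[Intel.NTamd64.6.2]
%EXAMPLE.DeviceDesc% = EXAMPLE.6.2.1, PCI\VEN_8086&DEV_0000

[Intel.NTamd64.6.2.1]
%EXAMPLE.DeviceDesc% = EXAMPLE.6.2.1, PCI\VEN_8086&DEV_0000
%E153BNC.DeviceDesc% = E153B.6.2.1, PCI\VEN_8086&DEV_153B
%E153BNC.DeviceDesc% = E153B.6.2.1, PCI\VEN_8086&DEV_153B&SUBSYS_00008086

[Strings]
E153BNC.DeviceDesc = "Intel(R) Ethernet Connection I217-V"
"""

_HEADER = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def parse_inf(text):
    """Split INF text into an ordered list of (section_name, lines).
    Text before the first [header] gets section_name None."""
    sections, name, body = [], None, []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            sections.append((name, body))
            name, body = m.group(1), []
        else:
            body.append(line)
    sections.append((name, body))
    return sections


def render_inf(sections):
    """Inverse of parse_inf: headers followed by their lines."""
    out = []
    for name, body in sections:
        if name is not None:
            out.append(f"[{name}]")
        out.extend(body)
    return "\n".join(out) + "\n"


def patch_inf(text, source="Intel.NTamd64.6.2.1", target="Intel.NTamd64.6.2",
              prefix="%E153BNC", disable="ControlFlags"):
    """Step 4: comment out every line of [ControlFlags] (';' is the INF comment).
    Step 5: copy the lines starting with `prefix` from `source` into `target`.
    Running it twice on the same text yields the same result."""
    sections = parse_inf(text)
    by_name = {name: body for name, body in sections}   # bodies are shared lists
    flags = by_name.get(disable, [])
    flags[:] = [line if (not line.strip() or line.lstrip().startswith(";")) else ";" + line
                for line in flags]
    wanted = [line for line in by_name.get(source, []) if line.startswith(prefix)]
    if target not in by_name:
        sections.append((target, []))
        by_name[target] = sections[-1][1]
    tgt = by_name[target]
    while tgt and not tgt[-1].strip():   # drop the blank separator, re-add it below
        tgt.pop()
    for line in wanted:
        if line not in tgt:
            tgt.append(line)
    tgt.append("")
    return render_inf(sections)


if __name__ == "__main__":
    print(patch_inf(SAMPLE_INF))
```

Editing the INF this way (or by hand, as in the post) makes the package no longer match its signed catalog file, which is exactly why the post's F8 step to disable driver signature enforcement is needed; treat the resulting machine as running an unsigned kernel-mode driver and keep the unmodified package around for when a supported driver appears.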

Continue reading »

Resize logical volumes within a Linux Volumegroup

If you want to extend your volume group by resizing your virtual hard drive or adding a new hard drive to your VG, the following commands may help you. I use this method to resize virtual hard drives on ESX servers. It should work the exact same way with other virtualization solutions like VMware Workstation, Player and VMware Server.

System specification:
OS: CentOS 6.3 x64 minimal
Hardware: VMware
SCSI controller: Paravirtual
VMware host version 8

1. Backup (I know, backup is for babies)
2. Shut down the server
3. Use vSphere Client/VMware Console to add/resize the disk
4. Boot 😉
5. Run cfdisk to see if the (resized) HDD is recognized; cfdisk /dev/sdb to access the 2nd drive
6. Create a new primary partition with cfdisk from the free disk space
7. Change [ Type ] with cfdisk to 8e (Linux LVM)
8. Accept the changes with Write
9. Use the following commands to do the actual resize:


Continue reading »