Enabling gpg-agent

Luxing Huang — Sun, 21 Feb 2016 05:02:14 +0000

When I was following this tutorial to setup GnuPG for mutt account profiles on my personal laptop, I hit gpg-agent is not available in this session error when I was trying to decrypt my profile. Also, I have to type my password for every time when I try decryption.

This is annoying.

With a little poking around, I found 2 reasons that could affect my setup. First, the gpg-agent.conf under ~/.gnupg. My current setup is:

default-cache-ttl 999999
max-cache-ttl 999999
ignore-cache-for-signing

Obviously I maxed-out the expiration time gpg-agent stores my password in cache (the default-cache-ttl value. It used to be 0).

Secondly, I installed gnupg2 long time ago and I was using gpg-agent for GnuPG 2, the gpg command is actually from GnuPG 1. This confused me a little to figure out. Make sure to use gpg2 command rather than gpg.

If you are encrypting mutt profile too, make sure to use gpg2 everywhere.

Finally, run this at boot time to start an agent daemon.

gpg-agent --daemon --allow-preset-passphrase

SSL Setup

Luxing Huang — Mon, 28 Jul 2014 18:14:19 +0000

This is a personal technical note for SSL certificate setup, ensuring better scores at SSL Labs so that we have a better Internet security for our own.

I use the built-in script provided from RHEL/CentOS to generate a private key. The location is under /etc/ssl/cert, by typing

make site.key

It will generate a private key. Its actual command is:

openssl genrsa -aes128 2048

You can adjust the key size for your own needs, but at least 2048 is needed for a relatively secure certificate.

Then we make its CSR by typing:

make site.csr

The actual command is:

openssl req -new -key site.key -out site.csr -aes256

The name site must be the same as the key name for the script to work. You can now copy and paste the CSR to whoever your trusted SSL Certificate Provider to sign. It doesn’t matter who choose to sign it as long as your user and you trust it, therefore I used CACert.org

Before we do anything else, we need to generate a different DH param. Let’s cd into /etc/nginx/ssl (or whatever you prefer), and do the following command:

openssl dhparam -out dhparams.pem 2048

Now we generate a custom DH param for securer DH. In the configuration next, we will use it.

Next, we need to setup a website that runs on SSL. Choosing the cipher is the most important part that prevents most of the crackers cracking decipher your server’s communication. The httpd side of software I choose is nginx, I like its versatility and efficiency.

Inside the server block, we must have the following lines:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;

ssl_dhparam /etc/nginx/ssl/dhparams.pem;

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; # includeSubdomains only needed for the whole site encryption. You may or may not need it.

# The following settings only works with CA certified certs, not self-signed certs.
ssl_stapling on; 
resolver 8.8.8.8;
ssl_trusted_certificate /etc/nginx/ssl/root.crt; # Your CA Root cert.

The main purpose of Line 1 is to stop accepting requests from insecure protocols such as SSLv2, Line 2 restricts the cipher we will be using, and stop some insecure ciphers such as MD5 and RC4. If we add RC4 back on the list, we eliminate the chance to get BEAST attack, but will suffer RC4 attack. By removing RC4, some of the older browsers will not support visiting the website and possible to suffer BEAST attack. The future trend is, RC4 attack will get more sophisticated, and chance of BEAST attack will get smaller, I’d recommend to remove RC4 from the list.

Line 4 and 5 are for the SSL reuse, this can improve the performance. Line 6, 7, 8 are related to OCSP stapling, it enables the server to check the OCSP status, which can check the revocation of the certificates. The root.crt is the Class 1 PKI key of your CA.

Go to SSLLabs for a test, you might get an A+ if your signing authority is trusted!

Changelog:
2014.08.13 – Added 3DES back to cipher suites for Windows XP compability.
2014.10.17 – SSLv3 support is removed (POODLE). Strict Transport Security is added.
2015.03.03 – RC4 removed and banned.
2015.06.02 – Update DH strength

setup – Luxing Huang

Enabling gpg-agent

SSL Setup