ssl – Luxing Huang

Check Out your IP address (And User-Agent)

Luxing Huang — Mon, 11 May 2015 12:16:44 +0000

I know there are many tell-your-IP-address services available, some even have the whois lookup functionality. I found it was unhelpful when it comes to scripting. I made a website, it has more features which curlmyip.com doesn’t have. It could report your IP address for a script-friendly way (direct response). It supports ipv4, ipv6 and SSL access.

IP:
http://ipv4.luxing.im
http://ipv6.luxing.im
http://ip.luxing.im
https://get.luxing.im/ip

User-Agent:
http://ua.luxing.im
https://ua.luxing.im
http://get.luxing.im/ua

When you are using the ua.luxing.im method in cURL, you need to add -L option to follow the link.

If you are using cURL with SSL, you may need to take a look at this article.

cURL support for CloudFlare-enabled websites

Luxing Huang — Mon, 06 Apr 2015 12:05:22 +0000

CloudFlare provides a nice protection from DDoS and other hacking activities, last year they even added a free UniverSSL package to all users. The problem began with the cURL ciphers on cloudflare-enabled websites. cURL does not successfully handshake with cloudflare servers with its default encryption algorithms.

Update: Recent update on cURL and nss libs have enabled curl to operate on CloudFlare-enabled web pages without doing anything. Git also works now.

I test my website out using openssl s_client.

openssl s_client -connect luxing.im:443

We could see the following output:
... New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 ...

OK so it is using ECDHE-RSA-AES128-GCM-SHA256 cipher to connect to my website.

Well, let’s try this:

curl https://luxing.im --cipher ecdhe_rsa_aes_128_gcm_sha_256

curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

Huh. Strange isn’t it? With a LOT of searching, finally I got an answer from here, I added the suggested line to .curlrc in my home directory:

 ciphers="rsa_aes_256_sha,rsa_aes_128_sha,dhe_rsa_aes_256_cbc_sha,dhe_rsa_aes_128_cbc_sha,rsa_aes_256_cbc_sha_256,rsa_aes_128_cbc_sha_256,dhe_rsa_aes_256_cbc_sha_256,dhe_rsa_aes_128_cbc_sha_256,rsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_gcm_sha_256"

Then try:

curl -v https://luxing.im

Yes, now my curl is working. Let’s see the output:
... * SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ...

OK. It is actually using the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 algorithm, so forcing the cipher to use ecdhe_ecdsa_aes_128_gcm_sha_256 works.

My curl is:
curl -V curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.17.4 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.4.3 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
And I am on Fedora 20+.

Note:
1. Debian/RHEL/CentOS series does not support this algorithm. You’ll have to create a ticket to CloudFlare support to discuss it with them.
2. According to this, git uses cURL to access https repositories but this workaround won’t help. Too bad.

SSL Setup

Luxing Huang — Mon, 28 Jul 2014 18:14:19 +0000

This is a personal technical note for SSL certificate setup, ensuring better scores at SSL Labs so that we have a better Internet security for our own.

I use the built-in script provided from RHEL/CentOS to generate a private key. The location is under /etc/ssl/cert, by typing

make site.key

It will generate a private key. Its actual command is:

openssl genrsa -aes128 2048

You can adjust the key size for your own needs, but at least 2048 is needed for a relatively secure certificate.

Then we make its CSR by typing:

make site.csr

The actual command is:

openssl req -new -key site.key -out site.csr -aes256

The name site must be the same as the key name for the script to work. You can now copy and paste the CSR to whoever your trusted SSL Certificate Provider to sign. It doesn’t matter who choose to sign it as long as your user and you trust it, therefore I used CACert.org

Before we do anything else, we need to generate a different DH param. Let’s cd into /etc/nginx/ssl (or whatever you prefer), and do the following command:

openssl dhparam -out dhparams.pem 2048

Now we generate a custom DH param for securer DH. In the configuration next, we will use it.

Next, we need to setup a website that runs on SSL. Choosing the cipher is the most important part that prevents most of the crackers cracking decipher your server’s communication. The httpd side of software I choose is nginx, I like its versatility and efficiency.

Inside the server block, we must have the following lines:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;

ssl_dhparam /etc/nginx/ssl/dhparams.pem;

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; # includeSubdomains only needed for the whole site encryption. You may or may not need it.

# The following settings only works with CA certified certs, not self-signed certs.
ssl_stapling on; 
resolver 8.8.8.8;
ssl_trusted_certificate /etc/nginx/ssl/root.crt; # Your CA Root cert.

The main purpose of Line 1 is to stop accepting requests from insecure protocols such as SSLv2, Line 2 restricts the cipher we will be using, and stop some insecure ciphers such as MD5 and RC4. If we add RC4 back on the list, we eliminate the chance to get BEAST attack, but will suffer RC4 attack. By removing RC4, some of the older browsers will not support visiting the website and possible to suffer BEAST attack. The future trend is, RC4 attack will get more sophisticated, and chance of BEAST attack will get smaller, I’d recommend to remove RC4 from the list.

Line 4 and 5 are for the SSL reuse, this can improve the performance. Line 6, 7, 8 are related to OCSP stapling, it enables the server to check the OCSP status, which can check the revocation of the certificates. The root.crt is the Class 1 PKI key of your CA.

Go to SSLLabs for a test, you might get an A+ if your signing authority is trusted!

Changelog:
2014.08.13 – Added 3DES back to cipher suites for Windows XP compability.
2014.10.17 – SSLv3 support is removed (POODLE). Strict Transport Security is added.
2015.03.03 – RC4 removed and banned.
2015.06.02 – Update DH strength