Verify OpenSSL TLS 1.2

In an effort to combat cyber crime, major tech companies are advocating encryption for the entire Internet through the free certificate service called “Let’s Encrypt”, meaning that in the not so distant future browsers will block public web pages in the following categories:

    * Web pages running on plain HTTP, port 80
    * Web pages with self-signed certificates
    * Web pages with weak encryption
    * Web pages without TLS 1.2 certified encryption
    * Web pages still encrypting with the old SSLv3

Below are some examples of how to quickly test, using OpenSSL, whether your site supports TLS 1.2.

TLS 1.2 is supported by OpenSSL 1.0.1 or later. Verify your version:

~$ openssl version
OpenSSL 1.1.1d  10 Sep 2019

Verify a TLS 1.2 enabled website by querying its certificate and looking for the negotiated cipher at the bottom of the output. If it returns handshake error messages and no cipher, the site probably does not support TLS 1.2. It should return something like this:

[Read more…]
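A script form of that check, added here as an example and not taken from the original post: it forces one protocol version per `openssl s_client` run, sends SNI, and reads the `Cipher` line of the session summary, reporting NONE when the handshake fails. The host and port are placeholders supplied by the caller, and the s_client excerpts embedded in the script are constructed samples used only to self-test the parser.

```sh
#!/bin/sh
# Added example, not from the original post: probe a site for TLS 1.2 with
# openssl s_client and report the negotiated cipher. Assumes OpenSSL 1.0.1+
# on PATH; host and port are supplied by the caller (placeholders here).

# Constructed excerpts of s_client output, used to self-test the parser.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Read s_client output on stdin and print the negotiated cipher, or NONE when
# the handshake failed (s_client then prints "Cipher    : 0000").
negotiated_cipher() {
    awk '/^ *Cipher *:/ { c = $NF }
         END { if (c == "" || c == "0000" || c == "(NONE)") print "NONE"; else print c }'
}

# Force one protocol version (-tls1_2, -tls1_1, -tls1, -ssl3) and print
# "<flag> <cipher>". -servername sends SNI so virtual hosts present the right
# certificate; closing stdin makes s_client exit after the handshake. A flag
# the local OpenSSL build does not support (often -ssl3) also yields NONE.
probe_protocol() {
    host=$1; port=${2:-443}; flag=${3:-"-tls1_2"}
    cipher=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
                 </dev/null 2>/dev/null | negotiated_cipher)
    printf '%s %s\n' "$flag" "$cipher"
}

# Usage: sh tlscheck.sh www.example.com [443]
# A compliant site shows a cipher for -tls1_2 and NONE for -tls1 and -ssl3.
if [ "$#" -gt 0 ]; then
    for flag in -tls1_2 -tls1_1 -tls1 -ssl3; do
        probe_protocol "$1" "${2:-443}" "$flag"
    done
else
    printf 'parser self-test: %s / %s\n' \
        "$(printf '%s\n' "$SAMPLE_OK" | negotiated_cipher)" \
        "$(printf '%s\n' "$SAMPLE_FAIL" | negotiated_cipher)"
fi
```

Run with no arguments to exercise the parser on the constructed samples; with a host name it performs the live probes and prints one line per protocol version.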

Apache SSL TLS Certificate Creation Script

Overview

Brief notes on how to create an Apache OpenSSL certificate using a bash script under Debian 10. A website that is not encrypted can become a threat to its visitors, and many providers now block websites that are not SSL/TLS enabled. The audience is experienced Linux administrators.

Definitions

    * Root CA certificate = the main self-signed certificate of the Root certificate authority, which signs all other certificates or intermediate certificates.
    * Intermediate CA certificate = a certificate issued to an intermediate certificate authority (CA), signed by the Root CA.
    * CA Bundle certificate = the merge of the Root CA certificate and the Intermediate CA certificate, valid as a root certificate.
    * Certificate = the end certificate received by the site, signed by the Intermediate CA certificate.
    * Certificate Chain = the end certificate, along with the CA Bundle certificate.
    * The intermediate method is more secure: the compromise of one intermediate certificate authority does not affect the entire root.

The Script

The OpenSSL script below is simple; the variables inside it need to be edited first. It creates the following four files:

    * Raw private key.
    * RSA private key.
    * CSR, certificate signing request.
    * Self-signed certificate, for testing.

Creating the private key in at least two formats seems like a good idea. Always keep private keys truly private and secure.

[Read more…]

Tiny Core Linux Customization

Overview

Brief notes on a Tiny Core Linux rescue kernel, customized and minimized to 25MB and containing many useful administrative utilities; very useful for rescue work, offline cold backups, restores, troubleshooting boot problems and disaster recovery. It can launch from a local Linux boot loader, an external USB hard disk, a USB stick, or a virtual/physical CD-ROM ISO. The distro is very well maintained with the latest kernels. The Tiny Core Linux Team did a great job with this mini distro and the Linux community celebrates their work.

Main site: http://tinycorelinux.net/

The utilities I used most: LVM, mount, sshd, rsync, scp, netcat, netstat, tar, chroot.

Download

http://tinycorelinux … yCorePure64-11.0.iso [28MB]

GRUB2 Boot

Add to an existing GRUB2 system to enable a rescue boot from a regular local hard disk. Copy the Tiny Core kernel, ramdisk and extension directory:

# mount -o loop TinyCorePure64-11.0.iso /mnt
# mkdir -p /boot/tce/optional
# cp /mnt/boot/vmlinuz64 /boot/tcvmlinuz64
# cp /mnt/boot/corepure64.gz /boot/tccorepure64.gz
# cp -r /mnt/boot/cde/* /boot/tce/
# chmod 0444 /boot/tcvmlinuz64
# chmod 0444 /boot/tccorepure64.gz
# chmod 0750 /boot/tce

Add the GRUB2 entry (the paths below are relative to the partition GRUB sees as root; they assume /boot is a separate partition, otherwise use /boot/tcvmlinuz64 and /boot/tccorepure64.gz):

# cat /etc/grub.d/40_custom
menuentry "Tiny Core 11.1 Rescue" {
    linux /tcvmlinuz64 noswap nozswap nohdcp superuser vga=791 tz=GM-5 host=foo
    initrd /tccorepure64.gz
}

Rebuild the GRUB2 configuration, then test it:

# grub2-mkconfig -o /boot/grub2/grub.cfg

# reboot

[Read more…]