A self-signed certificate with SANs and SHA256 by OpenSSL.

Update information      Edit(Oct.28)

   When I tested my SSL server by “Qualys SSL Labs – Projects / SSL Server Test” for this dust, the test gave me the following Reds and Oranges (^_^;).
 
||Reds||

  1. Trusted : No NOT TRUSTED <<---- Because I use a self-signed certificate that the Labs doesn't know. So I ignore the message with confidence ha-ha.
  2. IE 6 / XP No FS 1 No SNI 2 : Protocol or cipher suite mismatch : Fail3 <<---- My SSL server user is only me, and I don't use IE 6 / XP. So I ignore the message.
  3. Fail3 They say “Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.” My SSL server doesn’t accept lower protocols, but it’s no problem for me.
   As above I have nothing to be done about Reds.

||Oranges||

  1. Prefix handling : Not valid for “www.o6asan.com” : CONFUSING
  2. Signature algorithm : SHA1withRSA : WEAK
  3. Chain issues : Contains anchor <<---- Ivan Ristić replied about “Chain issues Contains anchor”. So I ignore the message.
  4. Not in trust store <<---- Because I use a self-signed certificate. So I ignore the message.
  5. Downgrade attack prevention : No, TLS_FALLBACK_SCSV not supported
  6. Forward Secrecy : With some browsers

   As above I have something to be done about 1, 2, 5 and 6. First I handle 5 and 6 because I need to re-create a new certificate for 1 and 2.

  1. I updated Apache 2.4.10 (httpd-2.4.10-win32-VC11.zip) to the October 20 version, because it was built with openssl-1.0.1j, which supports TLS_FALLBACK_SCSV.
  2. I uncommented SSLHonorCipherOrder on and changed the SSLCipherSuite directive value in httpd-ssl.conf.
    HIGH:MEDIUM:!aNULL:!MD5
    ↓
    EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
    EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP
    !PSK !SRP !DSS

       Ref : Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
    ↓ I changed on Dec. 23 because of RC4.
    EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH
    EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS

       Ref : RC4 in TLS is Broken: Now What?

    If your server has to support some mobile OS/browsers or legacy ones, you need additional configuration. But the above is enough for my server.
  3. After them the test gives me “Downgrade attack prevention : Yes, TLS_FALLBACK_SCSV supported” and “Forward Secrecy : Yes (with most browsers) ROBUST”.

   Second I handle 1 and 2.
   The 1 is caused by the fact that my self-signed certificate only has o6asan.com as its Common Name. So I have to create a new certificate supporting both o6asan.com and www.o6asan.com. But there is a problem that I want to use only one IP address for my SSL server. Nowadays we have the solution for this issue that is called SNI (Server Name Indication), though not all OS/browsers support it yet. I can use a wildcard certificate or SAN for SNI. I use SANs because I don’t want to allow my SSL server to accept all subdomains, though I can restrict them by Apache configuration.
   The 2 is caused by my creation of the certificate by OpenSSL default, which is set to use SHA1. So I’ll use default_md = sha256 for the new certificate.
 On 28th, I re-read Server Name Indication. Is SNI a different story from wildcard certificate / SAN? I don’t understand them still now. Difficult.

   I copy the file openssl.cnf (← this is the default name) from the Apache24\conf folder to c:\openssl-1.0.1x-winxx\ssl (← this is the default location) and customize it as follows.

    Change values and uncomment a line.

  1. dir = ./demoCA -->> dir = X:/demoCA <<----Need an exact path
  2. default_crl_days = 30 -->> default_crl_days = 365
  3. default_md = default -->> default_md = sha256
  4. default_bits = 1024 -->> default_bits = 2048
  5. # req_extensions = v3_req -->> req_extensions = v3_req
    Adding lines.

  1. subjectAltName = @alt_names to [ v3_req ] area.
  2. [ alt_names ]
    DNS.1 = example.com
    DNS.2 = www.example.com
    to just before [ v3_ca ] area.
     
    You can add your domains, like DNS.1, DNS.2, DNS.3, ….
  3. If you make a client certificate, add the followings to the end of the openssl.cnf.
    [ ssl_client ]
    basicConstraints = CA:FALSE
    nsCertType = client
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth
    nsComment = "OpenSSL Certificate for SSL Client"

   Now I’ll create a new certificate. (Ref : WordPress: Administration Over SSL #1)

    ||Create myCA||

  1. Make myCA folder at X:/
  2. Make two folders and a file named private, newcerts and index.txt in the myCA.
  3. Run cmd.exe as Administrator
    pushd X:\myCA
    echo 01 > serial
    openssl req -new -keyout private\cakey.pem -out careq.pem
    openssl ca -selfsign -in careq.pem -extensions v3_ca -out cacert.pem
    copy cacert.pem (Drive_SV):\Apache24\conf\ssl.crt
    copy cacert.pem my_ca.crt

      Note) (Drive_SV) is a partition for server components on my home server PC.
    ||Create Server Cert||

  1. pushd X:\myCA
    openssl genrsa -out server.key 2048
    openssl req -new -out server.csr -key server.key
  2. Check multiple SANs in the CSR (Can you see ‘Subject Alternative Name’ area in it?)
    openssl req -text -noout -in server.csr
  3. openssl ca -in server.csr -out server.crt -extensions v3_req
    copy server.key cp_server.key
    openssl rsa < cp_server.key > server.key
    copy server.key (Drive_SV):\Apache24\conf
    copy server.crt (Drive_SV):\Apache24\conf
    ||Create Client Cert||

  1. pushd X:\myCA
    openssl req -new -keyout client.key -out client.csr
    openssl ca -policy policy_anything -extensions ssl_client -in client.csr -out client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key -out clientcert.p12

References about SANs : FAQ/subjectAltName (SAN), Multiple Names on One Certificate.

   I have a self-signed certificate with SANs and SHA256 now. Mission complete!!
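
The two Oranges fixed above (www name not covered, SHA1 signature) can be checked on the finished certificate without going back to SSL Labs. The following is an added example, not part of the original post: it is POSIX shell rather than cmd.exe, it self-signs with `openssl x509 -req -signkey` instead of the post's `openssl ca` so that no CA folder is needed, and example.com, www.example.com, mail.example.com and the file names are placeholders.

```shell
# Added example: build a throwaway SAN + SHA-256 certificate and verify it.
# Host names and file names are placeholders, not the post's real values.

# Minimal config with the same settings the post edits into openssl.cnf.
write_cnf() {
cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = example.com
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
}

# Create key, CSR and certificate in directory $1. Extensions in a CSR are
# not copied when signing, so the v3_req section is named again for the cert.
make_cert() {
  write_cnf "$1/san.cnf" &&
  openssl req -new -newkey rsa:2048 -nodes -config "$1/san.cnf" \
      -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 30 \
      -sha256 -extfile "$1/san.cnf" -extensions v3_req \
      -out "$1/server.crt" 2>/dev/null
}

# Print the certificate's signature algorithm.
cert_sig_alg() {
  openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Succeed only if the certificate lists DNS:$2 in its subjectAltName.
cert_has_san() {
  openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' |
    tail -n 1 | tr -d ' ' | tr ',' '\n' | grep -qx "DNS:$2"
}

d=$(mktemp -d) && make_cert "$d" && cert_sig_alg "$d/server.crt"
for n in example.com www.example.com mail.example.com; do
  cert_has_san "$d/server.crt" "$n" && echo "$n: covered" || echo "$n: NOT covered"
done
```

The same two functions work on a certificate issued by `openssl ca -extensions v3_req`; if the SAN check fails there, the extension section was not applied at signing time.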

Does cURL have POODLE?

Update information      Edit(Oct.26)

   I wrote about “POODLE” issue on the last post. After that, I suddenly got worried about cURL on WordPress because I read SSLv3 fallback attack POODLE.

   Though I found the following option at curl_setopt,
curl_setopt( $handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
I couldn’t get where I should add it among WordPress Core Scripts. So, I made a topic on WordPress Forums…I’m waiting answers.

Edit(Oct.26):
   I just made the topic [resolved], because I got the result that my cURL exactly uses TLSv1.2 by %{SSL_PROTOCOL} on the Apache log. I don’t need CURL_SSLVERSION_TLSv1 on the file class-http.php. If the SSL server has appropriate configurations, clients can access it safely if their software components have the abilities required.

   Clap clap, (*´▽`*).
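
The %{SSL_PROTOCOL} check described above can be run over a whole log to see which clients still negotiate SSLv3 or RC4. This is an added example, not from the original post; it assumes the log format of the stock httpd-ssl.conf (`"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"`), and the log lines are constructed samples using documentation addresses.

```shell
# Added example. Assumed format: %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
# %t takes two whitespace-separated fields, so: $3 client, $4 protocol, $5 cipher.

# Constructed sample lines (not real traffic).
sample_log() {
cat <<'EOF'
[26/Oct/2014:10:00:01 +0900] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /wp-cron.php HTTP/1.0" 20
[26/Oct/2014:10:00:05 +0900] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /wp-admin/ HTTP/1.1" 7312
[26/Oct/2014:10:00:07 +0900] 198.51.100.7 SSLv3 DHE-RSA-AES256-SHA "GET / HTTP/1.1" 5120
[26/Oct/2014:10:01:12 +0900] 203.0.113.5 TLSv1 ECDHE-RSA-RC4-SHA "GET / HTTP/1.1" 5120
[26/Oct/2014:10:02:30 +0900] 203.0.113.5 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 5120
EOF
}

# Read a log on stdin; print "count client protocol" for every pair seen.
protocol_summary() {
  awk '{ n[$3 " " $4]++ } END { for (k in n) print n[k], k }' | sort -k2,2 -k3,3
}

# Read a log on stdin; print "client protocol cipher" for every request that
# negotiated SSLv2/SSLv3 or an RC4 suite, once per distinct combination.
legacy_clients() {
  awk '$4 ~ /^SSLv[23]$/ || $5 ~ /RC4/ { print $3, $4, $5 }' | sort -u
}

echo "Protocols per client:"
sample_log | protocol_summary
echo "Legacy protocol or RC4:"
sample_log | legacy_clients
```

On a real server, replace `sample_log` with the SSL request log file as input; an empty second list after the configuration change means no client is still falling back.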

Memorandum #7.

Update information      Edit(Oct.18)

   Did you already handle “POODLE” issue, i.e. CVE-2014-3566? OpenSSL Security Advisory [15 Oct 2014] is also related to this.

   First, as a web site operator:
   I haven’t got the new version built with 1.0.1j from Apache Lounge yet, so I’ve done the workaround I read on “SSL v3 goes to the dogs – POODLE kills off protocol”.

   I added the SSLProtocol All -SSLv3 to my httpd-ssl.conf and restarted the httpd.exe. Before this, SSL Server Test gave me “This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C”. But after this, it gave me “This server is not vulnerable to the POODLE attack because it doesn’t support SSL 3”. Actually, I use Apache 2.4 and OpenSSL 1.0.1, so at my mod_ssl ‘SSLProtocol all’ means ‘SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2’ according to SSLProtocol Directive.

   Second, as a user:
   I did the following workaround. See “How to protect your browser”.

Edit(Oct.18):
 PHP 5.6.1 -->> PHP 5.6.2 ChangeLog.
 phpMyAdmin 4.2.9.1 -->> phpMyAdmin 4.2.10 ChangeLog.

Hey Vongfong! Won’t you pass us over soon?


Typhoon Vongfong from Oct.12@9:00 ~ Oct.13@8:30
   I got it from TV flash that Vongfong moved onshore near Makurazaki around 8:30JST.

   I’ve put up shutters since last night and been stuck in the house. We have Storm warning, Heavy rain Advisory, Flood Advisory and Thunderstorm Advisory in my town and others. Though I heard the wind roar at midnight, now very calm and almost no rain. Is it the calm before the storm?

   As the path of the typhoon moved just to the south compared with its anticipated course, my town will be less affected. But its speed is getting a little faster (around 30 km/h).

   Hey Vongfong! Won’t you pass us over soon?

Edit:
   I’ve opened the shutters just now (just after 14:00JST). I usually keep them open except when typhoons are coming.

   “Parturiunt montes, nascitur ridiculus mus.” This is one of those things this year. But no disasters are grateful for us.   “A natural disaster strikes when people lose their memory of the previous one.” So, do not neglect our duty!

   And, Vongfong still has power. Keep preparing for it, guys!

Moon and Uranus.

   FHさん gave me the images of the total lunar eclipse on October 8 because I wrote on his BBS that I envied the image he uploaded on his site (^_^;).

   I show you five images by him. I found out Uranus on his images. This time it is Uranus absolutely, I bet.

   You can see Uranus clearly on three of them. That night, Uranus’s apparent magnitude was around 5.7. But as the moon gets darker and darker, we can see Uranus more and more easily on the images. Interesting!

@18:25JST
@18:32JST
@18:58JST
@19:08JST
@19:37JST
photographer: FHさん
Shooting location: Kyōto
Typhoon Vongfong from Oct.11@9:00 ~ Oct.12@8:30

   By the way, a typhoon is approaching, again. My town has no disaster by typhoons this year until now. We have to prepare for it. “Well Prepared Means No Worries.” I really hope it will end in no worries.

   Anyway, it has a lot of rain clouds.

Puppy Linux (Precise-571JP)

Update information      Edit(Oct.10)

Lunar Eclipse
@21:01JST
   Did you see the total lunar eclipse last night? I almost missed and only took a picture when it looked like a last quarter moon. I can see a star on the image. Is it Uranus? I’ve checked it up but haven’t found out about the solid evidence. Someone, please tell me it’s so or not.
 
   Now, I’ll write the story about the title.
 
   I tried a Puppy Linux (Precise-571JP) to use as a SHOUTcast server on a LOOX T93B. To state the conclusion first, I gave it up. I installed a Puppy Linux after a long interval. The last time, I used a Puppy whose version was 5.01 and English. This time, I was very glad that Precise-571JP is very easy to use. I think Puppy is one of the good Linux distributions. It is very light and doesn’t require high specs; nonetheless, the LOOX has too low specs.
 
   Actually, though I could run a Shoutcast server and broadcast streams, I could never fix jumpiness even after stopping several services of Puppy’s default.
 
   If you want to use Precise-571 as a mobile OS in a USB flash drive, I think it is very good.
By StellaNavigator 10

Edit(Oct.10):
   Ooops! I understood that the star above was not Uranus. I checked it up by StellaNavigator 10. It’s an amazing software though I used a trial version.

A batch file of jpegtran for overwriting on Windows.

Update information      Edit(2016.Oct.29)

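   When I use jpegtran on Windows, it’s very inconvenient. So I made a batch file for myself, which overwrites the original jpeg file with the new optimized jpeg file.
@echo off
rem Optimize every JPEG given as an argument (drag & drop) and overwrite
rem the original only when the optimized copy is smaller.
setlocal enabledelayedexpansion
pushd "%~dp0"
for %%a in (%*) do (
rem Temporary output in the batch folder; ".opt" keeps it from colliding
rem with an input file that lives in the same folder.
set "OutFile=%%~na.opt%%~xa"
jpegtran -copy none -optimize -outfile "!OutFile!" "%%~a"
for %%b in ("!OutFile!") do set fileSize=%%~zb
if !fileSize! LSS %%~za (copy "!OutFile!" "%%~a" >nul)
del "!OutFile!"
)
popd
exit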
   Basically, the batch file replaces original jpeg files with new ones, but it leaves the original files instead of the new ones when the new file is bigger than the original. This sometimes occurs if the original was created by some graphics editors. Around 100 files are possible at one time. This maybe depends on the ability of cmd.exe itself, I think.

   How to use the batch file:

  1. Copy & paste the above codes to a text editor, and save it as a batch file named ‘jpegtran.bat’ or something. You can have ‘jpegtran.txt’ from here. Change its extension from txt to bat.
  2. Copy the batch file and jpegtran.exe to the same folder.
  3. Drag & Drop the jpeg files you want to optimize onto the batch icon.
  4. That’s it.

   If you use the batch file, please remember the following: this batch file overwrites, so it leaves no original files.

   I optimized all jpeg files in my sites. Now, I have no suggestion about jpeg files from PageSpeed Insights. Clap, clap.

References:
   1. List of DOS commands (Japanese)
   2. Jpegtran’s help

Edit(2016.Oct.29):
   This post has a few visitors. So, I added some though I wrote this long before 😋.

   You can place the folder (which contains jpegtran.exe and jpegtran.bat) anywhere on your PC. For your convenience, you should create a shortcut to jpegtran.bat on your Desktop. The shortcut works the same as jpegtran.bat itself.
   You can do bulk actions with the batch file for jpeg files that are in some ranges. Search for the jpeg files in the ranges, “Select All”, then Drag & Drop.

Some of the php.net machines have been compromised, really??

Update information      Edit    Edit(Oct.2)

   Just before noon, I noticed I could not reach qa.php.net and the PHP 5.6.1 Zip was withdrawn from the site.

   What happened to the PHP official? After googling on the Internet, I found out the following.

   Is this ShellShock’s side effect? Of course, it’s just my joking. But, what happened really? They withdrew the PHP 5.6.1 Zip, which means the file was affected by something malicious?

   When I install new files, I always check them up carefully. About the PHP 5.6.1 Zip, I did ordinary steps. However, I do check it up again. In my case, I think that is no problem but who can say it is 100% safe?

   They say nothing until now. When do they make the official announcement about it?

Edit(Oct.2):
   Now 2:05pm JST, I found the PHP 5.6.1 Zip had come back. I don’t check the difference between the old and new Zip files. I have to get going, so I’ll check them up later. The official still makes no announcement.