Categories
Windows

Moving my WordPress to HTTPS for supporting HTTP/2-#1.

同一記事の日本語版
Update information      Edit(Nov.2)  Edit2(Nov.6)  Edit3(2017.Jun.206)

   They released Apache 2.4.17 on Oct 13 and Steffen released the same version at ApacheLounge on Oct 12. The version has mod_http2 for its core module and Steffen’s version was built with nghttp2 v1.3.4. See ChangeLog. So, I can test HTTP/2 on my server now. Yes! Just test. Because they say “This module is experimental.

Categories
Windows

Some customization about Windows10.

同一記事の日本語版
Update information      Edit(Nov.27)  Edit2(2016.Aug.10)  Edit3(2017.Jun.13)

   After installing Windows10, SearchUI.exe accesses the Internet frequently. I find it annoying and don’t need it. I found SearchUI.exe in the folder %windir%SystemAppsMicrosoft.Windows.Cortana_cw5n1h2txyewy. For killing SearchUI.exe, I wanted to change the folder name. So I did the following steps.

Categories
Windows

Memorandum #12.

同一記事の日本語版

   Being too busy with doing Windows10, I forgot to write about it, which is I updated to Apache 2.4.16 on Aug 5. Besides, くりくりさん told me PHP5.6.12 and MariaDB10.0.21, and I found phpMyAdmin4.4.13.1 yesterday, so I updated them all. Now I’ll write about them.

Categories
Windows

Upgrading from Win8.1 Pro to Win10 Pro.

同一記事の日本語版
Update information      Edit(Aug.6)

   Today, I upgraded my NJ2100 OS from Windows8.1 Pro(x86) to Windows10 Pro(x86).

   I used the media creation tool. This time, I selected the option ‘Upgrade this PC now’ and ‘Keep Windows settings, personal files, and apps’. The PC had just 13.2 GB as free spaces on its C drive. But it brought no problems at the upgrade.

Categories
Windows

Have GWX showed up on your PCs yet?

同一記事の日本語版
Update information      Edit(Jun.11)

   Hey guys! Have GWX (Get Windows 10) showed up on your PCs yet? I have a Windows 8.1 Pro PC and two Windows 7 HP PCs. On Win8 I already had GWX. But I have nothing on Win7 PCs.

   Anyway, all I need is to wait July 29. And of course, “To upgrade or not to upgrade, that is the question.” (^_^;)

Edit(Jun.11):
   Yesterday, GWX showed up one of the Win7 PCs after Windows Update, that is a Let’snote ― a Panasonic product and a kind of Toughbook ― as my mobile PC. CF-J10TYAHR.

Categories
Windows

Updating to PHP5.6.7.

同一記事の日本語版
Update information      Edit(Apr.14)

   They released PHP5.6.7 Windows version on Mar-19 23:50:34UTC. It fixes several bugs as well as CVE-2015-0231 (bug #68976), CVE-2015-2305 (bug #69248) and CVE-2015-2331 (bug #69253). The previous version (PHP5.6.5) has a bug fix for CVE-2015-0231, so this bug fix is second time. I wonder if some unfixed issues still remain for this vulnerability. Anyway I updated my PHP from 5.6.6 to 5.6.7 on my Web server (Windows7HP+SP1(x86)).

   By the way, the new version includes some fixes for OPcache. But I have no new report on the page Bug #67937. So, nothing might change about it, but I enabled OPcache on my server again (Mar-29@6:55JST). What results will I have? I feel nervous about it.

   If you need more information for the configuration, see the post “Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows”.

Edit(Apr.14):
   The OPcache on my Windows server has worked well for more than two weeks. I don’t know why. But I am happy!!

Categories
Windows

Updating to PHP5.6.5.

同一記事の日本語版

   They released PHP5.6.5 Windows version on Jan-22 03:24:41UTC. It fixes several bugs as well as CVE-2015-0231 (bug #68710), CVE-2014-9427 (bug #68618) and CVE-2015-0232 (bug #68799).
   I couldn’t find “Fixed bug #68799” on the PHP5.6.5 ChangeLog though it’s on 5.5.21’s. Did they forget to write it? Anyway, I updated my PHP from 5.6.4 to 5.6.5 on my Web server (Windows7HP+SP1(x86)).

   If you need more information for the configuration, see the post “Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows”.

Categories
Windows

A self-sighed certificate with SANs and SHA256 by OpenSSL.

同一記事の日本語版
Update information      Edit(Oct.28)

   When I tested my SSL server by “Qualys SSL Labs – Projects / SSL Server Test” for this dust, the test gave me following Reds and Oranges (^_^;).
 
||Reds||

  1. Trusted : No NOT TRUSTED <<---- Because I use a self-sighed certificate that the Labs doesn't know. So I ignore the message with confidence ha-ha.
  2. IE 6 / XP No FS 1 No SNI 2 : Protocol or cipher suite mismatch : Fail3 <<---- My SSL server user is only me, and I don't use IE 6 / XP. So I ignore the message.
  3. Fail3 They say “Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.” My SSL server doesn’t accept lower protocols, but it’s no problem for me.
  4.    As above I have nothing to be done about Reds.

||Oranges||

  1. Prefix handling : Not valid for “www.o6asan.com” :CONFUSING
  2. Signature algorithm : SHA1withRSA : WEAK
  3. Chain issues : Contains anchor <<---- Ivan Ristić replied about “Chain issues Contains anchor”. So I ignore the message.
  4. Not in trust store <<---- Because I use a self-sighed certificate. So I ignore the message.
  5. Downgrade attack prevention : No, TLS_FALLBACK_SCSV not supported
  6. Forward Secrecy : With some browsers

   As above I have something to be done about 1, 2, 5 and 6. First I handle 5 and 6 because I need to re-create a new certificate for 1 and 2.

  1. I update Apache 2.4.10 (httpd-2.4.10-win32-VC11.zip) to October 20 version. Because it was built with openssl-1.0.1j which supported TLS_FALLBACK_SCSV.
  2. I uncommented SSLHonorCipherOrder on and changed SSLCipherSuite Directive value in the httpd-ssl.conf.
    HIGH:MEDIUM:!aNULL:!MD5

    EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
    EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP
    !PSK !SRP !DSS

       Ref : Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
    ↓ I changed on Dec. 23 because of RC4.
    EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH
    EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

       Ref : RC4 in TLS is Broken: Now What?

    IF your server should support some mobile OS/browser or legacy ones, you need more additional configuration. But the above is enough to my server.
  3. After them the test gives me “Downgrade attack prevention : Yes, TLS_FALLBACK_SCSV supported” and “Forward Secrecy : Yes (with most browsers) ROBUST”.

   Second I handle 1 and 2.
   The 1 is caused by my self-sighed certificate only has o6asan.com as its Common Name. So I have to create a new certificate supporting both o6asan.com and www.o6asan.com. But there is a problem that I want to use only one IP address for my SSL server. Nowadays we have the solution for this issue that is called SNI(Server Name Indication) though all OS/browser haven’t supported it yet. I can use a wildcard certificate or SAN for SNI. I use SANs because I don’t want to allow my SSL server to accept all sub domains though I can restrict them by Apache configuration.
   The 2 is caused by my creation of the certificate by OpenSSL default, which is set to use SHA1. So I’ll use default_md = sha256 for the new certificate.
 On 28th, I re-read Server Name Indication. Is SNI a different story from wildcard certificate / SAN? I don’t understand them still now. Difficult.

   I copy the file openssl.cnf(← this is the default name) from Apche24conf folder to c:openssl-1.0.1x-winxxssl(← this is the default location) and customize like the followings.

    Change values and uncomment a line.

  1. dir = ./demoCA —->> dir = X:/demoCA <<----Need an exact path
  2. default_crl_days = 30 —->> default_crl_days = 365
  3. default_md = default —->> default_md = sha256
  4. default_bits = 1024 —->> default_bits = 2048
  5. # req_extensions = v3_req —->> req_extensions = v3_req
    Adding lines.

  1. subjectAltName = @alt_names to [ v3_req ] area.
  2. [ alt_names ]
    DNS.1 = example.com
    DNS.2 = www.example.com
    to just before [ v3_ca ] area.
     
    You can add your domains, like DNS.1, DNS.2, DNS.3, ….
  3. If you make a client certificate, add the followings to the end of the openssl.cnf.
    [ ssl_client ]
    basicConstraints = CA:FALSE
    nsCertType = client
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth
    nsComment = "OpenSSL Certificate for SSL Client"

   Now I’ll create new certificate. (Ref : WordPress: Administration Over SSL #1)

    ||Create myCA||

  1. Make myCA folder at X:/
  2. Make two folders and a file named private, newcerts and index.txt in the myCA.
  3. Run cmd.exe as Administrator
    pushd X:myCA
    echo 01 > serial
    openssl req -new -keyout privatecakey.pem -out careq.pem
    openssl ca -selfsign -in careq.pem -extensions v3_ca -out cacert.pem
    copy cacert.pem (Drive_SV):Apache24confssl.crt
    copy cacert.pem my_ca.crt

      Note) (Drive_SV) is a partition for server components on my home server PC.
    ||Create Server Cert||

  1. pushd X:myCA
    openssl genrsa -out server.key 2048
    openssl req -new -out server.csr -key server.key
  2. Check multiple SANs in the CSR (Can you see ‘Subject Alternative Name’ area in it?)
    openssl req -text -noout -in server.csr
  3. openssl ca -in server.csr -out server.crt -extensions v3_req
    copy server.key cp_server.key
    openssl rsa <cp_server.key> server.key
    copy server.key (Drive_SV):Apache24conf
    copy server.crt (Drive_SV):Apache24conf
    ||Create Client Cert||

  1. pushd X:myCA
    openssl req -new -keyout client.key -out client.csr
    openssl ca -policy policy_anything -extensions ssl_client -in client.csr -out client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key -out clientcert.p12

References about SANs : FAQ/subjectAltName (SAN), Multiple Names on One Certificate.

   I have a self-sighed certificate with SANs and SHA256 now. Mission complete!!

Categories
Windows

Memorandum #7.

同一記事の日本語版
Update information      Edit(Oct.18)

   Did you already handle “POODLE” issue, i.e. CVE-2014-3566? OpenSSL Security Advisory [15 Oct 2014] is also related to this.

   First, as a web site operator:
   I haven’t got the new version build with 1.0.1j from Apache Lounge yet, so I’ve done the workaround I read on “SSL v3 goes to the dogs – POODLE kills off protocol”.

   I added the SSLProtocol All -SSLv3 to my httpd-ssl.conf and restarted the httpd.exe. Before this, SSL Server Test gave me “This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C”. But after this, it gave me “This server is not vulnerable to the POODLE attack because it doesn’t support SSL 3”. Actually, I use Apache 2.4 and OpenSSL 1.0.1, so at my mod_ssl ‘SSLProtocol all’ means ‘SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2’ according to SSLProtocol Directive.

   Second, as a user:
   I did the following workaround. See “How to protect your browser”.

Edit(Oct.18):
PHP 5.6.1 —>> PHP 5.6.2 ChangeLog.
phpMyAdmin 4.2.9.1 —>> phpMyAdmin 4.2.10 ChangeLog.

Categories
Windows

A batch file of jpegtran for overwriting on Windows.

同一記事の日本語版
Update information      Edit(2016.Oct.29)

   When I use jpegtran on Windows, it’s very inconvenient. So I made a batch file for myself, which overwrites the original jpeg file with the new optimize jpeg file.
@echo off
setlocal enabledelayedexpansion
pushd %~dp0
for %%a in (%*) do (
set OutFile=%%~na%%~xa
jpegtran -copy none -optimize -outfile !OutFile! %%a
for %%b in (!OutFile!) do set fileSize=%%~zb
if !fileSize! LSS %%~za (copy !OutFile! %%a>nul)
del !OutFile!
)
popd
exit
   Bacicaly, the batch file replaces original jpeg files with new ones, but it leaves original files instead new ones when the new file is bigger than the original. This sometimes occurs if the original was created by some graphics editors. Around 100 files possible at one time. This maybe depends on cmd.exe ability itself, I think.

   How to use the batch file:

  1. Copy & paste the above codes to a text editor, and save it as a batch file named ‘jpegtran.bat’ or something. You can have ‘jpegtran.txt’ from here. Change its extension from txt to bat.
  2. Copy the batch file and jpegtran.exe to the same folder.
  3. Drag & Drop the jpeg files you want to optimize onto the batch icon.
  4. That’s it.

   If you use the batch file, please remember the followings. This batch file makes overwriting, so it leaves no original files.

   I optimized all jpeg files in my sites. Now, I have no suggestion about jpeg files from PageSpeed Insights. Clap, clap.

References:
   1. List of DOS commands (Japanese)
   2. Jpegtran’s help

Edit(2016.Oct.29):
   This post has a few visitors. So, I added some though I wrote this long before 😋.

   You can place the folder (in which, jpegtran.exe and jpegtran.bat) anywhere in your PC. For your convenience, you should create a shortcut of jpegtran.bat on your Desktop. The shortcut ability equals jpegtran.bat itself.
   You can do bulk actions for jpeg files are in some ranges by the batch file. Search jpeg files for the ranges and “Select All” then Drag&Drop.