My Web server supports TLSv1.3 now.

   Apache 2.4.37 from Apache Lounge supported TLSv1.3, so I enabled TLSv1.3 on my Web server which runs on Windows7 HP SP1 32-bit. I only changed from SSLProtocol -all +TLSv1.2 to SSLProtocol -all +TLSv1.2 +TLSv1.3. I did nothing about the SSLCipherSuite directive because the SSL_CTX_set_cipher_list page says ‘An empty list is permissible’.
The default value for this setting is: “TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256”

   Here are the results of the SSL Labs Server Test, before and after.

From dehydrate to mod_md, Let’s Encrypt Tool.

Update information      Edit(Nov.16)  Edit2(Nov.30)

   Early this morning, I changed Let’s Encrypt Tool from dehydrated to mod_md. On August 17, Steffen announced “mod_md is available for 2.4.27 VC15”. I did nothing about it though I became curious, because I was busy and I already used ‘dehydrated’. But the day before yesterday, I found “ACME Support in Apache HTTP Server Project”. So I decided to use ‘mod_md’ yesterday.

Doing CHACHA and Brotli with Apache 2.4 on Windows.

Update information      Edit(May 2)

   Last October, I wrote “CHACHA20 Apache official version already supports but Apache Lounge version 2.4.23, which is my server current version, hasn’t yet”. On April 19, Steffen announced Apache 2.4.26-Dev available with OpenSSL 1.1.0e VC14. So, we can use CHACHA20_POLY1305 in the Windows version of Apache now. To enable the cipher, you need to add the CHACHA20-POLY1305 cipher suites to the SSLCipherSuite directive in httpd-ssl.conf and restart Apache.

I’ve updated to phpMyAdmin4.6.6.

   I’ve updated to phpMyAdmin4.6.6. After that, the new version gave me “OpenSSL error: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length” at HOME when I logged in.
   This may be because of this 👉 $cfg['Servers'][$i]['ssl_verify'].

   The page says “Disabling the certificate verification defeats purpose of using SSL. This will make the connection vulnerable to man in the middle attacks.”, but my SQL server and phpMyAdmin don’t accept access from outside the NAT router and the only user is me. So, as a temporary workaround, I added the following line to my config.inc.php.

$cfg['Servers'][$i]['ssl_verify'] = false;

Letsencrypt.sh on Windows-#4.

[2017.Oct.20]    We can use mod_md in the ApacheLounge 2.4.x version now, so I changed my certs updating tool from dehydrated (formerly Letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
   On October 7, when I tested my site with SSL Server Test, I found ‘OCSP Must Staple Not Supported’ on it. So, I re-checked the old test report and also saw ‘OCSP Must Staple Not Supported’ there. I talked about this with くりくりさん in the comments of my Japanese blog. We also talked about Extended Validation (EV), CHACHA20, and Certificate Transparency (CT). But these three are not available for my server now. EV is expensive. CHACHA20 Apache official version already supports but Apache Lounge version 2.4.23, which is my server current version, hasn’t yet. If I want to use it, I need to build the supported version by myself. This is difficult for me. Apache hasn’t supported CT yet.
   However, I changed several things about my server TLS environment.

Letsencrypt.sh on Windows-#3.

Update information      Edit(Oct.26)

[2017.Oct.20]    We can use mod_md in the ApacheLounge 2.4.x version now, so I changed my certs updating tool from dehydrated (formerly Letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
[Oct.26]    As I use Elliptic curve Diffie–Hellman (ECDH) for kx now, I posted a new article. ☞“Letsencrypt.sh on Windows-#4”
========================================================
   On September 17, I got the first success of the renewal of Let’s Encrypt Certificates. The script and my batch made it at the daily task. I found the file differences in my Certs folder on the server like this ☟.


Letsencrypt.sh on Windows-#2.

Update information      Edit(Sep.19)  Edit2(Oct.26)

[2017.Oct.20]    We can use mod_md in the ApacheLounge 2.4.x version now, so I changed my certs updating tool from dehydrated (formerly Letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
[Oct.26]    As I use Elliptic curve Diffie–Hellman (ECDH) for kx now, I posted a new article. ☞“Letsencrypt.sh on Windows-#4”
========================================================
[Sep.19]    As I succeeded in the first automatic renewal of the Let’s Encrypt certs, I posted a new article. ☞“Letsencrypt.sh on Windows-#3”
   By the way, they renamed the project from letsencrypt.sh to dehydrated. So you can find the project at https://github.com/lukas2511/dehydrated/releases. Therefore, read letsencrypt.sh as dehydrated in my article.
========================================================
   Continued from my last post.
   Now, I’ll write how to renew certs automatically with Letsencrypt.sh. I once made a batch file which didn’t work well because of a letsencrypt-win-simple limitation. But the part which was not related to letsencrypt-win-simple worked well.

Letsencrypt.sh on Windows-#1.

Update information      Edit(Sep.19)  Edit2(Oct.26)  Edit3(2017.Jul.9)

[2017.Oct.20]    We can use mod_md in the ApacheLounge 2.4.x version now, so I changed my certs updating tool from dehydrated (formerly Letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
[Oct.26]    As I use Elliptic curve Diffie–Hellman (ECDH) for kx now, I posted a new article. ☞“Letsencrypt.sh on Windows-#4”
========================================================
[Sep.19]    As I succeeded in the first automatic renewal of the Let’s Encrypt certs, I posted a new article. ☞“Letsencrypt.sh on Windows-#3”
   By the way, they renamed the project from letsencrypt.sh to dehydrated. So you can find the project at https://github.com/lukas2511/dehydrated/releases. Therefore, read letsencrypt.sh as dehydrated in my article.
========================================================
   As I wrote, the script letsencrypt-win-simple still doesn’t support the renewal of certificates on the Windows version of Apache, and the official client, that is, certbot, also doesn’t support Apache on Windows OS. So, I think I’ll use another script named letsencrypt.sh.

Let’s Encrypt new certs compatible with Windows XP.

   They announced Let’s Encrypt certs issued after 1pm Pacific today are compatible with Windows XP. The longer explanation is here. But even after reading it, I have why. On its replies, there are a lot of pros and cons.