August 30, 2016

Troubleshoot PKI and SSL Certificate Issues in Windows

With Windows Event Viewer you can get valuable information for PKI and SSL problems.

  1. Open Event Viewer with eventvwr.exe
  2. Navigate to Applications and Services Logs\Microsoft\Windows\CAPI2
  3. Right-click on CAPI2 and choose Enable Log
The log is now active and CAPI2 events (certificate chain building, revocation checks, TLS handshake failures) will start to be recorded.

August 24, 2016

How To List Certificates on Smart Card with KeyTool on Windows with SunMSCAPI

You can list your personal certificates (the Windows-MY store, i.e. certificates with private keys) on Windows with SunMSCAPI.

keytool.exe -list -keystore NONE -storetype Windows-MY -providerClass sun.security.mscapi.SunMSCAPI -v

And to list the trusted root CA certificates (the Windows-ROOT store):

keytool.exe -list -keystore NONE -storetype Windows-ROOT -providerClass sun.security.mscapi.SunMSCAPI -v

How To List Certificates on Smart Card with KeyTool

You can list the certificates on a smart card with keytool and the SunPKCS11 provider:

$ keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /foo/bar/token.config -v

And in token.config you specify your PKCS#11 implementation:

name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so

On Windows the library will be a DLL.

See also http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

August 17, 2016

View Certificate in Windows

Open Windows Run and enter certmgr.msc.

For more information see https://msdn.microsoft.com/en-us/library/e78byta0(v=vs.110).aspx.

August 15, 2016

Introduction to firewalld in RHEL 7

Overview

Figure: The Firewall Stack (from https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html)

firewall-cmd

Everything in firewalld is organized in zones.

--list-all-zones List everything for every zone.
--get-active-zones Print the currently active zones together with the interfaces and sources bound to them.
--get-default-zone Print the default zone for connections and interfaces.
--set-default-zone=<ZONE> Set the default zone for connections and interfaces.
--add-source= [--zone=<ZONE>] Bind a source (IP address or network) to a zone.
--remove-source= [--zone=<ZONE>] Unbind a source from a zone.
--add-interface= [--zone=<ZONE>] Bind an interface to a zone.
--change-interface= [--zone=<ZONE>] Move an interface to a different zone.

Zone descriptions from the RHEL 7 Security Guide, Using Firewalls:

public For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted All network connections are accepted.

Below are the commands that alter the firewall. By default a command changes only the runtime configuration; add the --permanent option to have the change written to disk and made permanent (a permanent change takes effect in the running firewall only after --reload).

--get-services List all predefined services.
--add-service= [--zone=<ZONE>] Open/allow traffic to a service.
--remove-service= [--zone=<ZONE>] Remove/deny traffic to a service.
--add-port= [--zone=<ZONE>] Open/allow traffic on a port and protocol.
--remove-port= [--zone=<ZONE>] Remove/deny traffic on a port and protocol.
--reload Reload the persistent rules from /usr/lib/firewalld/ and /etc/firewalld/.

Examples

firewall-cmd --set-default-zone=dmz
firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24
firewall-cmd --permanent --zone=internal --add-service=mysql
firewall-cmd --reload
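A common mistake with the commands above is to forget the final --reload (so the --permanent rules never become active) or to forget --permanent (so a runtime rule disappears at the next reload). The script below is an added example, not part of the original post: it compares a zone's runtime and permanent configuration field by field and reports drift. The zone name, interface and the sample firewall-cmd output are constructed for the example.

```shell
# Added example (not part of the original post): compare a firewalld zone's runtime
# configuration with its permanent (on-disk) one and report every field that differs.
# Drift means a --permanent change never followed by --reload, or a runtime-only
# change that the next --reload will silently undo.

# Extract one field (services, sources, ...) from `firewall-cmd --list-all` output
# as a sorted, space-separated word list ("" when the field is empty).
zone_field() {  # zone_field "<list-all output>" <field>
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; print }' \
        | tr -s ' \t' '\n' | grep -v '^$' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Print one line per differing field; return 1 on drift, 0 when identical.
zone_drift() {  # zone_drift "<runtime output>" "<permanent output>"
    local rc=0 field rt pm
    for field in interfaces sources services ports masquerade; do
        rt=$(zone_field "$1" "$field")
        pm=$(zone_field "$2" "$field")
        if [ "$rt" != "$pm" ]; then
            printf '%s: runtime=[%s] permanent=[%s]\n' "$field" "$rt" "$pm"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples shaped like `firewall-cmd --zone=internal --list-all`, taken
# after the --permanent commands above were run but before --reload.
RUNTIME_SAMPLE='internal (active)
  interfaces: eth1
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  masquerade: no'
PERMANENT_SAMPLE='internal
  interfaces: eth1
  sources: 192.168.0.0/24
  services: ssh mdns samba-client dhcpv6-client mysql
  ports:
  masquerade: no'

# On a host with a running firewalld compare the live zone; elsewhere use the samples.
if firewall-cmd --state >/dev/null 2>&1; then
    runtime=$(firewall-cmd --zone="${1:-internal}" --list-all)
    permanent=$(firewall-cmd --permanent --zone="${1:-internal}" --list-all)
else
    runtime=$RUNTIME_SAMPLE; permanent=$PERMANENT_SAMPLE
fi
if zone_drift "$runtime" "$permanent"; then echo "no drift"; else echo "fix: firewall-cmd --reload"; fi
```

With the samples the script reports drift in sources and services, which is exactly the state of a host where the two --permanent commands were run but --reload was not.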

August 11, 2016

Web Browser Error Weak Ephemeral Diffie-Hellman Key

If you receive this error message in Firefox:

"SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem."

You first want to patch the server for the Logjam TLS vulnerability (CVE-2015-4000), and if it is a Java-based container you also want to set -Djdk.tls.ephemeralDHKeySize=2048 so the server no longer offers a weak (short) ephemeral DH group.

See also https://access.redhat.com/solutions/1498223