- Open Event View with eventvwr.exe
- Open Applications and Services Logs\Microsoft\Windows\CAPI2 directory
- Right Click on CAPI2 and Enable Log
I'm dedicated agile security architect/system architect/developer with specialty of open source framework.
August 30, 2016
Troubleshoot PKI and SSL Certificate Issues in Windows
August 24, 2016
How To List Certificates on Smart Card with KeyTool on Windows with SunMSCAPI
You can list your private certifacates on Windows with SunMSCAPI.
keytool.exe -list -keystore NONE -storetype Windows-MY -providerClass sun.security.mscapi.SunMSCAPI -v
And to list trusted CA certs.
keytool.exe -list -keystore NONE -storetype Windows-ROOT -providerClass sun.security.mscapi.SunMSCAPI -v
How To List Certificates on Smart Card with KeyTool
You can list your certificates on smart card with keytool and PKCS11
$ keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /foo/bar/token.config -v
And in token.config you specify you PKCS#11 implementation.
name = FooAccelerator
library = /opt/foo/lib/libpkcs11.so
On Windows it will be a DLL.
Se also http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html
August 17, 2016
View Certificate in Windows
For more information see https://msdn.microsoft.com/en-us/library/e78byta0(v=vs.110).aspx.
August 15, 2016
Introduction to firewalld in RHEL 7
Overview
firewall-cmd
Everything in firewalld are organized in zones.
--list-all-zones | List everything for every zones. | --get-active-zones | Print currently active zones altogether with interfaces and sources used in these zones. |
--get-default-zone | Print default zone for connections and interfaces. |
--set-default-zone=<ZONE> | Set default zone for connections and interfaces. |
--add-source= |
Bind source to zone. |
--remove-source= |
Unbind source to zone. |
--add-interface= |
Bind interface to zone. |
--change-interface= |
Bind interface to different zone. |
Comments for zones from RHEL 7 Security Guide Using Firewalls.
public | For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted. |
external | For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted. |
dmz | For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted. |
work | For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. |
home | For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. |
internal | For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted. |
trusted | All network connections are accepted. |
Below are commands to alter firewall. All command are only added in runtime and first adding options --permanent while it be written to disk and made permanent.
--get-services | List all predefined services. |
--add-service= |
Open/allow traffic to service. |
--remove-service= |
Remove/deny traffic to serice |
--add-port= |
Open/allow traffic on port and protocol. |
--remove-port= |
Remove/deny on port and protocol. |
--reload | Reload persistent rules from /usr/lib/firewalld/ and /etc/firewalld/. |
Examples
firewall-cmd --set-default-zone=dmz
firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24
firewall-cmd --permanent --zone=internal --add-service=mysql
firewall-cmd --reload
August 12, 2016
August 11, 2016
Web Browser Error Weak Ephemeral Diffie-Hellman Key
If you receive error message in Firefox:
"SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem."
You first want to patch this server for logjam TLS vulnerabilities (CVE-2015-4000) and if it is a Java based container you also want to set -Djdk.tls.ephemeralDHKeySize=2048.