TLS: Difference between revisions

(8 intermediate revisions by one other user not shown)

Line 7:

Instantly check your site's security grade at https://www.ssllabs.com/ssltest/analyze.html (you can also append the domain name like so: ?d=equality-tech.com)

== ~~Upgraded Security~~ ==

=== Checking Ciphers ===

~~We used~~ to ~~run certificates~~ from ~~StartSSL because they offer free one~~-~~year certificates~~. ~~However~~, ~~today we upgraded to using 'LetsEncrypt'~~ and ~~our certificates~~ are ~~both~~ more ~~secure~~ and ~~easier to manage~~. ~~Instead~~ of a ~~"B" grade~~, ~~we now have~~ "A" ~~grade security~~.

You can use nmap to port scan a host (Do NOT do this on hosts you don't control... it's like poking a hornets nest, you're not sure what's going to happen next but it could be bad). Use this particular invocation to show the SSL ciphers in use on your host. The description below is from <code>/usr/share/nmap/scripts/ssl-enum-ciphers.nse</code>)

[[~~File:AGrade.png|left|500px~~]] ~~[[File:BGrade~~.~~png|right|500px]]~~

This script repeatedly initiates SSL/TLS connections, each time trying a new

cipher or compressor while recording whether a host accepts or rejects it. The

end result is a list of all the ciphers and compressors that a server accepts.

Each cipher is shown with a strength rating: one of <code>strong</code>,

<code>weak</code>, or <code>unknown strength</code>. The output line

beginning with <code>Least strength</code> shows the strength of the

weakest cipher offered. If you are auditing for weak ciphers, you would

want to look more closely at any port where <code>Least strength</code>

is not <code>strong</code>. The cipher strength database is in the file

<code>nselib/data/ssl-ciphers</code>, or you can use a different file

through the script argument

<code>ssl-enum-ciphers.rankedcipherlist</code>.

SSLv3/TLSv1 requires more effort to determine which ciphers and compression

methods a server supports than SSLv2. A client lists the ciphers and compressors

that it is capable of supporting, and the server will respond with a single

cipher and compressor chosen, or a rejection notice.

This script is intrusive since it must initiate many connections to a server,

and therefore is quite noisy.

nmap --script +ssl-enum-ciphers example.com

</syntaxhighlight>

Using [[Certbot]], you can manage your certificates.

== Resources ==

# [[wp:Transport Layer Security|Transport Layer Security]]

~~# https://letsencrypt.org/getinvolved/ Get Involved with Lets Encrypt~~

~~## https://letsencrypt.org/getting-started/ Getting Started~~

~~## https://github.com/letsencrypt/letsencrypt Code on GitHub~~

~~## https://letsencrypt.readthedocs.org/en/latest/ Docs~~

# https://wiki.mozilla.org/Security/Server_Side_TLS

# https://security.stackexchange.com/

# [https://httpd.apache.org/docs/2.4/ssl/ Apache docs]

# [https://help.ubuntu.com/lts/serverguide/certificates-and-security.html Ubuntu Server Guide - Certificates and Security]

# [https://tls.ulfheim.net/ TLS illustrated]

[[Category:Security]]

[[Category:System Administration]]

@@ Line 7: / Line 7: @@
 Instantly check your site's security grade at https://www.ssllabs.com/ssltest/analyze.html (you can also append the domain name like so: ?d=equality-tech.com)
-== Upgraded Security ==
+=== Checking Ciphers ===
-We used to run certificates from StartSSL because they offer free one-year certificates.  However, today we upgraded to using 'LetsEncrypt' and our certificates are both more secure and easier to manage.  Instead of a "B" grade, we now have "A" grade security.
+You can use nmap to port scan a host (Do NOT do this on hosts you don't control... it's like poking a hornets nest, you're not sure what's going to happen next but it could be bad). Use this particular invocation to show the SSL ciphers in use on your host.  The description below is from <code>/usr/share/nmap/scripts/ssl-enum-ciphers.nse</code>)
-[[File:AGrade.png|left|500px]] [[File:BGrade.png|right|500px]]
+This script repeatedly initiates SSL/TLS connections, each time trying a new
+cipher or compressor while recording whether a host accepts or rejects it. The
+end result is a list of all the ciphers and compressors that a server accepts.
+Each cipher is shown with a strength rating: one of <code>strong</code>,
+<code>weak</code>, or <code>unknown strength</code>. The output line
+beginning with <code>Least strength</code> shows the strength of the
+weakest cipher offered. If you are auditing for weak ciphers, you would
+want to look more closely at any port where <code>Least strength</code>
+is not <code>strong</code>. The cipher strength database is in the file
+<code>nselib/data/ssl-ciphers</code>, or you can use a different file
+through the script argument
+<code>ssl-enum-ciphers.rankedcipherlist</code>.
+SSLv3/TLSv1 requires more effort to determine which ciphers and compression
+methods a server supports than SSLv2. A client lists the ciphers and compressors
+that it is capable of supporting, and the server will respond with a single
+cipher and compressor chosen, or a rejection notice.
+This script is intrusive since it must initiate many connections to a server,
+and therefore is quite noisy.
+<syntaxhighlight lang="bash">
+nmap --script +ssl-enum-ciphers example.com
+</syntaxhighlight>
+Using [[Certbot]], you can manage your certificates.
 == Resources ==
 # [[wp:Transport Layer Security|Transport Layer Security]]
-# https://letsencrypt.org/getinvolved/ Get Involved with Lets Encrypt
-## https://letsencrypt.org/getting-started/ Getting Started
-## https://github.com/letsencrypt/letsencrypt Code on GitHub
-## https://letsencrypt.readthedocs.org/en/latest/ Docs
 # https://wiki.mozilla.org/Security/Server_Side_TLS
 # https://security.stackexchange.com/
 # [https://httpd.apache.org/docs/2.4/ssl/ Apache docs]
+# [https://help.ubuntu.com/lts/serverguide/certificates-and-security.html Ubuntu Server Guide - Certificates and Security]
+# [https://tls.ulfheim.net/ TLS illustrated]
 [[Category:Security]]
 [[Category:System Administration]]