Hardening TLS webserver to be 100% with internet.nl
Following the SIDN blog posts on implementing SPF, DKIM and DMARC in Postfix and on implementing DANE in Postfix, I got interested in earning a 100% score twice at the testing service internet.nl: the first badge is earned for mail services, the second for web services.
Unfortunately I could not find a guide that implements the IT Security Guidelines for Transport Layer Security (TLS) from the National Cyber Security Centre (NCSC), which rate each setting as Good, Sufficient, Phase out or Insufficient, in Apache HTTPD 2.4, my default webserver of choice.
I went for 'good'-ish instead of 'sufficient', since I can manage the fall-out if stuff breaks in unexpected ways.
Alter the ssl_module settings. I am running FreeBSD www/apache24, so mine are found at /usr/local/etc/apache24/extra/httpd-ssl.conf:

# Cipher preference list (governs TLS 1.2 and below; TLS 1.3 has its own fixed suites)
SSLCipherSuite 'HIGH:-EXP:-LOW:-MEDIUM:-aNULL:-eNULL:-SRP:-PSK:-kDH:-ADH:-AECDH:-kRSA:-DSS:-RC4:-DES:-IDEA:-SEED:-ARIA:-AESCCM8:-3DES:-MD5:-DH'
SSLProxyCipherSuite 'HIGH:-EXP:-LOW:-MEDIUM:-aNULL:-eNULL:-SRP:-PSK:-kDH:-ADH:-AECDH:-kRSA:-DSS:-RC4:-DES:-IDEA:-SEED:-ARIA:-AESCCM8:-3DES:-MD5:-DH'
# Let the server, not the client, choose from the list above
SSLHonorCipherOrder on
# Only TLS 1.2 and TLS 1.3 remain enabled
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLPassPhraseDialog builtin
# Session cache for resumption
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# OCSP stapling, so clients do not have to query the CA themselves
SSLUseStapling On
SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"
SSLStaplingStandardCacheTimeout 3600
SSLStaplingErrorCacheTimeout 600
The 'magic' value given to SSLCipherSuite is an OpenSSL cipher string: OpenSSL expands it into the list of cipher suites that will actually be offered, in order of preference. Each '-' entry removes the matching suites from the list built so far (unlike '!', which deletes them permanently; since nothing is added back afterwards the result here is the same). Always check what the string expands to on the OpenSSL version your server links against, because the contents of keywords such as HIGH change between releases. For example:

openssl ciphers -v 'HIGH:-EXP:-LOW:-MEDIUM:-aNULL:-eNULL:-SRP:-PSK:-kDH:-ADH:-AECDH:-kRSA:-DSS:-RC4:-DES:-IDEA:-SEED:-ARIA:-AESCCM8:-3DES:-MD5:-DH'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1

The three TLS_* entries at the top are the TLS 1.3 suites; openssl ciphers always lists them, and with OpenSSL 1.1.1 and Apache 2.4.36 or later they are configured separately (SSLCipherSuite TLSv1.3 ...), so the string above only orders the TLS 1.2 suites.
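The same expansion can be done from Python, which makes it easy to audit the result instead of eyeballing it. The script below is an added example and not code from the original post: it hands the post's cipher string to the OpenSSL library bundled with Python, reads back the suites OpenSSL actually selected, and flags any suite that breaks the properties the string is meant to enforce (ECDHE key exchange only, RSA or ECDSA authentication only, no MD5, none of RC4/DES/3DES/IDEA/SEED/ARIA). The rule set, the function names and the contrast with OpenSSL's DEFAULT list are this example's own choices, not the internet.nl or NCSC test logic.

```python
"""Expand an OpenSSL cipher string and audit the result.

Added example, not code from the original post. It hands the cipher string
to the OpenSSL library bundled with Python (ssl.SSLContext.set_ciphers),
reads back the suites OpenSSL actually selected, and checks each one for
the properties the post's string is meant to enforce: ECDHE key exchange
only, RSA or ECDSA authentication only, no MD5 MAC and none of RC4, DES,
3DES, IDEA, SEED or ARIA. The rule set, the function names and the
contrast with OpenSSL's DEFAULT list are this example's own choices; they
are not the internet.nl or NCSC test logic.
"""
import ssl

# The SSLCipherSuite value from the post, verbatim.
NCSC_CIPHERS = ("HIGH:-EXP:-LOW:-MEDIUM:-aNULL:-eNULL:-SRP:-PSK:-kDH:-ADH:-AECDH:"
                "-kRSA:-DSS:-RC4:-DES:-IDEA:-SEED:-ARIA:-AESCCM8:-3DES:-MD5:-DH")

# Values as reported by SSLContext.get_ciphers(). The TLS 1.3 suites report
# 'kx-any'/'auth-any' because TLS 1.3 negotiates key exchange separately
# and always uses (EC)DHE.
ALLOWED_KEA = {"kx-ecdhe", "kx-any"}
ALLOWED_AUTH = {"auth-rsa", "auth-ecdsa", "auth-any"}
BANNED_DIGESTS = {"md5"}
BANNED_CIPHER_FRAGMENTS = ("rc4", "des", "idea", "seed", "aria")


def expand(cipher_string):
    """Return the suite dicts OpenSSL selects for cipher_string, in preference order.

    Raises ssl.SSLError when the string matches no cipher at all, which is
    how a typo in the string shows up.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def violations(cipher_string):
    """Suites in the expansion that break a rule, each with the reasons."""
    bad = []
    for suite in expand(cipher_string):
        reasons = []
        if suite["kea"] not in ALLOWED_KEA:
            reasons.append("key exchange %s is not ECDHE" % suite["kea"])
        if suite["auth"] not in ALLOWED_AUTH:
            reasons.append("authentication %s" % suite["auth"])
        if suite["digest"] in BANNED_DIGESTS:
            reasons.append("MAC uses %s" % suite["digest"])
        symmetric = (suite["symmetric"] or "").lower()
        if any(frag in symmetric for frag in BANNED_CIPHER_FRAGMENTS):
            reasons.append("bulk cipher %s" % symmetric)
        if reasons:
            bad.append({"name": suite["name"], "protocol": suite["protocol"],
                        "kea": suite["kea"], "reasons": reasons})
    return bad


def report(cipher_string):
    """One line per selected suite, in the spirit of `openssl ciphers -v`."""
    lines = []
    for s in expand(cipher_string):
        mac = "AEAD" if s["aead"] else s["digest"]
        lines.append("%-30s %-7s Kx=%-8s Au=%-10s Enc=%-18s Mac=%s"
                     % (s["name"], s["protocol"], s["kea"], s["auth"],
                        s["symmetric"], mac))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(NCSC_CIPHERS))
    print("\nSuites OpenSSL's DEFAULT list would offer but the rules reject:")
    for v in violations("DEFAULT"):
        print("  %s (%s): %s" % (v["name"], v["protocol"], "; ".join(v["reasons"])))
```

Run it against the OpenSSL that Apache is actually linked with (the Python from FreeBSD ports uses the same base or ports OpenSSL), since the whole point is that the expansion is version dependent.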
The optional website-hardening features were a bit more troublesome. Read the Mozilla Developer Network (MDN) documentation on Access-Control-Allow-Origin, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy and Referrer-Policy carefully. Content-Security-Policy in particular is troublesome: a policy of default-src 'self' blocks inline scripts, inline styles and inline event handlers unless they are allowed with a nonce or hash (or the policy is weakened with 'unsafe-inline'), which broke some functionality I did not expect.
To enable them, include the snippet below in the VirtualHost entry, or at the root of httpd.conf if you want it enabled globally:

# Make sure headers_module is loaded/enabled
Header always set Access-Control-Allow-Origin "*"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'self'"
Header always set Referrer-Policy "same-origin"

Two things to be aware of with this snippet. Browsers that understand the CSP frame-ancestors directive ignore X-Frame-Options when both are present, so as written same-origin framing is still allowed; use frame-ancestors 'none' if DENY is what you actually want. And Access-Control-Allow-Origin "*" tells every origin that it may read your responses, which is harmless for a purely public site but only needed if you actually serve cross-origin resources.
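To see how a browser would weigh these headers before pointing internet.nl at the server, the following added example (not code from the original post) audits a captured header set offline: it parses the CSP, resolves which of X-Frame-Options and frame-ancestors wins, checks whether inline script is still permitted, and verifies the remaining headers carry a restrictive value. The rules, the function names and the three sample header sets are this example's own; the sample sets are constructed, not captured from a real server.

```python
"""Offline audit of the hardening headers set by the Apache snippet above.

Added example, not code from the original post. It evaluates a set of
response headers the way a browser does: which of X-Frame-Options and CSP
frame-ancestors actually wins, whether the CSP still permits inline
script, and whether the other headers carry a value that restricts
anything. The rules, the function names and the sample header sets are
this example's own; the sample sets are constructed, not captured from a
real server.
"""

RESTRICTIVE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                        "strict-origin-when-cross-origin"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.strip().split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return directives


def script_sources(csp):
    """Effective script-src: explicit directive, else default-src (CSP fallback)."""
    return csp.get("script-src", csp.get("default-src", []))


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        script = script_sources(csp)
        # With a nonce or hash present, CSP2 browsers ignore 'unsafe-inline'
        if "'unsafe-inline'" in script and not any(s.startswith(NONCE_OR_HASH) for s in script):
            findings.append("CSP allows inline script: 'unsafe-inline' without a nonce or hash")
        if "*" in script or "http:" in script:
            findings.append("CSP script sources include a wildcard or plain http:")
        if "frame-ancestors" not in csp:
            findings.append("CSP has no frame-ancestors; framing protection rests on X-Frame-Options alone")
        elif xfo == "DENY" and csp["frame-ancestors"] != ["'none'"]:
            # CSP Level 2: a browser that understands frame-ancestors ignores X-Frame-Options
            findings.append("X-Frame-Options DENY is overridden by frame-ancestors %s"
                            % " ".join(csp["frame-ancestors"]))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() not in RESTRICTIVE_REFERRER:
        findings.append("Referrer-Policy missing or not one of the restrictive values")
    if h.get("access-control-allow-origin", "") == "*":
        findings.append("Access-Control-Allow-Origin * lets any origin read responses; "
                        "only keep it if you serve cross-origin resources")
    return findings


# Constructed sample sets (not captured from a real server).
POST_HEADERS = {                      # what the snippet above sends
    "Access-Control-Allow-Origin": "*",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Referrer-Policy": "same-origin",
}
HARDENED_HEADERS = {                  # same, with both findings addressed
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "same-origin",
}
WEAK_HEADERS = {                      # the tempting quick fix for broken inline scripts
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("post", POST_HEADERS), ("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```

Feed it the headers from curl -sI https://your.site (or from the browser's network tab) to check the live configuration; the WEAK_HEADERS set shows why adding 'unsafe-inline' to get the broken inline scripts working again defeats the point of the policy.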
Restart your Apache HTTPD webserver and get yourself tested at internet.nl.
Foscam VMS not showing device username/password
I changed the username/password of one of my Foscam devices and forgot to write it down. The password was stored in the 'Foscam VMS' application; however, the GUI did not allow me to retrieve it.
Luckily for me the application was written in .NET and was very well debuggable. With tooling like ILSpy and dnSpy, the database turned out to be SQLite, encrypted using Legacy_CryptoAPI, which is deprecated/removed.
I wrote some glue code (see attached) to remove the encryption from the database. The decryption password was stored in plain text in the code.
Next, browsing the database with SQLite Browser, and mission accomplished.
Microsoft Teams meeting without looking at yourself
I find looking at myself when attending an MS Teams call really distracting. It feels like looking in the mirror, only with a very small delay.
Apparently I am not the only one who has to deal with this issue and does not like it.
Turning off the video feature is not the preferred option, since I do think video makes for a better conversation.
The good old solution is a sticky note glued to your screen, covering your self-view. A more elegant digital alternative can be produced by using 'Sticky Notes' together with an open source application called DeskPins.