March 2019
M	T	W	T	F	S	S
« Feb
	1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31

Archive for the ‘https’ Category

Tools for TCP tunnels over HTTP/HTTPS

Posted by jpluimers on 2019/01/16

With the advent of WebSockets, it looks like TCP tunnels over HTTP/HTTPS are gaining more ground and I need to put some research time in them.

Some old to new links:

Source: elia/corkscrew: Corkscrew mirror repo. Corkscrew is a tool for tunneling SSH through HTTP proxies. (which requires CONNECT)
- it seems defunct as the domain is for sale: [WayBack] corkscrew
q3k/crowbar: Tunnel TCP over a plain HTTP session (does not require CONNECT: works with GET and POST requests)
jpillora/chisel: A fast TCP tunnel over HTTP

CONNECT requests are not supported by many HTTP proxies, especially in larger organisations, so chisel and crowbar have a much bigger chance there.

And of course there is SoftEtherVPN/SoftEtherVPN: A Free Cross-platform Multi-protocol VPN Software. * For support, troubleshooting and feature requests we have http://www.vpnusers.com/. For critical vulnerability please email us. (mail address is on the header.).

However, that is a VPN solution which is much broader than just a single TCP tunnel. You can so similar things with OpenVPN, but over HTTP/HTTPS, also requires CONNECT:

SoftEtherVPN seems to be more versatile though. I blogged about that before, but back then didn’t have needs for it yet. VPN over HTTPS: Ultimate Powerful VPN Connectivity – SoftEther VPN Project.

–jeroen

via: [WayBack] VPN through only http – Server Fault answer by [WayBack] neutrinus

Posted in Communications Development, Development, HTTP, https, Internet protocol suite, Network-and-equipment, OpenVPN, Power User, TCP, VPN, WebSockets, Windows-Http-Proxy | Leave a Comment »

Use TLS 1.2 or higher, as TLS 1.1 is phased out on many sites, after TLS 1.0/SLL has been disabled by most for a while now

Posted by jpluimers on 2018/07/23

If you get an error like this in one of your tools

OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

it means you are using a tool not yet properly supporting TLS 1.2 or higher.

Or in other words: update your tool set.

The reason is that – after turning off TLS 1.0 a while ago – more and more sites do the same for TLS 1.1.

A prime example of a site that warned on this in a clear way very early on is github:

2017-02-27: [WayBack] Discontinue support for weak cryptographic standards | GitHub Engineering
2018-02-01: [WayBack] Weak cryptographic standards removal notice | GitHub Engineering (including a list of incompatible clients)
2018-02-02: [WayBack] Weak cryptographic standards removal notice | The GitHub Blog
2018-02-23: [WayBack] Weak cryptographic standards removed | The GitHub Blog

Others have done this too, for instance:

TLS 1.0 is vulnerable to many attacks, and certain configurations of TLS 1.1 as well (see for instance [WayBack] What are the main vulnerabilities of TLS v1.1? – Information Security Stack Exchange), which means that properly configuring the non-vulnerable TLS 1.1 over times gets more and more complex. An important reason to say goodbye to that as well, as TLS 1.2 (from 2008) is readily available for a long time. The much more recent TLS 1.3 (from 2018) will take a while to proliferate.

I ran in the above error because on one of my systems, an old version of wget was luring around, so I dug up the easiest place to download recent Windows binaries for both win32 (x86) and win64 (x86_64):

[WayBack] eternallybored.org: GNU Wget for Windows having a table indicating the OpenSSL version for each wget build.

–jeroen

Reference: Transport Layer Security – Wikipedia: History and development

Posted in *nix, https, HTTPS/TLS security, OpenSSL, Power User, Security, wget | Leave a Comment »

Packet Sender is a good tool when debugging protocols: free utility to send & receive network packets. TCP, UDP, SSL

Posted by jpluimers on 2018/03/07

It was fitting to bump into [WayBack] Packet Sender is a good tool when debugging protocols…” Written by Dan Nagle… – Lars Fosdal – Google+ on the day presenting [WayBack] Conferences/Network-Protocol-Security.rst at master · jpluimers/Conferences · GitHub

It also means that libssh2-delphi is getting a bit more love soon and will move to github as well after a conversion from mercurial.

Some of the things I learned or got confirmed teaching the session (I love learning by teaching):

Automate the heck out of your job and new work finds you
There is great integration for [WayBack] Bot Users | Slack which can hugely help you in status monitoring
If you manage many domains, which might be troublesome to the default “certbot client”, so you might want to look into different [WayBack] ACME Client Implementations – Let’s Encrypt – Free SSL/TLS Certificates especially if you run nginx on Alpine Linux (but note you then need [WayBack] license_update.patch\acme-client\community – aports – Main aports tree to avoid [Archive.is] [400] does not match current agreement URL – Help – Let’s Encrypt Community Support)

Here is some more info:

Blurb: “[a] free utility to send & receive network packets. TCP, UDP, SSL.”
[WayBack] Packet Sender – Free utility to for sending / receiving of network packets. TCP, UDP, SSL.
[WayBack] The latest Tweets from Dan Nagle (@NagleCode). Principal SW Engineer @HARMAN_Pro. Speaker. Author packetsender.com, paydowncalc.com, cryptoknife.com, github.com/dannagle . Huntsville, AL,
[WayBack] Packet Sender – Send / Receive TCP / UDP – Android Apps on Google Play
[WayBack] dannagle (Dan Nagle) · GitHub dannagle has 23 repositories available. Follow their code on GitHub.

–jeroen

Read the rest of this entry »

Posted in Communications Development, Delphi, Development, Encryption, HTTP, https, HTTPS/TLS security, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), OpenSSL, Power User, Security, Software Development, TCP, TLS | Leave a Comment »

badssl.com

Posted by jpluimers on 2018/01/11

I wish I had bumped into this when it got released in 2015: [WayBack] badssl.com hosted in the cloud and maintained by two people from Google and Mozilla.

Where ssllabs.com is for checking server-side certificates, this one is for checking clients against many, many (did I already write MANY?) server side configurations both good (with a varying set of security settings like cyphers and key exchanges) and bad.

One of the bad ones is expired.badssl.com which your clients should not be able to connect to without throwing a big error.

Sources are at [WayBack] GitHub – chromium/badssl.com: Memorable site for testing clients against bad SSL configs.

Before using, please read their

Disclaimer

badssl.com is meant for manual testing of security UI in web clients.

Most subdomains are likely to have stable functionality, but anything could change without notice. If you would like a documented guarantee for a particular use case, please file an issue. (Alternatively, you could make a fork and host your own copy.)

badssl.com is not an official Google product. It is offered “AS-IS” and without any warranties.

–jeroen

Posted in Communications Development, Development, HTTP, https, Internet protocol suite, Security, Software Development, TCP, TLS, Web Development | Leave a Comment »

Helft homepaginas van Nederlandse overheidswebsites gebruikt geen https – IT Pro – Nieuws – Tweakers

Posted by jpluimers on 2017/12/15

Still some work to do for some of my sites:

https://www.ssllabs.com/ssltest/

https://securityheaders.io/

https://tls.imirhil.fr/

https://observatory.mozilla.org

–jeroen

[WayBack] Helft homepaginas van Nederlandse overheidswebsites gebruikt geen https – IT Pro – Nieuws – Tweakers

Posted in Communications Development, Development, Encryption, https, Internet protocol suite, Power User, Security, TLS | Leave a Comment »

« Previous Entries

	Peter Wright on 7zip / 7za command-line parame…
	rvelthuis on Link archive: to investigate…
	rvelthuis on Link archive: to investigate…
	rvelthuis on Link archive: to investigate…
	rvelthuis on Smart Pointers code that compi…

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘https’ Category

Tools for TCP tunnels over HTTP/HTTPS

Use TLS 1.2 or higher, as TLS 1.1 is phased out on many sites, after TLS 1.0/SLL has been disabled by most for a while now

Packet Sender is a good tool when debugging protocols: free utility to send & receive network packets. TCP, UDP, SSL

badssl.com

Disclaimer

Helft homepaginas van Nederlandse overheidswebsites gebruikt geen https – IT Pro – Nieuws – Tweakers

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘https’ Category

Tools for TCP tunnels over HTTP/HTTPS

Rate this:

Share this:

Like this:

Use TLS 1.2 or higher, as TLS 1.1 is phased out on many sites, after TLS 1.0/SLL has been disabled by most for a while now

Rate this:

Share this:

Like this:

Packet Sender is a good tool when debugging protocols: free utility to send & receive network packets. TCP, UDP, SSL

Rate this:

Share this:

Like this:

badssl.com

Disclaimer

Rate this:

Share this:

Like this:

Helft homepaginas van Nederlandse overheidswebsites gebruikt geen https – IT Pro – Nieuws – Tweakers

Rate this:

Share this:

Like this: