The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,854 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

openssl: checking out RSA private key files in .rsa and .pem format

Posted by jpluimers on 2019/03/19

While checking out an issue with the SSH server for ContinuaCI issue (see info below), I wanted to look at the files leading to the issue: .pem and .rsa files with the private key for the SSH server.

So I browsed through my series of openssl related articles to see if I already had made a script better explaining the cryptic openssl command-line parameters. I didn’t have it yet, but it turned out to be really simple:

C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.rsa
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.rsa -text
Private-Key: (1024 bit)
modulus:
    ..:..:..:.....
publicExponent: 35 (0x23)
privateExponent:
    ..:..:..:.....
prime1:
    ..:..:..:.....
prime2:
    ..:..:..:.....
exponent1:
    ..:..:..:.....
exponent2:
    ..:..:..:.....
coefficient:
    ..:..:..:.....
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.pem
Enter pass phrase for server_keypair.pem:
unable to load Private Key
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
2675996:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
2675996:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
2675996:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.pem -passin pass:password
unable to load Private Key
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
2675996:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
2675996:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
2675996:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:

The command-lines use the [WayBack]rsa tool with:

  • the -in parameter
  • (for the first file) the -text parameter to dump it into human readable form
  • (for the second file) the -passin parameter with a [WayBackpass phrase argument pass:password.

The server_keypair.pem file (having the header -----BEGIN ENCRYPTED PRIVATE KEY----- and footer -----END ENCRYPTED PRIVATE KEY-----) was a password protected RSA private key where somehow ContinuaCI had the wrong password for.

I’m not sure it’s a good idea that the server_keypair.pem file has not password at all.

Read the rest of this entry »

Posted in Continua CI, Continuous Integration, Development, OpenSSL, Power User, Security, Software Development | Leave a Comment »

{Updated} Linux server security checklist. #sysadmin 

Posted by jpluimers on 2019/03/11

Most tips are OK, but:

  1. for password related policies, please read these:
  2. If you do DNS, implement DNSSEC
  3. I think ipv6 is OK, but like ipv4 needs to be firewalled
  4. Be really careful with fail2ban and similar tools: they are easy ways to lock yourself out as well, for instance by someone doing a nice (D)DoS on you.

Tips: [WayBack40 Linux Server Hardening Security Tips [2017 edition] – nixCraft

Via:

–jeroen

Posted in *nix, *nix-tools, Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Installing Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

Posted by jpluimers on 2019/03/06

If I ever need to get LetsEncrypt to work with CloudFlare, then I need to read [WayBackInstalling Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

The steps there should save me hours.

Via [WayBcack] Free Let’s Encrypt SSL/TLS certificates are even easier to install than self-signed certificates. I could do so in 2 minutes in my +Linode … – Jean-Luc Aufranc – Google+.

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Calls from +18553308653 might be because someone is trying to use your phone number to setup a Microsoft account two factor authentication

Posted by jpluimers on 2019/02/18

Got some calls to my phone numbers in The Netherlands from +18553308653 that I did not ask for. The below searches revealed it is likely someone trying to use those to setup Two Factor Authentication.

It was not my live account, as that was already covered by the Microsoft Authenticator app (you can set up your phone number through account.live.com/names/Manage and authentication through account.microsoft.com/security, see steps at [WayBack] Microsoft – Authy).

Read the rest of this entry »

Posted in Authentication, Power User, Security | Leave a Comment »

Google’s Phishing Quiz shows why Google AMP (Accelerated Mobile Pages) is a bad idea

Posted by jpluimers on 2019/01/25

This week, Google introduced the [WayBack] Phishing Quiz, a series of questions to see how good you spot phishing emails.

It is a perfect example on why Google AMP is a bad idea: it makes it easier to write phishing mail targeting Google users.

One of the questions is about a password change email seemingly from Google with a link by Google.

The link is really deceptive, as it:

  1. uses Google AMP (Accelerated Mobile Pages) which are hosted directly through a root path on the Google main domain: the URL starts with https://google.com/amp
  2. Especially on mobile, Google accelerates a lot of things through Google AMP, so a link on mobile that looks like this might be legit

This will deceive a lot of people as they are trained to look at the main domain to assess authenticity: google.com

That combined with an email domain that also looks being from Google (with so many real word top-level domains, many would not be surprised getting email from no-reply@google.support)

Just look at the below screenshot to see how deceptively this trick is.

Solution

Read the rest of this entry »

Posted in Google, LifeHacker, Power User, Security | Leave a Comment »

Don’t forget your padding… playing with the APK format of a sample “Hello world” Android app

Posted by jpluimers on 2019/01/23

Don’t forget your padding: Hello,I’m playing with the APK format of a sample “Hello world” Android application.my (first) goal is to be able to rebuild an APK from a unzipped one… – Paul TOTH – Google+

References: RSA Algorithm

–jeroen

Posted in Android, Development, Encryption, Mobile Development, Power User, Security, Software Development | Leave a Comment »

Tools for TCP tunnels over HTTP/HTTPS

Posted by jpluimers on 2019/01/16

With the advent of WebSockets, it looks like TCP tunnels over HTTP/HTTPS are gaining more ground and I need to put some research time in them.

Some old to new links:

CONNECT requests are not supported by many HTTP proxies, especially in larger organisations, so chisel and crowbar have a much bigger chance there.

And of course there is SoftEtherVPN/SoftEtherVPN: A Free Cross-platform Multi-protocol VPN Software. * For support, troubleshooting and feature requests we have http://www.vpnusers.com/. For critical vulnerability please email us. (mail address is on the header.).

However, that is a VPN solution which is much broader than just a single TCP tunnel. You can so similar things with OpenVPN, but over HTTP/HTTPS, also requires CONNECT:

SoftEtherVPN seems to be more versatile though. I blogged about that before, but back then didn’t have needs for it yet. VPN over HTTPS: Ultimate Powerful VPN Connectivity – SoftEther VPN Project.

–jeroen

via: [WayBackVPN through only http – Server Fault answer by [WayBack] neutrinus

Posted in Communications Development, Development, HTTP, https, Internet protocol suite, Network-and-equipment, OpenVPN, Power User, TCP, VPN, WebSockets, Windows-Http-Proxy | Leave a Comment »

Top 25 Most Dangerous Programming Mistakes

Posted by jpluimers on 2019/01/15

10 years after the publication of the [WayBack] Top 25 Most Dangerous Programming Mistakes, the list for me is still the same.

You can see this from the CWE/SANS revisions: 1.0 in 2009 until 1.0.3 in 2011: not much changed.

Via: [WayBack] Top 25 Most Dangerous Programming Mistakes (2009) – Lars Fosdal – Google+

–jeroen

Posted in Development, Power User, Security, Software Development | Leave a Comment »

oath-toolkit / oath-toolkit · GitLab

Posted by jpluimers on 2019/01/15

Interesting library with ditto command-line tools: [Wayback/Archive] oath-toolkit / oath-toolkit · GitLab.

It allows you to perform all sorts of OAUTH operations from your code or terminal window including generation and verification of OAUTH tokens through [WayBackOATHTOOL.

Which allows you to do TOTP “zero fucktor” authentication. [WayBack/Archive] Zero Fucktor Authentication – Kristian Köhntopp – Google+: [WayBackZero Factor Authentication – The Isoblog.

The project has it’s home at [WayBackOATH Toolkit, but the repository has done some traveling and for now ended up at GitLab: [Wayback/Archiveoath-toolkit / oath-toolkit together with the web-site source [Wayback/Archive] oath-toolkit / website.

Edit 20230917

Read the rest of this entry »

Posted in Development, Power User, Security, Software Development | Leave a Comment »

If parts of your letsencrypt renewals succeed and others give you “urn:acme:error:connection” then just retry

Posted by jpluimers on 2018/12/10

On the same server, part of my letsencrypt renewals worked fine, while others had an error like this:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/spring4d.4delphi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for spring4d.4delphi.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/spring4d.4delphi.com.conf produced an unexpected error: Failed authorization procedure. spring4d.4delphi.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
...
 - The following errors were reported by the server:

   Domain: spring4d.4delphi.com
   Type:   connection
   Detail: Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

A retry worked fine:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/spring4d.4delphi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for spring4d.4delphi.com
Waiting for verification...
Cleaning up challenges
...
The following certs were successfully renewed:
  /etc/letsencrypt/live/spring4d.4delphi.com/fullchain.pem (success)

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

« Previous Entries
Next Entries »