
This is called FTPS = FTP + SSL.

There is another term, SFTP = SSH + FTP, which means using SSH as the FTP transport; the name differs from FTPS and so does the protocol it runs over.

What the two have in common is that the transfer is encrypted.

Check whether proftpd supports SSL. If it does not, install it (omitted).

# proftpd -l

Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_codeconv.c
  mod_auth_pam.c
  mod_ratio.c
  mod_readme.c


Tags: proftpd ssl ftp ftps

How to check whether SSL renegotiation is supported

How to check whether a server's SSL supports renegotiation
Enter the following; it connects to ssorc.tw on port 443
openssl s_client -connect ssorc.tw:443
(omitted)
(# enter the following two lines)
HEAD / HTTP/1.0
(# R requests a renegotiation)
R
RENEGOTIATING
5115:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

If an error appears and the session exits, renegotiation is not supported.


The weakness of SSL: SSL renegotiation

http://www.isecutech.com.tw/article/article_detail.aspx?tv=71&aid=6448

Author: 張維君 - 10/31/2011
Many netizens think that as long as a website has SSL encryption and the address starts with https, they can safely enter personal data and shop with confidence. In reality, this idea is probably only half right. Security researchers point out that for the past three years, the security concerns about the SSL protocol have gone unresolved. To make certificate vendors take the problem seriously, the German hacker group The Hacker's Choice recently released an attack tool that exploits the SSL renegotiation vulnerability: without much bandwidth, a single laptop is enough to bring down an https website.

Certificate vendors have always told websites and consumers to look for an SSL certificate to protect the security of online transaction data. But in fact they have not paid enough attention to the SSL vulnerabilities raised by researchers. As early as 2009, researchers disclosed a vulnerability in SSL renegotiation; renegotiation is used to authenticate the connection between the browser and the web server. Now, with this attack tool, a single laptop that keeps issuing secure-connection requests to a website can quickly exhaust the server's resources and bring the system down.

Beyond this, researchers still have considerable doubts about the security of SSL certificates, including SSL encryption being broken in 2009 and several CA companies being compromised this year. Recently the content delivery network (CDN) provider Akamai published a State of the Internet report noting that since 2009 the use of the SSL AES 128-SHA-1 cipher has tripled, while use of RC4-MD5-128 has fallen by nearly two-thirds. So just as users and website operators pay ever more attention to online transaction security, certificate vendors should move quickly to make sure SSL encryption is as trustworthy as their marketing claims.


Source: "Certificate vendors should patch the vulnerability: hackers release SSL attack tool", Information Security 資安人科技網


Building an SSL VPN encrypted connection with OpenVPN 2.2.0

Continued from: http://ssorc.tw/rewrite.php/read-265.html

Server-side setup


Environment


CentOS 5.6 x64

OpenVPN 2.2.0

The default yum repositories do not include openvpn,

so I'll use the dar rpm.

Install OpenVPN

yum install openvpn

OpenVPN ships a small key-management tool built on top of openssl; once the package is installed, the easy-rsa directory appears under /usr/share/doc/openvpnXXX.


Tags: vpn ssl openvpn

Forcing HTTPS for a specific path in Apache

For example, my back end at http://ssorc.tw/admin, where accounts and passwords are entered, needs to use an SSL-encrypted connection.


Add the following to httpd.conf:

<Directory /path/admin>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase   /path/admin
# Anything that did not arrive on port 443 is redirected to the https URL of the same path
RewriteCond   %{SERVER_PORT}  !^443$
RewriteRule   ^(.*)?$   https://%{SERVER_NAME}/admin/$1 [L,R]
</IfModule>
</Directory>

Tags: apache https ssl

Apache cannot serve SSL to multiple name-based virtual hosts on a single IP; in other words, the SSL service can only be used with IP-based virtual hosts.

The Apache documentation at http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts explains it all:

Why can't I use SSL with name-based/non-IP-based virtual hosts?
The reason is very technical, and a somewhat "chicken and egg" problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase. Bingo!
http://help.directadmin.com/item.php?id=89
Why do I need an owned IP for my own SSL certificate? Last Modified: Oct 26, 2005, 3:20 pm
The reason you must have your own IP address when you want to use your own SSL certificate (when you don't want the server wide shared certificate) is because of the way SSL and apache (httpd) works.
For name based webhosting (when many domains are on one IP) the web browser will pass the name of the domain being requested inside the httpd headers along with the request. This way, apache knows which domain you are trying to access even though there are many domains on that one IP address.
When you do the same thing through an SSL connection, the connection has to be made *before* the request can be sent. In this connection, the certificate is passed. The only information that apache knows before the request is made is which IP the connection is being made to. It has to be able to know which certificate to send before the request is made, thus you can't use multiple certificates on the same IP (if you do, apache will use the first certificate listed which DA will always set to the server shared certificate for shared IPs).
If you want to use your own certificate, it must be the first certificate listed. This wouldn't work for a shared IP, because there would be multiple domains wanting this status, and the first certificate would be the one shown. For this reason the shared certificate is always used on a shared IP. For your certificate, DA will acknowledge the IP as being 'owned' and will remove the server shared certificate as the first cert to be loaded, thus your certificate will be loaded instead.
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html


Tags: apache ssl

Setting up an SSL certificate with OpenSSL

Using the configuration-file approach to adjust and generate the CA, CSR and CRT

Fedora Core release 6 (Zod) + OpenSSL 0.9.8b 04 May 2006

[1.] Create the CA
         /etc/pki/tls/misc/CA -newca

CA certificate filename (or enter to create)
 (enter)
Making CA certificate ...
Generating a 1024 bit RSA private key
...................++++++
.........................................................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase: (enter passphrase)
Verifying - Enter PEM pass phrase: (enter passphrase)
-----
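The same CA, CSR and CRT chain that the CA -newca script walks through interactively, as an added example (not the original post's code) using plain openssl commands so it can run unattended. It assumes openssl(1) is on PATH; the directory, the "Example Root CA" and "www.example.com" names are constructed sample values.

```shell
#!/bin/sh
# Added example: private CA -> server CSR -> CA-signed certificate -> chain check.
# All files are written to the directory given as $1 (assumed to exist).
make_ca_and_cert() {
  dir=$1
  # 1. CA private key and self-signed CA certificate (2048-bit RSA).
  #    -nodes leaves the key unencrypted so the script runs without prompts;
  #    the CA -newca script instead asks for a PEM pass phrase, which is the
  #    safer choice for a real CA key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=TW/O=Example/CN=Example Root CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1 || return 1
  # 2. Server private key and certificate signing request (CSR).
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=TW/O=Example/CN=www.example.com" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
  # 3. The CA signs the CSR, producing the server certificate (CRT).
  openssl x509 -req -in "$dir/server.csr" -days 90 \
    -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
    -out "$dir/server.crt" >/dev/null 2>&1 || return 1
  # 4. Confirm the issued certificate chains back to our CA; this is what a
  #    client with cacert.pem in its trust store will check.
  openssl verify -CAfile "$dir/cacert.pem" "$dir/server.crt" >/dev/null 2>&1
}

# Print the issuer of a PEM certificate, to see which CA signed it.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Usage: d=$(mktemp -d); make_ca_and_cert "$d" && cert_issuer "$d/server.crt"
```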
