-
Obtaining TLS certificate information on the command line

Here are a few helpful commands if you want to inspect and dump certificates for analysis or debugging:
-
Debugging NTS problems
Debugging is hard, debugging security protocols doubly so. And there are not many tools and how-to’s available for NTS yet. So, here’s a (short) list of NTS problems I have seen and some tricks for debugging them.
-
Using TLS Interposer with OpenSSL 0.9.8g (Debian Lenny)

Older installations, such as trusty Debian Lenny, come with versions of OpenSSL 0.9.8. The default cipher suite used by TLS Interposer is very restrictive, on purpose. For OpenSSL 0.9.8g, the only remaining cipher is RC4-SHA. Especially when configuring XMPP servers such as ejabberd to use TLS Interposer, RC4-SHA alone may not be enough (e.g., when…
-
Securing fetchmail with improved TLS parameters

fetchmail is the workhorse for downloading mail from legacy addresses. This does not mean that you want to be limited to legacy security for your passwords or mail contents. TLS Interposer helps upgrade security.
-
Upgrade ejabberd to the latest TLS security [UPDATE#2, 2014-06-05]
![Upgrade ejabberd to the latest TLS security [UPDATE#2, 2014-06-05]](https://netfuture.ch/wp-content/uploads/2013/11/XMPP-Grade-A.png)
ejabberd is a very fine XMPP server. However, it has very few options to configure its SSL and TLS security settings away from the very weak OpenSSL defaults. The TLS Interposer makes securing TLS used by ejabberd a breeze.
-
Upgrading Apache 2.2 OpenSSL security with TLS Interposer

Undoubtedly, you will have heard about the weaknesses of old SSL and TLS protocol versions and ciphers. Web browsers have been updated; but the server administrators are left alone: For stability reasons, many run long-term support editions such as Ubuntu 12.04 LTS. Even without that, most will stick to the reliability of Apache 2.2, hesitant…
-
Eliminate BEAST, CRIME, Lucky13, RC4, SSLv3 weaknesses from binary/legacy applications
Security is hard. Security that works with a variety of platforms under a flurry of circumstances with an endless choice of applications is practically impossible. SSL and TLS, the Internet security workhorses, try to achieve this feat … and fail from time to time. While some software has been updated, not all of it has.…
-
How to create DNSsec DANE TLSA entries

Rationale: One of the most promising features for DNSsec is the ability to tell a client which certificate to expect when connecting via Transport Layer Security (TLS). RFC 6698 specifies how TLS Authentication information can be put into DNSsec. So when you ask for the IP address of the server, you can simultaneously obtain the information which…
