Thursday, May 16, 2019

Apache SSL and ciphersuites

Useful commands and links

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite


openssl ciphers -v

http://www.openssl.org/docs/apps/ciphers.html

httpd -v
httpd -V

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

openssl s_client -connect 129.123.123.112:443

yum list all
yum install nmap


nmap -p 443 --unprivileged --script ssl-enum-ciphers 129.123.123.112

https://www.tecklyfe.com/nmap-script-test-ssl-versions-cipher-suites/

SSLCipherSuite HIGH:!aNULL:!MD5

SSLCipherSuite HIGH:!aNULL:!MD5:!SSLv3:!TLSv1

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.0: No supported ciphers found
|   TLSv1.1: No supported ciphers found
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong
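Added example (not from the post): it expands the two SSLCipherSuite values above through Python's ssl module, which takes the same OpenSSL cipher-list syntax httpd passes to OpenSSL, and reports which suites are pre-TLS 1.2 era, which lack forward secrecy and which are CBC rather than AEAD, the properties the nmap scan above reflects. Note that !SSLv3:!TLSv1 removes the suites first defined in those protocol versions (which is why the scan finds no ciphers under them), whereas disabling the protocols themselves is the job of the SSLProtocol directive. The exact list depends on the OpenSSL build Python is linked against.

```python
import re
import ssl

# The two SSLCipherSuite values from the post. httpd hands this string to
# OpenSSL unchanged, so expanding it through the ssl module shows what the
# server would offer (for the OpenSSL build Python is linked against).
BROAD = "HIGH:!aNULL:!MD5"
TLS12_ONLY = "HIGH:!aNULL:!MD5:!SSLv3:!TLSv1"

# Ephemeral "Kx=" values from `openssl ciphers -v` (forward secrecy).
# TLS 1.3 suites print Kx=any; their key exchange is always (EC)DHE.
FORWARD_SECRET_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK", "any"}


def expand_cipher_string(spec):
    """Expand a cipher string into the suites OpenSSL would enable.

    'protocol' is the version the suite was first defined in, as printed by
    `openssl ciphers -v` (SSLv3, TLSv1.0, TLSv1.2, TLSv1.3); the !SSLv3 and
    !TLSv1 keywords in the cipher string match on exactly that field.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        # description is the `openssl ciphers -v` line, e.g.
        # "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"
        m = re.search(r"Kx=(\S+)", c["description"])
        suites.append({
            "name": c["name"],
            "protocol": c["protocol"],
            "kx": m.group(1) if m else "?",
            "aead": "Mac=AEAD" in c["description"],  # GCM/CCM/ChaCha20
        })
    return suites


def audit(spec):
    """Summarise the weak spots a cipher string leaves enabled."""
    suites = expand_cipher_string(spec)
    return {
        "total": len(suites),
        "legacy_era_suites": [s["name"] for s in suites
                              if s["protocol"] in ("SSLv3", "TLSv1.0")],
        "no_forward_secrecy": [s["name"] for s in suites
                               if s["kx"] not in FORWARD_SECRET_KX],
        "cbc_suites": [s["name"] for s in suites if not s["aead"]],
    }
```

Call audit(BROAD) and audit(TLS12_ONLY) to compare the two values; only the second should return an empty legacy_era_suites list, while both still contain Kx=RSA suites such as AES256-GCM-SHA384 that give no forward secrecy.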

https://en.wikipedia.org/wiki/Évariste_Galois

Background on the GCM ciphers (Galois/Counter Mode): https://en.wikipedia.org/wiki/Galois/Counter_Mode

Wednesday, January 9, 2019

apache httpd on centos

sudo yum install httpd mod_ssl
systemctl status httpd
systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2018-04-28 02:58:49 CEST; 12s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 25955 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 25951 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 25951 (code=exited, status=1/FAILURE)

sudo su -
cd /var/log/httpd/
less error_log

[Sat Apr 28 02:58:49.199587 2018] [core:notice] [pid 25951] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Sat Apr 28 02:58:49.222124 2018] [suexec:notice] [pid 25951] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Apr 28 02:58:49.223152 2018] [ssl:emerg] [pid 25951] (13)Permission denied: AH02201: Init: Can't open server certificate file /home/centos/myapp/mysitename.crt
[Sat Apr 28 02:58:49.223168 2018] [ssl:emerg] [pid 25951] AH02312: Fatal error initialising mod_ssl, exiting.

less /etc/httpd/conf/httpd.conf

<VirtualHost *:443>
  DocumentRoot /var/www/website
  ServerName www.yourdomain.com
  SSLEngine on
  SSLCertificateFile "/home/centos/myapp/mysitename.crt"
  SSLCertificateKeyFile "/home/centos/myapp/mysitename.key"
</VirtualHost>


sudo /usr/sbin/httpd -S
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.yourdomain.com (/etc/httpd/conf/httpd.conf:107)
         port 443 namevhost www.yourdomain.com (/etc/httpd/conf/httpd.conf:107)
         port 443 namevhost localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

See also http://www.javamonamour.org/2018/02/apache.html