Secure SSL configuration for Nginx

Here is a handy snippet for configuring hardened SSL/TLS on Nginx. It receives an A+ rating when tested at Qualys. A later post will discuss the configuration options in detail, what they do, and how SSL works. One word of warning: this configuration enables HSTS by default. When enabled, HSTS tells the browser that the site (and its subdomains) must only be accessed over HTTPS.

Nginx configuration

server {
    ###------IPv4 Listen Address
    listen <ipv4address>:443 http2 ssl;
    ###------IPv6 Listen Address
    # listen <ipv6address>:443 http2 ssl ipv6only=on;
    ###------Host name
    server_name <fqdn>;
    ###------Enable…

read more...

Securing services with stunnel

Stunnel is a tool that allows you to seamlessly add TLS to most existing services. Stunnel listens on a port and can either receive encrypted traffic and pass it to an unencrypted destination, or receive unencrypted traffic and forward it to an encrypted destination. TLS is commonly used to protect clients from connecting to untrusted servers by verifying the certificate presented by the server. Conversely, servers can prevent unwanted clients from connecting by requiring them to present a valid certificate. This means that stunnel can add a strong layer of access control.

Table of contents

Providing HTTPS to…

read more...