Ubuntu: Testing authenticated SMTP over TLS/SSL

SMTP mail relays exposed to the internet typically use a combination of SSL and authenticated SMTP to avoid abuse by malicious actors.

This is an excellent choice from a security perspective, but makes smoke testing a bit more complex than just opening telnet.

Continue reading “Ubuntu: Testing authenticated SMTP over TLS/SSL”

PingIdentity: Disabling SSLv3 and weak ciphers for PingFederate

The PingFederate server provides best-in-class Identity Management and SSO.  However, due to US laws governing export of cryptography, the default SSL protocols and cipher suites need to be configured to harden the solution.

Below are the steps involved with making these post-installation changes.

Continue reading “PingIdentity: Disabling SSLv3 and weak ciphers for PingFederate”

OpenSSL: Using OpenSSL to enumerate protocols and ciphers in use by web applications

While enabling HTTPS is a important step in securing your web application, it is critical that you also take steps to disable legacy protocols and low strength ciphers that can circumvent the very security you are attempting to implement.

As long as you have the latest version of openssl then you should be able to use a bash script like below (credit for this script goes here) to enumerate every matching protocol and cipher that a server is exposing:

Continue reading “OpenSSL: Using OpenSSL to enumerate protocols and ciphers in use by web applications”

OpenWrt: Enabling HTTPS for the LuCI Web Admin Interface

openwrt_logoBy default, LuCI, the web admin interface for OpenWrt is not HTTPS enabled.  This may not be a critical issue for you since it is a LAN facing service, but the type of infrastructure information being exchanged combined with the fact that it is usually accessed over WiFi protocols might make you want to consider it – especially considering it is a 5 minute fix.

First connect to OpenWrt either via ssh with Dropbear, or via the USB-TTL cable and a terminal program.  Install the following packages:

# opkg update
# opkg install luci-lib-px5g px5g-standalone libustream-openssl
# opkg install luci

Continue reading “OpenWrt: Enabling HTTPS for the LuCI Web Admin Interface”