Tag Archives: SSL

Ignoring SSL Certificate Errors On .NET Core On HttpClient

Written by William Roush on December 20, 2016 at 8:28 pm

Had a certificate expire at 8PM EST tonight on a critical project I was supposed to demo, wasn’t going to stop me… lots of articles don’t really go over how to do this now on .NET Core 1.0, so lets cover the code to do so:

using (var httpClientHandler = new HttpClientHandler())
{
   httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
   using (var client = new HttpClient(httpClientHandler))
   {
       // Make request here.
   }
}

Pretty simple, really.

100% Qualys SSL Test A+

Written by William Roush on April 1, 2014 at 10:41 pm
Obtaining 100/100/100/100 on Qualys SSL Server Test

Obtaining 100/100/100/100 on Qualys SSL Server Test

For fun we’re going to poke at what it takes to score 100 across the board with Qualys SSL Server Test — however impractical this configuration may actually be.

Qualys SSL Server Test… What Is It?

Qualys SSL Server Test is an awesome web based utility that will scan your website’s SSL/TLS configuration against Qualys best practices. It’ll run through the various SSL and TLS protocol versions, test all the cipher suites, and simulate negotiation with various browser/operating system setups. It’ll give you not only a good basis for understanding how secure your site’s SSL/TLS configuration is, but if it’s accessible to people on older devices (I’m looking at you Windows XP and older IE versions!).

Getting 100/100/100/100

Late at night I was poking at some discussions on TLS, and wondered what it really took to score 100 across the board (I’ve been deploying sites that scored 100/90/100/90), so I decided to play with my nginx configuration until I scored 100, no matter how impractical this would be.

server {
  ssl_certificate /my_cert_here.crt;
  ssl_certificate_key /my_cert_here.key;

  # TLS 1.2 only.
  ssl_protocols TLSv1.2;

  # PFS, 256-bit only, drop bad ciphers.
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH;

  # Enable SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;out 10m;

  location / {
    # Enable HSTS, enforce for 12 months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}
Qualys wants only 256bit (or stronger) cipher suites.

Qualys wants only 256bit (or stronger) cipher suites.

This barely differs from our standard configuration (depending on if you chopse to mitigate BEAST instead of RC4 issues)

This barely differs from our standard configuration (depending on if you choose to mitigate BEAST instead of RC4 issues)

100/100/100/100 comes at a high price.

100/100/100/100 comes at a high price.

To get to having all 100s we drop pretty much all but the most modern browsers… oops!

100s Not Realistic

It seems you’ll want to aim for 100/90/100/90 with an A+. This configuration will give your users the ability to take advantage of newer features (such as Perfect Forward Secrecy and HTTP Strict Transport Security) and stronger cipher suites while not locking out older XP users, and without exposing your users to too many TLS vulnerabilities (when supporting XP, you have to choose between protecting against BEAST or use the theoretically compromised cipher RC4).

So we’ll want to go with something a little more sane:

server {
  ssl_certificate /my_cert_here.crt;
  ssl_certificate_key /my_cert_here.key;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # PFS + strong ciphers + support for RC4-SHA for older systems.
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:RC4-SHA:HIGH:!aNULL:!MD5:!kEDH;

  # Enable SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;out 10m;

  location / {
    # Enable HSTS, enforce for 12 months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}

10/24/2014 Update: Removed SSLv3 due to POODLE exploit for A+ example.

Dan Kaminsky – Black Ops Of PKI

Written by William Roush on March 26, 2014 at 7:58 pm

Amazing talk by Dan Kaminsky discussing what is broken with X.509 (SSL). It’s an amazing dive into how X.509 works, various exploits, and the impeding problem of the Verisign MD2 root certificate that may be open to preimage attack sometime in the near future.