Wednesday, October 15, 2014

Turning Off SSLv3 in Apache and IIS8, AKA Putting Down the Poodle That Bites

Poodle is a security vulnerability that has been found in SSLv3. Since SSL is over ten years old, and the only browsers that support it as the strongest version of encryption are IE6 and older, in my humble opinion it is safe to turn it off. 

Let's start with the easy one, Linux, in particular CentOS.
NB you will most likely need to be root or be part of the sudo group to make the following changes



1)     Open the ssl.config file with your favourite text editor.
In Red Hat based distributions like CentOS you should find it in
/etc/httpd/mods-available/ssl.conf

2)     Find the line starting with 
SSLProtocol

3)     Change it to 
SSLProtocol all -SSLv2 -SSLv3
This will allow all ciphers expect SSLv2 and SSLv3

4)     Save ssl.conf and exit your text editor

5)     Restart Apache by running the command
service httpd restart

6)     Use a tool like sslscan to check all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be
sslscan my-side-projects.blogspot.co.uk
The list will be long so it might be worth redirecting the output to a file or piping the out into grep to return only the SSL ciphers
see step 14 of Windows for sample output



That's Linux done, now onto Windows and IIS8

To turn SSL support off for Windows you need to edit the registry. Doing this is fraught with danger, you can really mess up your Windows box if you do something wrong in the registry. Also you will need to reboot your server for the changes to take effect, not an iisreset an actual system reboot.
1)     Open regedit.exe

2)     Make a backup of your registry

3)     Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

4)     Backup this level of the registry

5)     Go into SSLv3, create a key/directory named "SSLv3" if it doesn't already exist

6)     Create a key/directory named "Client" if it doesn't already exist inside the SSLv3 key/directory

7)     Inside "Client" key/directory create or edit the dword value "DisabledByDefault" and set it to equal 1

8)     Create a key/directory named "Server" if it doesn't already exist inside the SSLv3 key/directory NB this should be at the same level as the "Client" key/directory

9)     Inside "Server" key/directory create or edit the dword value "Enabled" and set it to equal 0

10) Repeat steps 5 through 9 for SSLv2 it's the same process just replace SSLv3 key/directory with SSLv2 key/directory
you should have entries in your registry like the image below

11) Close regedit.exe

12) Reboot your server, this step is important your server will still accept SSL connection if you just do an iisreset

13) Download sslscan for Windows from https://code.google.com/p/sslscan-win/downloads/detail?name=SSLScan-1.8.2-win-r7.zip&can=2&q=

14) Run sslscan to check all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be
sslscan my-side-projects.blogspot.co.uk


Example out from SSLScan is as follows
C:\Users\luke.mccarthy\Desktop\SslScan>SslScan my-side-projects.blogspot.co.uk
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server my-side-projects.blogspot.co.uk on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Rejected  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3   56 bits  DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5

That's it you're all done, hope this helped.

Thursday, September 11, 2014

Change the Colour of Emacs Shell Prompt and Font Highlighting


The project I'm currently working on is Linux based, and I just can’t get my head around vi no matter how hard I try. Fortunately I have root privileges, so Emacs to the rescue :)

We are using CentOS so installing is as easy as

 sudo yum install emacs   

One of the many reasons I really like Emacs is you can run a shell inside Emacs.
Press Alt – x
Type shell
Press enter
NB the Alt key in Emacs is often called the Meta key and the key combination above would be shortened to M – x

This allows me to split the Emacs window and have the shell in the bottom half and what I working on in the top half, see the image below. To switch between the shell and what I’m working on I press M – O (that’s Alt and the letter O and not the number zero, Alt zero will unsplit the screen)


If like me you’re running Emacs inside Putty the first thing you might notice is the shell prompt is in dark blue on a black background. Not only is this very difficult to read but it can cause eye strain making for an unpleasant work day.

To change the colour of the shell prompt, and any font highlighting in Emacs is actually very easy if you know how. However the settings are a bit hidden, here is how to change the colours of any text in Emacs.

First you need to find out the supported colours for your version of Emacs. I’m using an old version and it doesn't support many colours, see the image below. Newer versions of Emacs support many more colours. To list the colours do the following.
Press M – x
Type list-colors-display
Press enter


Make a note of the easy to read colours. Then to change the colour of the shell prompt inside Emacs
Press M – x
Type list-faces-display
Press enter
This will display all the Font Highlighting options you can change, see the image below. On the left you will see underlined text of the name of the setting. On the right you will see the current colour settings.


Find the text comint-highlight-prompt and move the cursor directly over the top of it and press the enter key (sometimes the comint-highlight-prompt option doesn't show up, I don’t know why). This will take you into another screen, see the image below.  



  1. If the square brackets on the left of “Foreground” don’t have an X inside them like circle 1 in the image above, move the cursor in between the square brackets and press enter. This will enable the Foreground option
  2. Now move the cursor directly on top of the current colour of the foreground, circle 2 in the image above
  3. Press enter
  4. Type in the new colour you would like for the shell prompt, circle 3 in the image above. I chose green so I could feel like I was using a 1980s terminal :)
  5. Press enter 
  6. Move the cursor to the “Save for future sessions”, circle 4 in the image above 
  7. Press enter 
  8. Press Ctrl – x k to close the current screen / buffer. 
And you’re done :) The shell prompt will be what every colour you set it to.
While you are at it I would recommend changing at least minibuffer-prompt as well, you will be reading the text displayed in the minibuffer-prompt a lot. If you are feeling up to it change all the other text colours you find hard to read using the process above.

If all else fails add the following to your .emacs file

 (custom-set-faces  
  '(comint-highlight-prompt ((t (:foreground "green"))))  
  '(minibuffer-prompt ((t (:foreground "green"))))  
 )  

finally no matter which method you use to change the colour of the shell prompt in enacs, don't forget to back up your .emacs file. Recreating it takes far to long

Reference: http://lists.gnu.org/archive/html/help-gnu-emacs/2004-11/msg00170.html