The other day I blogged about using LetsEncrypt with FreeNAS. There were another two things around the house that I wanted to have proper SSL certificates on: my Plex server and the Unifi Controller. The latter looks like far too much effort to go through, but I did get it up and running for Plex pretty quickly this morning. Since I also used the same CloudFlare-based API updates for DNS, this one ...
Read More
Last week my LetsEncrypt certificate expired on FreeNAS which effectively locked me out of my FreeNAS UI when using Chrome (my default browser). Thinking perhaps that I had forgotten something during my upgrade to FreeNAS 11.2 I set out to figure out what the problem was, only to realize two things: one, I hadn't setup a cronjob to renew and two, I didn't blog about it.
Usually I write blogs primarily for my benefit on ...
Read More
So it's been noted in a few places that 2017 is the year that SHA1 for HTTPS is doomed. Microsoft has deprecated SHA1 in Edge and Internet Explorer browsers and in February 2017 will be blocking them entirely. Google is doing the same thing with Chrome starting January 2017, as is Firefox.
Most sites today don't use SHA1-based SSL certificates (which is good) and there are sites you can go ...
Read More
Python 2.7.9 was released nearly a month ago and with it came some SSL-related changes (it backported the Python 3.4 ssl module and does HTTPS certificate validation using the system's certificate store). The latter can cause some problems with home-grown CA's, however. On Mac OS X, the CA certificate store is in the Keychain Access application which isn't exposed to commandline tools like Python. This will cause HTTPS certificate validation to ...
Read More
I've refrained from posting or saying anything about Heartbleed all week because I didn't want to add to any sensationalism and hype, and I've also been too busy actually dealing with it (as opposed to simply talking about it or running around with hands waving in the air like a mad man). Now that the dust has settled a bit, I just want to link to some sites that I think are good to ...
Read More
This week's mac techmail is Create your own SSL CA with the OS X Keychain. This talks about how you can use the Certificate Assistant on OS X, to create your own SSL Certificate Authority for a local network or internal organization. The tool is quite slick, if a little complicated for the uninitiated, but it does work quite well.
Read More
This week's mac techmail is Managing SSL Certificate Authorities on OS X which takes you through adding a CA to the OS X keychain to verify SSL certificates. This is mostly useful for internal networks that use their own CA and it (obviously) doesn't come bundled with any OS. This allows OS X to trust these SSL certificates as if they were signed by one of the expensive/big-wig SSL certificate authorities.
Read More
This week's TechMail is Configure Apache to support multiple SSL sites on a single IP address which talks about the new SNI (Server Name Indication) feature in Apache 2.2.12. This is a really welcome feature as previously if you wanted more than one SSL-secured site, you needed more than one IP address. Now you can have multiple SSL sites on a single IP address. While this isn't a universal thing yet ...
Read More
The Register has just put up an article entitled After Debian releases SSL patch, a world of hurt for security pros. On page 2, I'm quoted which is cool, but what isn't cool is that the two typos in the article happen in my "quotes". Strange thing is that it was a phone interview, but now I look like an illiterate.
Oh well.
Good that the Register and many other outfits are picking this ...
Read More
In light of the recent Debian debacle and to get the word out to more people, this week's Techmail is Find and fix weak OpenSSL/OpenSSH keys: Debian-based Linux vulnerability which more or less reiterates what happened with the Debian OpenSSL... fun... and points to the dowkd.pl script that can be used to test for weak keys.
Read More