Tag Archives: SSL

Sep 13 2010

Tunnelling LDAP using stunnel

Lightweight Directory Access Protocol – a protocol used to access information stored in an information directory (also known as an LDAP directory)

LDAP is particularly useful for storing information that you wish to read from many locations, but update infrequently. For example, your company could store all of the following very efficiently in an LDAP directory:

* The company employee phone book and organizational chart
* External customer contact information
* Infrastructure services information, including NIS maps, email aliases, and so on
* Configuration information for distributed software packages

Most of the companies are already using the LDAP Protocols to manage their corporate directory services. But it was implemented earlier or without secured way. That is, the data are transferred in plain text format. So, Anyone can view the content of the querys and other things..

Although, LDAP supports SSL. They are not ready to touch the already working LDAP Server. So, a Second level service(Tunnelling) is introduced to provide the security to the LDAP Server.

Every request is sent through the tunnel and the tunnelling software acts as proxy to the LDAP server.

Request :

Client ——> Tunnelling Proxy(SSL Enabled Connection)

Tunnelling Proxy ——————> Server (SSL Not Enbabled Connection)

Response :

Server ————–> Tunnelling Proxy (SSL Not Enabled Connection)

Tunnelling Proxy ————-> Client (SSL Enable Connection)

Stunnel is the tool used to tunnelling the data from the server to client and acts as the proxy to the LDAP..

Its easy to stunnel to make to run, just edit the /etc/stunnel/stunnel.conf file

cert = /etc/stunnel/stunnel.pem
sslVersion = SSLv3
pid = /var/run/stunnel/stunnel.pid
foreground=yes
CAfile = /etc/stunnel/ca.cer
debug = 7
client = no
; service-level configuration
[ldaps]
accept = 636
connect = ldapserver:389

On the LDAP Client, you need to configure it with corresponding to the stunnel and LDAP Server Configuration.

If you find any errors in certificates, just make it to ignore the CA and Server certificates by adding the following line to /etc/openldap/ldap.conf

TLS_REQCERT never

Sep 6 2010

Threat to Internet

When we are working in internet, we are aware of that there some possibility where someone can steal our data even without our knowledge. To improve the security and to make the data unreadable we find the encryption and decryption algorithms. To make the web more secure, we use the SSL/TLS Protocols.

This protocols secures our data from the attackers and based on certificates. Mostly the attacker targets the client rather than server by using fake server certificates. This certificates are generally controlled by the Certificate Authority(CA).

Early only few CA (like Verisign, Equifax, and Thawte) are have the control over the SSL Certificates. But today, it grows to many number and usage of SSL certificates are also increased rapidly.

By default, the web browsers support many CA. For example, Firefox supports nearly 60 CA’s and IE supports more than 100 CA’s.

We think, that the security lies in the private key and certificates that we have in our server. But its not the true, the real security lies in the CA level.

When CA’s started to support the attackers, everything should be compromised. But we don’t have the control over the CA and we are not able to find this type of compromises also..

For Example, Cybertrust (a division of Verizon) issued SSL CA certificate to Etisalat on the 19th of December, 2005. Etisalat (CA) issues Certificates to the users and the company has the potential ability to fake a secure connection to any site Etisalat subscribers might visit using a man-in-the-middle scheme.

Now Ethisalat is supported in many browsers by default and there are some possibility that the entire web security is compromised.

Aug 28 2010

Web Security – SSL/TLS

SSL (Secure sockets layer) was its original name when it was built by Netscape. SSL was renamed TLS when the standard was taken over by the IETF and the version number was reset to one. So SSL version 2 (which is now obsolete) came before SSL version 3. But SSL v3 was followed by TLS v1.0. The current version, at the time of writing, is TLS v1.2.

In January this year (2010), Gmail switched to using HTTPS for everything by default.

Modern hardware can perform 1500 handshakes/second/core. That’s assuming that the handshakes involve a 1024-bit RSA private operation (make sure to use 64-bit software).

Refer : http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

SSL/TLS – Cryptographic protocols provides security for communication..

Two way of secured communication

Unilateral – Server only authenticated

Bilateral – Both Server and Clients are authenticated

CipherSuite – Its a combination of Crypto-algorithms & used in SSL/TLS.

CipherSuite consist of four parts,
1) Key Exchange
2) Authentication
3) Encryption/Decryption and
4) Digest or Integrity

Different set of algorithms are used based on their level of security and efficiency.

The OpenSSL v1.0 supports the following set of algorithms

DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ADH-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ADH-AES128-SHA:ADH-SEED-SHA:ADH-CAMELLIA128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC2-CBC-MD5:PSK-AES128-CBC-SHA:ADH-RC4-MD5:RC4-SHA:RC4-MD5:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:ADH-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-ADH-RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5

You can view these things, by using the following command :
openssl ciphers ALL

For Example : DHE-RSA-AES256-SHA

Here,

DHE – Diffie Hellman Algorithm in Ephemeral mode used for Key Exchange

RSA – used for Authentication

AES256 – used for Encryption

SHA – used for Digest