Symantec leaves the ssl market

Symantec, I read, have sold their ssl interests after fucking up ssl (tls) certs with the green bars.  Quite how these security geniuses ended up in such a state is noteworthy, but it probably leaves many of you with bad unverified certificates from them and their brands that will stop working.

This has happened before (my blog), so size is no guarantee of administration.  Oddly these are the same people who complain bitterly about others and not their own behaviour in the past.

I do not have any Symantec brands of tls, but I do not want any of their products in the zoo.

It feels like money trumps integrity.   Most of us do tls once and never have to worry about it for a year or so, but Symantec have other plans for you.

CS Academics who can’t run an email server

nugura.cs.usyd.edu.au tried to send the zoo something; alas they're a bit shit at mail servers.  Let's take a look….

smtpd[*]: NOQUEUE: reject: RCPT from nugura.cs.usyd.edu.au[129.78.110.124]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=<caa_verification@nugura.cs.usyd.edu.au> to=<abuse@zoo> proto=SMTP helo=<nugura>

Oh well, it would have been interesting to see (my blog) that, but I am not that bothered.

the amusing antics of the ssl mafia

Bananas was reading this (not here) when the whole concept of paid tls seems like a make work scheme.

For the record the zoo has ssl, dnssec and other things, but our certs for tls are the cheap ones (dv); we also have one lets-encrypt doing something boring.

For ov and ev certs even the cert providers fail the validation test: Symantec has been issuing them without these checks.  No, I am not making that up; these are supposed to be trustworthy. Oh well, as long as money is handed over the mafia do not really care.

I have no problem with tls except the way it is procured and set up; for instance, how many sites with ssl/tls have caa records, or tlsa?

If you have tls certs and have no fucking clue what a caa is (not regulation of aircraft) then you're a problem here too.

So the ssl mafia has been complaining, and while I am ok with tls1.3 I do wonder if I will still need my zoo email to handle tls1.0, because some retard at our energy company has not even heard of tls 1.2.

Other shit things the ssl mafia have come up with include hpkp, and the ideas continue with httpev: because https, er, could mean anything apparently.

The link is an informative read about the perception of things and the desperation of the ssl mafia to differentiate and not follow their own rules while whining about things.

As the browser makers seem not inclined to do the extended bidding of the ssl mafia, and people think what they think, I am certainly not inclined to buy ev certs; for instance, how would the average smartphone user know that the ev certified site they visited is genuine?

These are valid concerns, but the reaction of the ssl mafia is, as usual, screwed up.  These goodfellas are great, are they not?

caa records the hardish way

Caa* records are a bit rare, and unless you run a very new dns server version many of these records will be tossed out as too new, since they are not supported either by the name server or by the dnssec wrapper.

To do caa records in an 'older' server I had to use rfc 3597 syntax, which does look like voodoo compared to normal dns records; it's not the kind of thing the bbc think is not worth reporting on (my blog).  It is some kind of machine-readable format which I have not delved into but looks a bit like atps.
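An added example, mine rather than the post's, of what that voodoo actually is: the CAA RDATA (flags octet, tag length, tag, value) packed into RFC 3597 generic text (TYPE257 \# length hex) for a server that does not know the type, and unpacked again so a published record can be checked. The owner name zoo.example. and the iodef address are made up.

```python
# CAA RDATA (RFC 6844): one flags octet, one tag-length octet, the tag, then the value.
# RFC 3597 lets a name server that predates CAA carry it as TYPE257 \# <length> <hex>.
CAA_TYPE = 257

def caa_to_rfc3597(flags: int, tag: str, value: str) -> str:
    """Encode one CAA property as generic (RFC 3597) presentation text."""
    if not 0 <= flags <= 255:
        raise ValueError("flags is a single octet (0, or 128 for issuer-critical)")
    tag_b = tag.encode("ascii")
    if not tag_b.isalnum() or len(tag_b) > 255:
        raise ValueError("tag must be 1..255 ASCII letters/digits, e.g. issue, issuewild, iodef")
    rdata = bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")
    return f"TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex()}"

def rfc3597_to_caa(text: str) -> tuple:
    """Decode generic text back to (flags, tag, value); the hex may be split by spaces."""
    fields = text.split()
    if len(fields) < 4 or fields[0].upper() != f"TYPE{CAA_TYPE}" or fields[1] != "\\#":
        raise ValueError("expected: TYPE257 \\# <length> <hex...>")
    rdata = bytes.fromhex("".join(fields[3:]))
    if len(rdata) != int(fields[2]) or len(rdata) < 2 or len(rdata) < 2 + rdata[1]:
        raise ValueError("length field does not match the hex data")
    tag_len = rdata[1]
    return rdata[0], rdata[2:2 + tag_len].decode("ascii"), rdata[2 + tag_len:].decode("utf-8")

def caa_zone_lines(owner: str, props) -> list:
    """Zone-file lines for (flags, tag, value) properties, e.g. an issue plus an iodef."""
    return [f"{owner} IN {caa_to_rfc3597(*p)}" for p in props]

if __name__ == "__main__":
    # Made-up owner and contact: only letsencrypt.org may issue, report violations by mail.
    sample = [(0, "issue", "letsencrypt.org"), (128, "iodef", "mailto:abuse@zoo.example")]
    for line in caa_zone_lines("zoo.example.", sample):
        print(line)
```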

Not all ca's (not a typo) support caa, for when I write this gandi don't, but letsencrypt do, so if you're shopping for tls it's another limiter.

So two zoo domains do have caa records from two suppliers, but two do not. As many dns things like tlsa (my blog) are not checked by browsers, I doubt they will be doing caa checks anytime soon.

So I will keep the two records i have and see how maintainable they are. Stay tuned for updates!

It is doubtful the zoo will purchase gandi ssl (tls) again.

*nothing to do with aircraft

the unscheduled lets encrypt renewal by 21 days

Lets encrypt is a free tls thing and a bit of a game for me: to do email in tls I had to make a web site just to get the bloody tls, which assumedly lasts three months, and then I have to redo my tlsa records for dane.

I wrote down the date, but 21 days early it got renewed all on its own; I only know this since I got an email about this fucked up renewal as the tlsa records were wrong.  How the fuck did 90 days become 69?  That's with the zoo doing some pruning of lets encrypt cron jobs and me not knowing precisely what calls the update in debian (not me).

I renewed my tlsa records (my blog), but its process to call for updates and inform you is something I have to figure out, and that's even looking at the logs in /var/log/letsencrypt, which are a joy to read due to stack traces.

Grr

 

Letsencrypt finally figured out (meh)

One afternoon I was bored on a bank holiday and decided to go figure out letsencrypt, of which my previous attempt left much to be desired (my blog).

The domain was using self-signed certs for email and I had no www, and being slightly drunk certainly made a game of it; after all, this has got to work somehow.

This is from debian backports; I guess I might end up compiling everything if compiled from source. Since I use debian, let's try and keep it the debian way.

I had to do some www config work, listening on 80 and 443 in apache; I also did some dns redirect diversions a day earlier.

Nitpick: the man page for certbot really sucks in formatting; you have to be in FULL SCREEN mode or otherwise the formatting is shit. I smell a gnome developer.

With my config I then experimented until I hit the right command to use with apache, since I have a host that does more than just one website, which is where crappy website hosting will assume that you only have one.

I used

certbot certonly --webroot -w /var/www/<host>/ -d <host>

Which picked up the config rather than assume i have only one ip address.

Anyhow I eventually got a working certificate (nice not to get a useless www., that is a plus point) after some apache config work and restarts, but guessing where the certs were was the next issue; a google discovered that /etc/letsencrypt/live/<host>/*.pem was the ticket.  Never trusted or knew about the automatic apache config mode, of which I have no idea if that is for the 2.2 or 2.4 release.

Reconfiguring apache could be a big job for me if it fucks up, as we host more than one website here in the zoo on one computer.   I really do not trust certbot to configure things, and I like to know how it works rather than some stuff I did not set up.

For dane (my blog) I had to hash the cert.pem; I only really want it for that, not apache. Why I can't use email to approve this shit like paid certs do is beyond me; if they want an apache config I am willing to oblige, but this is me pushing the average user envelope.

Most people reading this probably cannot use tls in email, say gandi clients, or have dkim signed mail, unless you buy a high end xen instance and configure it yourself.  tls encryption was a no in the cheapest gandi* offering when I looked.

Letsencrypt works in postfix too once you set cert, ca chain and private key; tlsa hashing was successful too, a benefit of doing the apache ssl config.

These certs only last three months, and so expect a lot of crap in /var/log/letsencrypt from python dumps, which makes it easier said than done to track down what generates them even with cron jobs turned off, although the renewal directory files appear to be adjusted by what I have no idea.

I have now got to write an index html page and a 404 explaining the reason for this bizarre oddity.  It's a make-work scheme, although it will work with the default index.html we all know and love.

Then your renewal: you have to set up a cron entry, and in three months' time I then have to hash cert.pem once again and change the dns records.
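An added example (mine, not the post's) of that hashing step in code, for both this post and the unscheduled 21-day-early renewal above: it builds the DANE-EE TLSA rdata (usage 3, selector 0 or 1, SHA-256) from a certificate and checks whether the record already in DNS still matches, which is what silently stops being true after a renewal. The DER skeletons are constructed, not real certificates; for a real cert.pem pass the file's text. Selector 1 (the public key) survives a renewal only when the key is kept (certbot's --reuse-key option); selector 0 (the whole cert) never does.

```python
import base64
import hashlib

def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long form: low bits give the number of length octets
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV, the bytes that TLSA selector 1 hashes."""
    _, tbs, _ = _tlv(_tlv(cert_der, 0)[1], 0)     # Certificate -> tbsCertificate
    tag, _, nxt = _tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0                # explicit [0] version is optional
    for _ in range(5):                             # serial, sigalg, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    _, _, end = _tlv(tbs, pos)                     # subjectPublicKeyInfo
    return tbs[pos:end]

def _der(cert) -> bytes:
    """Accept DER bytes or the text of a cert.pem (strip the armour, base64-decode the body)."""
    if isinstance(cert, bytes):
        return cert
    body = [line for line in cert.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(body))

def tlsa_rdata(cert, selector: int = 1) -> str:
    """DANE-EE rdata: usage 3, selector 0 (whole cert) or 1 (SPKI), matching type 1 (SHA-256)."""
    der = _der(cert)
    data = spki_from_cert(der) if selector == 1 else der
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"

def tlsa_matches(cert, published: str) -> bool:
    """Does the record already in DNS still match this (possibly renewed) certificate?"""
    usage, selector, mtype, digest = published.split()
    if (usage, mtype) != ("3", "1"):
        raise ValueError("only DANE-EE with SHA-256 is handled here")
    return tlsa_rdata(cert, int(selector)).endswith(" " + digest.lower())

# Constructed DER skeletons, not real certificates: the same key under two serial numbers,
# which is what a renewal that keeps the private key looks like to DANE.
CERT_V1 = bytes.fromhex("301e3017a003020102020101" + "3000" * 4 + "3005030300abcd3000030100")
CERT_V2 = bytes.fromhex("301e3017a003020102020102" + "3000" * 4 + "3005030300abcd3000030100")
CERT_V1_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_V1).decode() + "-----END CERTIFICATE-----\n"
```

tlsa_matches(CERT_V2, tlsa_rdata(CERT_V1, 1)) is true while tlsa_matches(CERT_V2, tlsa_rdata(CERT_V1, 0)) is false, which is the whole reason to publish the key hash rather than the cert hash.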

The cron scheduling may or may not be available with basic or average hosting.

I suppose it is better than self signed.

This I suppose is not how your average website would usually get a tls cert, but the monkey house is not constrained like you lot with one ip address, a virgin domain name and a strange version of dns, email and hosting.

Works here, though setting hsts (my blog) to three months is deemed 'bad' by some.

*gandi is a hosting firm not an indian

giving up on the mysteries of hpkp

I have written about hpkp (my blog) before but find it lacking in usable documentation; quite how you specify a backup cert in, say, apache I leave as a question to gurus. Buying a cert to not use it seems strange, and how that would affect caa records if, say, from another supplier is a mystery it seems I will not bother to figure out, for it is bollocks to common sense.  Could one be deemed a fake cert issue that gets the ca removed from, say, firefox is a problem I foresee if hpkp takes off.

I suppose it could be done, but then if the hostname does not match you're still going to get grief from firefox about host mismatch problems; forget self-signing ssl.  Add the cost of ev certs in too, or the problem of a cert with multiple addresses, and then you still have no backup hpkp.

I think hpkp is a retarded man's dnssec (which the zoo has), but hpkp still has a cost with the backup certificate, which I guess makes the ssl mafia happy financially, and who cares if it gets used or not.  They do not.

As I am no hpkp guru, nor feel the need to become one, I ask the question: why is it only for webservers, say, but not email too? Other ports can be utilised too, but you get my gripe.

So I have commented it out of the apache config, for if I cannot figure it out then I doubt many others can use it either.

Anyhow not my problem.

 

fun with postfix tls and user certs

So you have a dane (my blog) compatible dnssec setup (my blog) running on all the mx's in the domain list, which entails at least two certificate authorities, so what else can you do?

Well, being a bored ape one day I decided to test user certificates in postfix, not simply the three extra lines to enable tls support in postfix; this requires more steps, with some hairy eyeballs on the postfix tls support document.

It does work, although it's just mentioned in the headers. Reports can be semi-informative:

8 Anonymous: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
1 Untrusted: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

That is a self-certified tls with 'Untrusted'. With signed tls (eg bought) it seems impossible to issue client certificates like you can with self-signed ssl, so it seems unlikely that I will ever get 'Trusted'.   The setting 'Anonymous' is dane tls in default.

Bloody mafia (my blog).

Self-certified user certs are nice, if a little extra mile, and something that does need a mammal at a keyboard.  So it sort of explains why it is not popular, although our friends at the nsa (my blog) probably helped.

No wonder user certificates (as opposed to server instances) are missing from most postfix setups, and even Google gets untrusted status.

Received: from mail-*.google.com (unknown [ip])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (not verified))
by mail2.zoo (Postfix) with ESMTPS id x

So dane will only get you so far. The mafia won't help either.

DSN's are handled oddly too. Example:

postfix/smtp[x]: xyz: to=<553@zoo>, relay=zoo[ip.addr]:25, delay=x, delays=1018/0.01/0.09/0, dsn=4.7.5, status=deferred (Server certificate not verified)

which in postfix is classed as

4.7.5: Transient failure: Security/policy status: Cryptographic failure
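An added example, not from the post, of turning the two things shown above into something you can watch: the Received: trailer Postfix writes is classified into the same Anonymous/Untrusted/Trusted levels as the report, and the postfix/smtp delivery line is parsed for the 4.7.5 deferral. The headers and the deferral line are constructed samples; the verified case is assumed to read "(verified OK)".

```python
import re
from collections import Counter

# Constructed sample hops in the shape Postfix writes into Received: (not real mail).
SAMPLE_HEADERS = [
    'Received: from mail-a.example.net (unknown [192.0.2.10])\n'
    '\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))\n'
    '\t(Client CN "smtp.example.net", Issuer "Example CA" (not verified))\n'
    '\tby mail2.zoo (Postfix) with ESMTPS id 1',
    'Received: from mail-b.example.org (unknown [192.0.2.11])\n'
    '\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))\n'
    '\tby mail2.zoo (Postfix) with ESMTPS id 2',
    'Received: from mail-c.example.com (unknown [192.0.2.12])\n'
    '\tby mail2.zoo (Postfix) with ESMTP id 3',
]
# Constructed postfix/smtp line with the DSN shape quoted in the post.
SAMPLE_DEFERRAL = ('postfix/smtp[1]: ABC: to=<553@zoo>, relay=zoo[192.0.2.1]:25, delay=2, '
                   'delays=1/0/0/0, dsn=4.7.5, status=deferred (Server certificate not verified)')

TLS_RE = re.compile(r'\(using (?P<proto>[\w.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)\)')
CLIENT_RE = re.compile(r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" \((?P<verified>[^)]*)\)\)')
DSN_RE = re.compile(r'dsn=(?P<dsn>\d+\.\d+\.\d+), status=(?P<status>\w+)(?: \((?P<reason>[^)]*)\))?')

def classify_received(header: str) -> dict:
    """Label one inbound hop with the level Postfix's smtpd log uses for it."""
    tls = TLS_RE.search(header)
    if tls is None:
        return {"level": "Plaintext"}                 # no 'using ... with cipher' clause at all
    info = {"proto": tls["proto"], "cipher": tls["cipher"], "bits": int(tls["bits"])}
    client = CLIENT_RE.search(header)
    if client is None:
        info["level"] = "Anonymous"                   # encrypted, but the peer sent no client cert
    else:
        info["cn"], info["issuer"] = client["cn"], client["issuer"]
        info["level"] = "Trusted" if client["verified"].startswith("verified") else "Untrusted"
    return info

def summarise(headers) -> Counter:
    """Count hops per level, the shape of the '8 Anonymous / 1 Untrusted' report above."""
    return Counter(classify_received(h)["level"] for h in headers)

def parse_dsn(logline: str):
    """Pull dsn/status/reason out of a postfix/smtp delivery line; 4.7.5 is a TLS policy failure."""
    m = DSN_RE.search(logline)
    if m is None:
        return None
    return {"dsn": m["dsn"], "status": m["status"], "reason": m["reason"], "tls_failure": m["dsn"] == "4.7.5"}

if __name__ == "__main__":
    for level, n in summarise(SAMPLE_HEADERS).items():
        print(n, level)
    print(parse_dsn(SAMPLE_DEFERRAL))
```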

letsencrypt fail

The zoo runs several websites off one piece of hardware and some of you lot probably will be amazed that it is possible (my blog) and it works.

However lets encrypt is a wreck behind the scenes; even run as root I failed to get past this web hoster's botched implementation, certbot.

Problems encountered: one registration per /etc; monkey.com and banana.com need two accounts.

I delete one, I get further than before, then I need to create directories, and when I run those commands (printf) the client still says no; and when dealing with multiple ip addresses then some editing of the python syntax is needed.

This

:/tmp/certbot/public_html# $(command -v python2 || command -v python2.7 || command -v python2.6) -c "import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"

Needs to become

:/tmp/certbot/public_html# $(command -v python2 || command -v python2.7 || command -v python2.6) -c "import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('<ip address>', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"

However a dns redirect trumps this feature, so it's a real pain in the arse; all I wanted was a tls website for an expired tls domain, no joy, and for a postfix instance a certificate, which seems to demand a website which I don't want.

I also deleted my 443 config (I did make a backup), but it strikes me as very much not ready for the real world. I decided to buy ssl instead.

Perhaps my tlsa records (my blog) upset the process, but certbot does computer says no when what I wanted was something along the lines of a crt and pem chain from which I could figure out the rest; instead I get a boilerplate 443<monkey>.com apache template somewhere in /etc.

letsencrypt is too restrictive and its configuration leaves much to be desired.  OK, I was working this as an in-place upgrade rather than a 'virgin' domain which never had an ssl cert before, which I could test*, but tls is not rocket science; the process involved is horrid.

Peace.

*to do this I would create dns zones, change dns glue records, switch on an ipv4 address and add a www thing, delete the bad account data, and then a day later try again.  No thanks.

what contact will the tls provider use game.

I had to do an emergency ssl renewal recently* and, while approving the first contact, the second is somewhat of a guess, being the admin or tech contact.  I always seem to assume the wrong one, but some use one but not the other.

They're pretty painless mostly if you have done it before, and you get a guess-who game as well.

*nobody informed me