How to check if you are vulnerable to the DROWN attack (CVE-2016-0800).

CVE-2016-0800, also known as the DROWN attack, is an attack against servers that still support the old SSLv2 protocol. The only reason a server would still offer SSLv2 is compatibility with 20-year-old PCs (in other words, there is no reason to use or offer SSLv2 any more). On the configuration side you can disable the v2 protocol by adding -SSLv2 to the list of protocols in use. Where and how you configure this depends on the software, but all -SSLv2 -SSLv3 works with most modern servers and clients; Mozilla has a fantastic overview for configuring SSL and TLS. If you want to check a bunch of your hosts […]


Renewing “Let’s Encrypt” SSL certificates

Let’s Encrypt provides free DV SSL certificates for everyone and is now in the open beta phase. I’m not going to go into the details of which client is best, since that depends entirely on your use case (I use acme-tiny and a rule in varnish to intercept all calls to /.well-known/acme-challenge/). Since the certificates are only valid for 90 days, I often see people suggesting that you just renew them via a cronjob every 2 months. I find this to be really awful advice: if that renewal fails for any reason (network problems, local problems, problems with Let’s Encrypt), the next renewal is a month after the certificate has expired. It is also […]


Weekly Update

Don’t be surprised if I post in German now and then. I just want to bring in a little variety. So, what’s new this week? I have removed the automatic redirect to https for the domain dopefish.de, since Firefox 3 likes to complain when domains use self-signed certificates (unfortunately also the only way to create free certificates). Of course https still works, it is just no longer mandatory. Anyone using Firefox 3 should type “about:robots” into the address bar. The developers apparently built in something funny during a boring minute. Technically nothing has happened; I was away from home too often this week to tinker with anything special on the server. Instead […]
