Showing posts with label OpenSSL. Show all posts

OpenSSL : Convert .pem into .crt

 



Convert a .pem certificate to a DER-encoded .crt file using the openssl command.

Syntax Template

# openssl x509 -outform der -in your-cert.pem -out your-cert.crt


Docker SSL Error x509: certificate signed by unknown authority

 

x509: certificate signed by unknown authority

The error above is an SSL/TLS handshake error caused by a mismatch of root certificates. I encountered this issue while running the kubeadm command, and later I found that the issue exists with the curl and docker pull commands too.

Thing to note: I'm using a proxy server (Zscaler), so its certificate must be imported into my Linux base OS and into the Docker certificates too.

Curl Issue.

x509: certificate signed by unknown authority.

Fix :

Retrieve your own proxy certificate (mine is for Zscaler), copy it into the trust anchors with the command below, and then refresh the trust store.

Syntax Template

# cp zscalar_root.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust

Docker Pull Issue.

x509: certificate signed by unknown authority.

Fix :

Retrieve your own proxy certificate (mine is for Zscaler), copy it into the Docker certificates directory with the command below, and then refresh the trust store.

Syntax Template

# cp zscalar_root.crt /etc/docker/certs.d/tls/ && update-ca-trust


Now restart Docker so that it picks up the changes.

Restart docker
# systemctl restart docker




How to fix : OpenSSL Sweet 32 Birthday attack Vulnerability






Sweet32 is a birthday attack that affects the triple-DES cipher. OpenSSL has rated the triple-DES vulnerability as low; they stated “triple-DES should now be considered as ‘bad’ as RC4.”

The Sweet32 Birthday attack does not affect SSL Certificates; certificates do not need to be renewed, reissued, or reinstalled.


Fix :

Verify the cipher status with the commands below.

Use the openssl ciphers command to list the ciphers available in OpenSSL.




openssl ciphers

To check whether the server accepts DES and 3DES ciphers, run the commands below, one per protocol version.

 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl2
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl3 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_1 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_2



Find your OpenSSL config file ( openssl.conf ) and locate SSLCipherSuite.

You will probably find a long list of ciphers on the same line as SSLCipherSuite.

Add ! before DES and 3DES to disable those ciphers, separating each entry with :

 ! -- means "don't use"
 : -- marks the beginning of the next cipher
It should look like below

SSLCipherSuite !3DES:!DES 

Save and close the SSL config file, then restart Apache for the changes to take effect.

On Ubuntu/Debian

systemctl restart apache2

On RHEL/CentOS

systemctl restart httpd
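
The cipher-string edit described above as a script (an added example, not code from the original post): it appends the exclusions to the existing SSLCipherSuite value, since a string made only of exclusions selects no ciphers, and then expands the result with `openssl ciphers -v` to confirm that no DES or 3DES suite remains. The sample config and the function names `active_cipher_string`, `harden_cipher_string` and `no_des_suites` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of an Apache SSL config (not taken from a real server).
SAMPLE_CONF='# SSLCipherSuite ALL
SSLProtocol all -SSLv3
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
'

# Print the cipher string of the last active SSLCipherSuite line on stdin.
# Commented-out lines are skipped; assumes the string contains no spaces.
active_cipher_string() {
  awk 'tolower($1) == "sslciphersuite" { v = $NF } END { print v }'
}

# Append !3DES and !DES unless each is already a ":"-separated token.
# The existing ciphers are kept, because a string made only of
# exclusions selects nothing.
harden_cipher_string() {
  s=$1
  for t in '!3DES' '!DES'; do
    case ":$s:" in
      *":$t:"*) ;;                 # exclusion already present
      *) s="${s:+$s:}$t" ;;        # add it at the end
    esac
  done
  printf '%s\n' "$s"
}

# Expand a cipher string with the local OpenSSL build.
# Returns 0 if no DES/3DES suite remains, 1 if one does,
# 2 if openssl is missing or rejects the string.
no_des_suites() {
  out=$(openssl ciphers -v "$1" 2>/dev/null) || return 2
  if printf '%s\n' "$out" | grep -Eq 'Enc=(3DES|DES)\('; then
    return 1
  fi
  return 0
}

current=$(printf '%s' "$SAMPLE_CONF" | active_cipher_string)
hardened=$(harden_cipher_string "$current")
echo "before: SSLCipherSuite $current"
echo "after:  SSLCipherSuite $hardened"
if no_des_suites "$hardened"; then
  echo "no DES/3DES suites remain"
else
  echo "openssl check failed or DES/3DES still enabled"
fi
```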