gnutls

SSL-enabled name-based virtual hosts with mod_gnutls

This article describes how to setup SSL-enabled name-based virtual hosts — that is secure virtual hosts which share the same IP address and port — with SNI-capable mod_gnutls module for Apache’s httpd server.

Server Name Indication (SNI) is a TLS extension which makes the configuration of SSL-enabled name-based virtual hosts possible. The current version of OpenSSL — 0.98 at the time of writing — does not support SNI yet, but it is planned for the upcoming 0.99 release and there are already several patches out there to add SNI capabilities to 0.98. mod_gnutls is an experimental module for Apache’s httpd which includes support for SNI.

This setup has been performed on a server that runs on Debian/Lenny and uses no self-compiled programs/packages.

Installation:

In order to use mod_gnutls you need to install it from the repository of course, simply invoke:

yourserver:~# apt-get update
yourserver:~# apt-get install libapache2-mod-gnutls

Then you need to enable mod_gnutls and disable mod_ssl:

yourserver:~# a2enmod gnutls
yourserver:~# a2dismod ssl

Setup GnuTLS:

Now it is time to get rid off mod_ssl and its configuration directives like SSLEngine, SSLCertificateFile and so on in each of your virtual host definitions. Instead we will add the mod_gnutls directives here:

GnuTLSEnable on
GnuTLSPriorities NORMAL
GnuTLSCertificateFile /etc/apache2/ssl/apache.crt
GnuTLSCertificateKey /etc/apache2/ssl/apache.key

It is a good practise to check the server configuration after each changed virtual host. You can simply do this by invoking the following command:

yourserver:~# apache2ctl configtest
Syntax OK

If you see an error instead of the ‘Syntax OK’ message, you should carefully check the changes you made. Usually most errors are caused by typos.

Finalization:

Once you have been done with adjusting and checking your virtual hosts you are ready to reload the configuration of your webserver:

yourserver:~# /etc/init.d/apache2 reload

Conclusion:

With mod_gnutls, the server supports the SNI TLS extension. The virtual hosts are name-based, no matter which one you visit, the relevant certificate for each virtual host is used.

Even tough mod_gnutls works pretty well, it is still in experimental state. Therefore, performance issues should be considered as normal (but could not determine any so far).

Another important point to mention regards to SNI support in web browsers. Currently only these browsers have built-in support for SNI:

  • Mozilla Firefox 2.0 or higher
  • Opera 8.0 or higher
  • Internet Explorer 7.0 or higher
  • Safari 3.0 or higher, but not on WinXP
  • Google Chrome, but not on WinXP
Уязвимости в OpenSSL, GnuTLS, Chrome, FFmpeg, GNU inetutils, Apache Geronimo и Apache Struts

Несколько недавно найденных уязвимостей: В корректирующих выпусках библиотеки с реализацией протоколов SSL/TLS - OpenSSL 0.9.8s и 1.0.0f устранено 6 уязвимостей, среди которых: … Читать далее…

This GnuTLS bug is worse than the big Apple “goto fail” bug patched last week.

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

[…] The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.

"It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification," an advisory issued by Red Hat warned. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”

Linux users beware – critical GnuTLS bug found

A new critical GnuTLS bug has been recently discovered and has quickly got patched after security specialists were made aware of the seriousness of the bug, which allowed malicious servers to hijack users of the GnuTLS cryptographic library. Nikos Mavrogiannopoulos, a Red Hat engineer, issued a patch last Saturday, a week after the bug was […]

via SecurEncrypt http://ift.tt/1kZeifL

Another serious GnuTLS exposes Linux clients to server attacks

Another serious GnuTLS exposes Linux clients to server attacks

Another serious GnuTLS exposes Linux clients to server attacks
Linux PCs running Ubuntu, Debian, and RedHat and an unknown number of applications are at risk again after researchers discovered a critical flaw in the GnuTLS secure communications library.
Read more on ZDNet

View On WordPress

Post @ 1337 Tech News

New Post has been published on http://www.1337technews.com/mobile-malware-gameover-cryptolocker-and-ssltls-holes-60-sec-security-video/

Mobile malware, Gameover, CryptoLocker, and SSL/TLS holes – 60 Sec Security [VIDEO]

How long has mobile malware been around? Is it really game over for Gameover and CryptoLocker? Which cryptographic security libraries need patching? It’ll only take a minute to find out…

New Post has been published on Dave "The IT Guy"

New Post has been published on http://www.dtig.net/gnutls-has-a-flaw-fix-already-available/

GnuTLS has a flaw - Fix already available

 For those of you who use GnuTLS, which is the open source SSL/TLS crypto library, this information is for you. A bug (CVE-2014-3466) was discovered by Joonas Kuorilehto of security firm Codenomiconthat proves that the method used to parse the session ID during a TLS handshake is at risk of being exploited for remote code execution.  Codenomicon is the same firm that discovered the Heartbleed vulnerability as well.

The Official Radware Blog wrote a great review and proof of the vulnerability as we as the GnuTLS  people having already issued a bug fix here. 

Уязвимости в Chrome, ClamAV, Asterisk, GnuTLS, libzip, InspIRCd, Quagga, Gnash и LibreOffice

Несколько недавно найденных уязвимостей: Компания Google представила корректирующий выпуск web-браузера Chrome 17.0.963.83, в котором устранено 9 уязвимостей, из которых 6 помечены … Читать далее…

Linux users beware – critical GnuTLS bug found

Linux users beware – critical GnuTLS bug found

A new critical GnuTLS bug has been recently discovered and has quickly got patched after security specialists were made aware of the seriousness of the bug, which allowed malicious servers to hijack users of the GnuTLS cryptographic library.

Nikos Mavrogiannopoulos, a Red Hat engineer, issued a patchlast Saturday, a week after the bug was reported by Joonas Kuorilehto, a Codenomicon researcher…

View On WordPress

Kaspersky Lab alerta para bug de validação de encriptação no GnuTLS

Kaspersky Lab alerta para bug de validação de encriptação no GnuTLS

A Kaspersky Lab revelou que na semana passada um bug afectou o GnuTLS, um software livre e de código aberto utilizado para implementar cifragem em várias distribuições do Linux e outras plataformas.

Para a Kaspersky Lab, este bug de validação de encriptação no GnuTLS significa que todos os produtos desktop e de servidor da Red Hat, assim como todas as instalações do Debian e Ubuntu (Linux) contêm…

View On WordPress