Wednesday 11 October 2017

IBM HTTP Server - Checking Personal Certificates

Whilst on the subject of IBM HTTP Server (IHS), as per an earlier post: -


I was "auditing" the SSL certificate that I'm using for IHS, specifically the signature algorithm.

So I have a single certificate in the key store: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
*- wlpn.uk.ibm.com


which I validated as follows: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw passw0rd -label wlpn.uk.ibm.com

Label : wlpn.uk.ibm.com
Key Size : 2048
Version : X509 V3
Serial : 7554efe3937a2315
Issuer : CN=wlpn.uk.ibm.com
Subject : CN=wlpn.uk.ibm.com
Not Before : 25 June 2017 15:02:51 GMT+01:00

Not After : 26 June 2018 15:02:51 GMT+01:00

Public Key
    30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
    01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01
    00 EA EC 62 79 EE 41 BA 7D CF F1 CD 6E 3E D9 5D
    3E C8 CD F0 3F 04 BA 0E CD EC EA 82 F9 49 74 E6
    9B D4 EB FE B1 8F D0 94 41 F6 33 56 4F 3C AE 3D
    A7 2D 4C 5D 97 19 2A 73 1E 46 11 60 3A 55 37 D1
    BA DD 59 CF 1B 6D 81 B7 F1 DC E5 AB 5B 72 6B A8
    6D D2 C8 8C DF 52 B2 46 90 99 10 93 3B 61 40 46
    94 BF 8B 4B 2E D6 E1 25 78 4E 2F C4 D2 B9 BB A6
    1B DE F2 19 6F 52 0B A7 9B 59 B7 46 65 47 B3 03
    BA B0 DF C7 DA 21 99 CF 4D 82 26 86 89 59 8A 76
    D8 80 21 77 87 95 87 F4 8A 6F C9 2E EF 5B 77 A9
    64 A5 6E 13 16 33 7C 76 7D AC D4 18 FD D7 7A 51
    67 B8 28 D7 32 B2 FA 29 AD 94 9A D6 CD 21 8A 06
    99 3F 38 7A 3E 67 13 6E C2 E9 3D 00 5D 91 74 10
    28 DB 47 56 61 32 BB F3 52 45 0D 0E 4D 30 24 E2
    E0 EC EB 77 13 B8 E5 0D 7D BF BF 1F B7 0A E6 EE
    33 63 C9 AD 3F 44 88 75 AD BC 4A CD 40 85 77 D8
    B7 02 03 01 00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 : 
    B8 2D BE 82 C8 B7 FF 72 96 10 65 6F 95 09 B4 01
    9B 88 09 C2
Fingerprint : MD5 : 
    65 43 24 27 76 17 2B 11 3B E1 03 FD E4 C8 AC 41
Fingerprint : SHA256 : 
    7F 07 93 14 FE 81 8E 7E 67 16 67 79 0C 68 E4 88
    DB B6 59 2D 62 2D 3B 2B 1B CF 34 EF F6 BD 8B D9
Extensions
    SubjectKeyIdentifier
      keyIdentifier:
    8F CD C5 00 09 45 B6 C5 71 6F B0 92 73 86 23 47
    38 3E A1 82
    AuthorityKeyIdentifier
      keyIdentifier:
    8F CD C5 00 09 45 B6 C5 71 6F B0 92 73 86 23 47
    38 3E A1 82
      authorityIdentifier:
      authorityCertSerialNumber:
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Value
    86 8C 52 F3 92 95 4C 8E C9 A3 E1 46 53 AE 3C 34
    86 FE A7 9D E7 C5 60 E5 C5 99 E5 05 BA FC 03 43
    ED 5D EA C5 15 57 73 73 4C DE 99 A6 A2 89 03 CA
    B4 8B 1C 5B B1 1C 7C 40 B3 EC 4E 18 2B 16 96 15
    9B C0 8E E6 10 FC A3 B6 5A 32 15 B0 B9 AA B4 D8
    C6 48 9E A8 79 24 82 9F 77 44 D4 99 F5 01 AE C2
    84 52 3C 93 32 4C CE 9D 75 7F 7D BD 60 D8 7F E7
    48 12 F2 2C EF 79 76 F6 ED 86 73 00 BE A0 95 B5
    A3 01 6D 0F DD 9A 2C 14 C7 1C B1 79 86 0C E8 71
    22 92 25 5A 8A F5 79 82 9F 05 5A 61 F2 3D 1D 7F
    F2 07 C6 07 A0 21 D4 74 16 F2 F1 96 A0 D6 8C F7
    8E A6 85 BF BC 1E 1C DA DC 09 91 BA 5B A4 00 04
    A9 5E 06 BB 46 78 10 EA 8D 13 5A BE 49 47 FD 7C
    E5 C5 5F 33 76 48 2A CA EB 57 93 2A 73 D8 D2 47
    B4 7A A6 35 5A D7 B6 C6 E5 99 F6 34 81 CD BA BE
    B2 CE C3 9C EF B6 88 62 B5 1C 48 4B 73 6B 48 B9
Trust Status : Enabled


Notice that this has a SHA1 signature algorithm ( SigAlg ), which is potentially less secure than SHA2: -



I also used OpenSSL to check / validate the SigAlg: -

openssl s_client -connect localhost:8443 </dev/null|openssl x509 -text -noout

depth=0 CN = wlpn.uk.ibm.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = wlpn.uk.ibm.com
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8454646161192133397 (0x7554efe3937a2315)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=wlpn.uk.ibm.com
        Validity
            Not Before: Jun 25 14:02:51 2017 GMT
            Not After : Jun 26 14:02:51 2018 GMT
        Subject: CN=wlpn.uk.ibm.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ea:ec:62:79:ee:41:ba:7d:cf:f1:cd:6e:3e:d9:
                    5d:3e:c8:cd:f0:3f:04:ba:0e:cd:ec:ea:82:f9:49:
                    74:e6:9b:d4:eb:fe:b1:8f:d0:94:41:f6:33:56:4f:
                    3c:ae:3d:a7:2d:4c:5d:97:19:2a:73:1e:46:11:60:
                    3a:55:37:d1:ba:dd:59:cf:1b:6d:81:b7:f1:dc:e5:
                    ab:5b:72:6b:a8:6d:d2:c8:8c:df:52:b2:46:90:99:
                    10:93:3b:61:40:46:94:bf:8b:4b:2e:d6:e1:25:78:
                    4e:2f:c4:d2:b9:bb:a6:1b:de:f2:19:6f:52:0b:a7:
                    9b:59:b7:46:65:47:b3:03:ba:b0:df:c7:da:21:99:
                    cf:4d:82:26:86:89:59:8a:76:d8:80:21:77:87:95:
                    87:f4:8a:6f:c9:2e:ef:5b:77:a9:64:a5:6e:13:16:
                    33:7c:76:7d:ac:d4:18:fd:d7:7a:51:67:b8:28:d7:
                    32:b2:fa:29:ad:94:9a:d6:cd:21:8a:06:99:3f:38:
                    7a:3e:67:13:6e:c2:e9:3d:00:5d:91:74:10:28:db:
                    47:56:61:32:bb:f3:52:45:0d:0e:4d:30:24:e2:e0:
                    ec:eb:77:13:b8:e5:0d:7d:bf:bf:1f:b7:0a:e6:ee:
                    33:63:c9:ad:3f:44:88:75:ad:bc:4a:cd:40:85:77:
                    d8:b7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                8F:CD:C5:00:09:45:B6:C5:71:6F:B0:92:73:86:23:47:38:3E:A1:82
            X509v3 Authority Key Identifier: 
                keyid:8F:CD:C5:00:09:45:B6:C5:71:6F:B0:92:73:86:23:47:38:3E:A1:82

    Signature Algorithm: sha1WithRSAEncryption
         86:8c:52:f3:92:95:4c:8e:c9:a3:e1:46:53:ae:3c:34:86:fe:
         a7:9d:e7:c5:60:e5:c5:99:e5:05:ba:fc:03:43:ed:5d:ea:c5:
         15:57:73:73:4c:de:99:a6:a2:89:03:ca:b4:8b:1c:5b:b1:1c:
         7c:40:b3:ec:4e:18:2b:16:96:15:9b:c0:8e:e6:10:fc:a3:b6:
         5a:32:15:b0:b9:aa:b4:d8:c6:48:9e:a8:79:24:82:9f:77:44:
         d4:99:f5:01:ae:c2:84:52:3c:93:32:4c:ce:9d:75:7f:7d:bd:
         60:d8:7f:e7:48:12:f2:2c:ef:79:76:f6:ed:86:73:00:be:a0:
         95:b5:a3:01:6d:0f:dd:9a:2c:14:c7:1c:b1:79:86:0c:e8:71:
         22:92:25:5a:8a:f5:79:82:9f:05:5a:61:f2:3d:1d:7f:f2:07:
         c6:07:a0:21:d4:74:16:f2:f1:96:a0:d6:8c:f7:8e:a6:85:bf:
         bc:1e:1c:da:dc:09:91:ba:5b:a4:00:04:a9:5e:06:bb:46:78:
         10:ea:8d:13:5a:be:49:47:fd:7c:e5:c5:5f:33:76:48:2a:ca:
         eb:57:93:2a:73:d8:d2:47:b4:7a:a6:35:5a:d7:b6:c6:e5:99:
         f6:34:81:cd:ba:be:b2:ce:c3:9c:ef:b6:88:62:b5:1c:48:4b:
         73:6b:48:b9

Therefore, I wanted to delete and re-issue the self-signed certificate, using a stronger SHA2 SigAlg.

This is what I did: -

Stop IHS

/opt/IBM/HTTPServer/bin/apachectl -k stop -f /opt/IBM/HTTPServer/APIC/conf/httpd.conf

Delete the Self-Signed Certificate

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -delete -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw passw0rd -label wlpn.uk.ibm.com

Create a new Self-Signed Certificate

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw passw0rd -sigalg SHA256WithRSA -size 2048 -dn cn=wlpn.uk.ibm.com -san_dnsname wlpn.uk.ibm.com -label wlpn.uk.ibm.com -default_cert yes

- Note that I also included the -san_dnsname parameter to set the Subject Alternate Name (SAN) field - this is to "reassure" Google Chrome that warns against certificates where this field is not set

Validate

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
*- wlpn.uk.ibm.com

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb -pw passw0rd -label wlpn.uk.ibm.com

Label : wlpn.uk.ibm.com
Key Size : 2048
Version : X509 V3
Serial : 7412b8d9509046ab
Issuer : CN=wlpn.uk.ibm.com
Subject : CN=wlpn.uk.ibm.com
Not Before : 10 October 2017 15:42:21 GMT+01:00

Not After : 11 October 2018 15:42:21 GMT+01:00

Public Key
    30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
    01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01
    00 E5 F9 C0 51 4E 56 A3 49 F3 25 29 6C AC 14 12
    F8 9E 6B 4C CE 1B 01 48 A8 63 A3 23 0C CB 4F 31
    8F 1A 57 A1 53 3B 74 1D DF E7 76 2D BA 5C C5 A5
    8D 8F BA C5 8E FC 92 82 89 EE 52 8B F4 B4 47 08
    EE B4 A3 13 3D 73 B8 6D 1E AC 42 A1 E0 DE DB 4C
    65 95 2A EE 9A A8 16 0B FA 49 09 54 28 79 04 7C
    F1 59 62 A3 FA 2B 22 C3 AE 9C 10 73 B6 32 56 27
    36 95 39 2E 9A 6E CD DF EE E2 B6 68 0B D5 D5 59
    BB A3 F4 40 74 22 AA 94 5F 1A 8B D5 15 76 DA 40
    6B C9 F1 13 3B CC B9 FE FA 96 47 C1 D9 BF 91 70
    FF D8 C4 8D 21 ED FC A1 CC 29 84 41 6A 2C 3B 5C
    DF 27 9E 31 84 8F 11 FD FB 81 64 18 8C 46 7E 77
    1A B0 5F 0A 71 B5 B0 7F 80 7D A7 A6 21 94 E5 00
    43 D1 49 1D 36 9F 08 04 4D 36 C0 AE A1 33 27 9D
    6A 3A 3E 20 E8 80 A6 DB 10 2D D5 51 9A FC 69 54
    EE 73 1A 99 17 3E C3 2B 59 CA 30 B5 D4 C4 02 5B
    19 02 03 01 00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 : 
    C1 DB 70 CF 32 11 96 30 1E 19 62 99 2E B5 C5 A7
    1C B3 6F 3B
Fingerprint : MD5 : 
    CA 9F 04 DA B7 D3 83 31 69 E0 6D 3F C0 6D B2 E8
Fingerprint : SHA256 : 
    75 0D 28 2D FF 87 C8 0B F5 4A 06 31 21 C7 FE 54
    1D 66 E5 26 6C 7B 4C 53 22 1E 98 D8 F8 92 AD 33
Extensions
    subjectAlternativeName
        dNSName: wlpn.uk.ibm.com
    SubjectKeyIdentifier
      keyIdentifier:
    ED 81 80 61 1F 56 F1 B5 97 F2 43 F3 2E 7E A0 CD
    7E 23 F6 92
    AuthorityKeyIdentifier
      keyIdentifier:
    ED 81 80 61 1F 56 F1 B5 97 F2 43 F3 2E 7E A0 CD
    7E 23 F6 92
      authorityIdentifier:
      authorityCertSerialNumber:
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)
Value
    9B D4 A5 AF DD 3E 29 5D C5 11 81 08 40 3D FF 4B
    1F 1E FA A7 E5 0F C2 9C 95 0A B2 5A F7 B8 29 4E
    3E 3C 85 12 61 3E BB 64 B7 2F 9C 10 AB D3 B6 0C
    B6 56 5C 33 FB 13 A0 CF 3E C3 07 FA 39 66 57 E1
    EE 19 1B 45 F8 DA FE C6 31 F7 57 E9 4B C4 04 69
    8C 9A DE AD CE 88 FF 3D C0 A3 0D 08 3E 21 65 70
    25 2F 68 ED 0D 72 D7 D8 3E 2A C3 D1 61 D7 B2 4C
    75 B4 B2 B1 8D 17 9B E1 D8 F9 C6 05 F3 0E 98 F4
    5A 7C 22 3E 14 C1 68 EE 07 55 DD FF 3F 8E A6 F4
    DE 20 AC B5 E4 59 36 C0 C8 5B 5D 0B A3 4C 5F 63
    5D DC 30 F6 42 30 24 A0 B2 96 A7 BB C8 EB 9D 59
    63 C6 2A 66 E3 B5 D0 56 89 B5 18 F5 8D 3E D9 D1
    1E ED 1A 6E E7 BC C7 71 52 4A 92 C6 A1 64 14 D1
    72 59 F9 9F F2 7F CE 86 03 AF EC 28 74 DC CB D9
    F0 D8 4A 06 13 BC 02 F7 05 7C F2 EF B1 B0 6E 87
    A5 21 7C 7C 75 89 A3 03 CC C5 89 C8 1D C6 76 15
Trust Status : Enabled

Start IHS

/opt/IBM/HTTPServer/bin/apachectl -k start -f /opt/IBM/HTTPServer/APIC/conf/httpd.conf

Validate using OpenSSL

openssl s_client -connect localhost:8443 </dev/null|openssl x509 -text -noout

depth=0 CN = wlpn.uk.ibm.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = wlpn.uk.ibm.com
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8363950701479478955 (0x7412b8d9509046ab)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=wlpn.uk.ibm.com
        Validity
            Not Before: Oct 10 14:42:21 2017 GMT
            Not After : Oct 11 14:42:21 2018 GMT
        Subject: CN=wlpn.uk.ibm.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e5:f9:c0:51:4e:56:a3:49:f3:25:29:6c:ac:14:
                    12:f8:9e:6b:4c:ce:1b:01:48:a8:63:a3:23:0c:cb:
                    4f:31:8f:1a:57:a1:53:3b:74:1d:df:e7:76:2d:ba:
                    5c:c5:a5:8d:8f:ba:c5:8e:fc:92:82:89:ee:52:8b:
                    f4:b4:47:08:ee:b4:a3:13:3d:73:b8:6d:1e:ac:42:
                    a1:e0:de:db:4c:65:95:2a:ee:9a:a8:16:0b:fa:49:
                    09:54:28:79:04:7c:f1:59:62:a3:fa:2b:22:c3:ae:
                    9c:10:73:b6:32:56:27:36:95:39:2e:9a:6e:cd:df:
                    ee:e2:b6:68:0b:d5:d5:59:bb:a3:f4:40:74:22:aa:
                    94:5f:1a:8b:d5:15:76:da:40:6b:c9:f1:13:3b:cc:
                    b9:fe:fa:96:47:c1:d9:bf:91:70:ff:d8:c4:8d:21:
                    ed:fc:a1:cc:29:84:41:6a:2c:3b:5c:df:27:9e:31:
                    84:8f:11:fd:fb:81:64:18:8c:46:7e:77:1a:b0:5f:
                    0a:71:b5:b0:7f:80:7d:a7:a6:21:94:e5:00:43:d1:
                    49:1d:36:9f:08:04:4d:36:c0:ae:a1:33:27:9d:6a:
                    3a:3e:20:e8:80:a6:db:10:2d:d5:51:9a:fc:69:54:
                    ee:73:1a:99:17:3e:c3:2b:59:ca:30:b5:d4:c4:02:
                    5b:19
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:wlpn.uk.ibm.com

            X509v3 Subject Key Identifier: 
                ED:81:80:61:1F:56:F1:B5:97:F2:43:F3:2E:7E:A0:CD:7E:23:F6:92
            X509v3 Authority Key Identifier: 
                keyid:ED:81:80:61:1F:56:F1:B5:97:F2:43:F3:2E:7E:A0:CD:7E:23:F6:92

    Signature Algorithm: sha256WithRSAEncryption
         9b:d4:a5:af:dd:3e:29:5d:c5:11:81:08:40:3d:ff:4b:1f:1e:
         fa:a7:e5:0f:c2:9c:95:0a:b2:5a:f7:b8:29:4e:3e:3c:85:12:
         61:3e:bb:64:b7:2f:9c:10:ab:d3:b6:0c:b6:56:5c:33:fb:13:
         a0:cf:3e:c3:07:fa:39:66:57:e1:ee:19:1b:45:f8:da:fe:c6:
         31:f7:57:e9:4b:c4:04:69:8c:9a:de:ad:ce:88:ff:3d:c0:a3:
         0d:08:3e:21:65:70:25:2f:68:ed:0d:72:d7:d8:3e:2a:c3:d1:
         61:d7:b2:4c:75:b4:b2:b1:8d:17:9b:e1:d8:f9:c6:05:f3:0e:
         98:f4:5a:7c:22:3e:14:c1:68:ee:07:55:dd:ff:3f:8e:a6:f4:
         de:20:ac:b5:e4:59:36:c0:c8:5b:5d:0b:a3:4c:5f:63:5d:dc:
         30:f6:42:30:24:a0:b2:96:a7:bb:c8:eb:9d:59:63:c6:2a:66:
         e3:b5:d0:56:89:b5:18:f5:8d:3e:d9:d1:1e:ed:1a:6e:e7:bc:
         c7:71:52:4a:92:c6:a1:64:14:d1:72:59:f9:9f:f2:7f:ce:86:
         03:af:ec:28:74:dc:cb:d9:f0:d8:4a:06:13:bc:02:f7:05:7c:
         f2:ef:b1:b0:6e:87:a5:21:7c:7c:75:89:a3:03:cc:c5:89:c8:
         1d:c6:76:15

Of course, this won't satisfy some of our more fussy browsers/extensions - SSLSleuth in Firefox only gives us 5.3 out of 10: -


One can mitigate this by reducing the number of ciphers presented by IHS, and restricting it to use ciphers that offer Perfect Forward Secrecy (PFS), as follows: -

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 8443
<VirtualHost *:8443>
   SSLProtocolEnable TLSv12
   SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
   SSLCipherSpec ALL NONE
   SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

   SSLEnable
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb
SSLCacheErrorLog /opt/IBM/HTTPServer/APIC/logs/sidd_log
SSLCachePortFilename /opt/IBM/HTTPServer/APIC/logs/siddport
ScriptSock APIC/logs/cgisock
SSLDisable


After a restart, SSLSleuth now gives us a reasonable 9 out of 10: -


and Google Chrome is moderately happy: -


It's major objection, hence the This page is not secure (broken HTTPS) message, is that we're using a self-signed certificate :-(

Final thought - I've mentioned this before, but will mention it again - one can dump out the IHS SSL configuration, and get an summary of what we have: -

/opt/IBM/HTTPServer/bin/apachectl -DDUMP_SSL_CONFIG -f /opt/IBM/HTTPServer/APIC/conf/httpd.conf

SSL configuration:
Default server
Server name: wlpn.uk.ibm.com:0
SSL enabled: NO

SSL server defined at: /opt/IBM/HTTPServer/APIC/conf/httpd.conf:147
Server name: wlpn.uk.ibm.com:8443
SSL enabled: YES
FIPS enabled: 0
Keyfile: /opt/IBM/HTTPServer/APIC/ssl/keystore.kdb
Protocols enabled: TLSv12
Ciphers for SSLV2: (protocol disabled)
Ciphers for SSLV3: (protocol disabled)
Ciphers for TLSv10: (protocol disabled)
Ciphers for TLSv11: (protocol disabled)
Ciphers for TLSv12: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(C02F),TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(C030)

Syntax OK

Job done!


No comments:

Visual Studio Code - Wow 🙀

Why did I not know that I can merely hit [cmd] [p]  to bring up a search box allowing me to search my project e.g. a repo cloned from GitHub...