Wednesday, 29 December 2010

Using SSL with virtual hosts

SSL with virtual hosts

The first important thing to know is that SSL does not work well with name-based virtual hosts. If you host multiple domains on one server, you need a separate public IP address for every domain that should support SSL.

Reconfiguring non-SSL Virtual Hosts

As mentioned above, every SSL domain needs its own IP address. The first thing you need to change is your nameserver, so that it points each domain to its unique IP. Secondly, edit the existing VirtualHost entries of the respective domains so that they listen on the new IP addresses only.

Example: You are running example.com, example1.com and example2.com on your server with IP 1.2.3.4. The configuration so far looks like this.

<VirtualHost 1.2.3.4:80>
ServerName example.com

</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName example1.com

</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName example2.com

</VirtualHost>

All virtual hosts use the same IP address. Now you want example2.com to support SSL and you have obtained an additional IP, 1.2.3.10. You need to modify your nameserver to map example2.com to 1.2.3.10 and modify the existing configuration to

<VirtualHost 1.2.3.4:80>
ServerName example.com

</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName example1.com

</VirtualHost>

<VirtualHost 1.2.3.10:80>
ServerName example2.com

</VirtualHost>

Configuring SSL Virtual Hosts

For the new SSL websites, I created a new site configuration file in the Apache sites-available directory which holds the configuration for all SSL domains. I named it ssl-sites. Start the file by naming all IP addresses that should run an SSL-supported domain. In our example, this is only 1.2.3.10

# for example2.com (Apache does not allow a comment after a directive, so it goes on its own line)
NameVirtualHost 1.2.3.10:443

Then the virtual host definitions follow. You can just copy the virtual host definition for example2.com from your existing configuration and modify it to listen on port 443.

<VirtualHost 1.2.3.10:443>
ServerName example2.com

</VirtualHost>

Additionally, you need to add the SSL configuration, in particular the certificate and key files.

<VirtualHost 1.2.3.10:443>
ServerName example2.com
# SSL directives
SSLEngine On
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.pem
SSLCACertificateFile /etc/apache2/ssl/ca.pem
...
</VirtualHost>
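A check for the finished configuration, added here as an example that is not part of the original post: this Python script parses the VirtualHost blocks of a sites file (a constructed sample in the post's layout is embedded) and flags an SSL vhost that lacks its certificate directives or two SSL domains on one IP:443, which is exactly the situation the post says does not work. The parser is deliberately simple and only understands single-line directives.

```python
import re
from collections import defaultdict
# Constructed sample in the post's layout: two plain vhosts share 1.2.3.4, the SSL vhost has 1.2.3.10.
SAMPLE_CONFIG = """
NameVirtualHost 1.2.3.10:443
<VirtualHost 1.2.3.4:80>
ServerName example.com
</VirtualHost>
<VirtualHost 1.2.3.4:80>
ServerName example1.com
</VirtualHost>
<VirtualHost 1.2.3.10:443>
ServerName example2.com
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
REQUIRED_SSL = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")

def parse_vhosts(text):
    """Return (ip:port, ServerName, {directive: value}) per VirtualHost block."""
    vhosts = []
    for addr, body in VHOST_RE.findall(text):
        directives = {}
        for line in (raw.strip() for raw in body.splitlines()):
            if not line or line.startswith("#"):  # Apache comments are whole lines
                continue
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
        vhosts.append((addr.strip(), directives.get("ServerName", "?"), directives))
    return vhosts

def check_ssl_vhosts(text):
    """Flag an SSL vhost lacking its certificate directives, and one IP:443 shared
    by several ServerNames (without SNI only the first vhost's certificate is sent)."""
    problems, names_by_addr = [], defaultdict(list)
    for addr, name, directives in parse_vhosts(text):
        if not addr.endswith(":443"):
            continue  # plain HTTP vhosts may share an IP freely
        names_by_addr[addr].append(name)
        missing = [d for d in REQUIRED_SSL if d not in directives]
        if missing:
            problems.append(f"{name} on {addr}: missing {', '.join(missing)}")
    for addr, names in names_by_addr.items():
        if len(names) > 1:
            problems.append(f"{addr} shared by {', '.join(names)}: one IP per SSL domain")
    return problems
```

Run it over your real sites files before `a2ensite`; an empty result means every SSL domain has its own IP and its certificate directives.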

Enable the site

If you did it like I did, you only need to enable the new configuration file:

a2ensite ssl-sites
/etc/init.d/apache2 restart

Done! Now you can reach your domain via SSL.

Using .NET SmartCard with TrueCrypt

This post is about using the .NET SmartCard with TrueCrypt. You might want to read Installing and configuring a .NET Smartcard first.

Consideration

It is possible to use the SmartCard with TrueCrypt; however, it does not provide the level of security it could. This is because TrueCrypt is not able to use the certificates stored on the card. The strong security of the card is based on the fact that the private key belonging to the certificate cannot be read from the card and thus cannot be copied. TrueCrypt can only use security tokens (keyfiles), which can be stored on the card. Such a token can be read and copied by any application that is given the PIN of the card.
Anyway, using the security token is typically much safer than using a password.

Configuring the security device

Open TrueCrypt and go to Settings –> Security Tokens


Select the Gemalto PKCS#11 Library. Mine was located at
C:\Program Files (x86)\Gemalto\PKCS11 for .NET V2 smart cards\gtop11dotnet.dll

Set the checkmark for “Close token session (log out) after a volume is successfully mounted”.

Loading a token onto the card

Go to Settings –> Default Keyfiles


Press Generate Random Keyfile… and save the generated keyfile.


Press Add Token Files… and add the generated keyfile to the card via Import Keyfile To Token…


Make sure you securely delete the generated keyfile from your hard disk now!

Done! Now you can use the keyfile on the SmartCard for container creation and for mounting the volumes.

Using a .NET SmartCard in Thunderbird for S/MIME Mail

This post is about the usage of the .NET SmartCard in Thunderbird. You might want to read Installing and configuring a .NET Smartcard first.

Go to Tools –> Options


Press Security Devices –> Load


Browse for the PKCS#11 DLL file, which on my PC is located at
C:\Program Files (x86)\Gemalto\PKCS11 for .NET V2 smart cards\gtop11dotnet.dll


Go back to the options menu and press “View Certificates”. Thunderbird now asks you for the SmartCard PIN and then shows the certificates contained on your card.


That’s it! You can now use Thunderbird with S/MIME. When you write an email, just select Options –> “Digitally Sign This Message”.
Once the recipient has received your signed mail, they can reply with an encrypted mail.


Installing and configuring a .NET Smartcard

A SmartCard is very handy when it comes to security. It can
  • hold your S/MIME certificate for secure E-Mail communication
  • be used to sign in to your windows PC
  • hold security tokens for harddrive encryption
  • … much more

This post explains how to set up a Gemalto .NET SmartCard on your PC. You could use any SmartCard with PKCS#11 support, but this post covers the .NET card specifically.
Buy the equipment
The first thing you need is the SmartCard itself. I bought my “Gemalto .NET IM V2+” SmartCard at the CryptoShop for about 20€.
Additionally, you need a card reader. Any home-banking card reader will work just fine. If you don’t have one, just get one starting from 10€ on eBay or Amazon. I got the SCR 3310 for my home PC and the OmniKey 4040 for my laptop, both from eBay.
Install the Windows drivers
For applications to access the card and its content, you need to have the so-called PKCS#11 library installed. It’s a DLL that can be loaded into various applications like Firefox, Thunderbird, etc.
Download the .NET PKCS#11 Libraries for Windows OS from gemalto.com
Run the installer and walk through the wizard; there’s not much to select, and you should end up with this window.
The setup created a folder in your Program Files directory which contains the PKCS#11 library. For me, it was located in
C:\Program Files (x86)\Gemalto\PKCS11 for .NET V2 smart cards
and looked something like this:

Import certificates to the smartcard
The SmartCard you received from the store is empty. You need to load a certificate onto it. Open the browser-based Gemalto certificate manager with Firefox. The first time you do that, you need to install a Firefox add-on called SConnect. This is the interface to your SmartCard.
Restart Firefox
Insert your smartcard and enter the certificate manager again. When asked, allow the Gemalto website to access your smartcard. You should now see the following screen.
Press “Import P12 Cert” and select the certificate to import to the card. If you don't have a certificate yet, here's how to create one.
During import you’ll need the default PIN, which is 0000.
After the import is complete, you should change the PIN to something more secure.
Done! Your certificate is securely stored on the SmartCard. You should keep your certificate file on an external drive in a secure location. It’s just for backup purposes.

See my other posts to find out how to get a certificate and how to use the smartcard with your applications.

Saturday, 16 October 2010

Secure Surfing

When you're in a hotel using an unencrypted wireless network, this is pretty insecure. There are several VPN solutions to encrypt your traffic, such as Comodo WIFI Security or OpenVPN. However, one problem remains: as soon as you're connected to the network, several programs start sending data, mostly signing in. This might happen before you have connected your VPN tunnel.

There is a simple solution using the Windows 7 Firewall. Configure your WIFI or untrusted LAN connection as "Public". Set the default setting for public connections to "Whitelist" mode (block everything unknown). Define a rule which allows connecting to the VPN only. Define your VPN adapter as trusted. Additionally, you need to create a rule to allow any traffic from your VPN IP address. That's it! No surfing will be possible unless you're connected to your VPN tunnel.