Secure Buffalo Linkstation LS-WXL WebAccess with Let's Encrypt - lets-encrypt

Hi,
I have a Buffalo Linkstation LS-WXL and want to secure the WebAccess with an SSL certificate from Let's Encrypt.
I have already found the pre-installed openssl program in the directory /usr/local/ssl/bin and created a Let's Encrypt certificate with the help of openssl and https://gethttpsforfree.com, but here is my problem: I don't know how I should create the certificate files out of these three created blocks and my domain.key file. Further, I don't know where I should place these files on the NAS.
My WebAccess Settings:
WebAccess-Service -> enabled
HTTPS/SSL-encryption -> disabled
Use BuffaloNAS.com -> disabled
DNS-Hostname -> xxx.xxx.xx
Configure firewall (UPnP) automatically -> disabled
External port -> 9000
Internal port -> 9000
Exclusive session -> disabled
Session expiry time (in min.) -> unlimited
WebAccess-URL -> https://xxx.xxx.xx:9000
Can someone help me with my problem?
Linkstation LS-WXL
1.75

Smart card logon in Windows in domain FreeIPA

I created a domain with FreeIPA.
I connected Windows 10 to it. Logging in to Windows with a username and password is successful.
I created a profile in the FreeIPA settings to issue certificates for Smart Card Logon in Windows.
auth.instance_id=raCertAuth
classId=caEnrollImpl
desc=Enroll user certificates with smartcardlogon.
enable=true
enableBy=ipara
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.list=i1,i2
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=(UID|CN)=.*
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=FREEIPA.RED, DC=FREEIPA, DC=RED, E=$request.req_subject_name.cn$#FREEIPA.RED
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.12.default.name=IECUserRoles Extension Default
policyset.serverCertSet.12.default.params.userExtOID=1.2.840.10070.8.1
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.freeipa.red/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=true
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4,1.3.6.1.4.1.311.20.2.2,1.3.6.1.5.2.3.5
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.freeipa.red/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.13.constraint.name=No Constraint
policyset.serverCertSet.13.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.13.default.name=Subject Alt Name Constraint
policyset.serverCertSet.13.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.13.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.13.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$#FREEIPA.RED
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.13.default.params.subjAltExtType_1=OtherName
policyset.serverCertSet.13.default.params.subjAltExtPattern_1=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_subject_name.cn$#FREEIPA.RED
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.13.default.params.subjAltExtType_2=OtherName
policyset.serverCertSet.13.default.params.subjAltExtPattern_2=(UTF8String)1.3.6.1.5.2.2,$request.req_subject_name.cn$#FREEIPA.RED
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_2=true
policyset.serverCertSet.13.default.params.subjAltNameNumGNs=3
policyset.serverCertSet.14.constraint.class_id=noConstraintImpl
policyset.serverCertSet.14.constraint.name=No Constraint
policyset.serverCertSet.14.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.14.default.name=Copy Common Name to Subject Alternative Name
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12,13,14
profileId=SmartCardLogon
visible=false
I created a key and a certificate request via openssl:
openssl genrsa -out test.pem 2048              # 2048-bit RSA private key
openssl req -new -out test.req -key test.pem   # certificate signing request for that key
I issued a certificate to the user via FreeIPA.
I collected the key and certificate into a PFX container and imported this container onto a smart card.
Winlogon returns the error:
The remote procedure call failed
In the Windows System event log:
The security package Kerberos generated an exception. The exception information is the data.
Has anyone faced a similar problem?
Just to make clear: what you are trying to achieve is not supported by FreeIPA. You cannot join Windows systems to FreeIPA because FreeIPA itself is not an Active Directory. While simple things might appear to work (password-based logon, for example), the rest does not and will not work. FreeIPA is not designed to be an Active Directory domain controller. You can use Samba AD for that purpose.
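
The profile above lists MD5withRSA, MD2withRSA and several SHA-1 variants in signingAlgsAllowed and accepts 1024-bit RSA keys in keyParameters. Whatever the outcome of the Windows logon problem, a logon-certificate profile should not carry those allowances. The following Python is an added example, not FreeIPA or Dogtag code: it parses the key=value profile format shown above and reports weak signing algorithms, small RSA keys, a missing Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2) or client-auth EKU, and a missing UPN otherName SAN (1.3.6.1.4.1.311.20.2.3). The mapping of policy-set numbers to purposes (3 key, 7 EKU, 8 signing algorithm, 13 SAN) is taken from the posted profile and assumed fixed; the PROFILE_TEXT excerpt is constructed from those lines.

```python
"""Lint a Dogtag/FreeIPA certificate profile (key=value format as posted above)
for settings that weaken a smart card logon certificate.

Added example; not FreeIPA or Dogtag code. PROFILE_TEXT is a constructed
excerpt of the posted profile, not a complete profile."""

PROFILE_TEXT = """\
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4,1.3.6.1.4.1.311.20.2.2,1.3.6.1.5.2.3.5
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.13.default.params.subjAltExtType_1=OtherName
policyset.serverCertSet.13.default.params.subjAltExtPattern_1=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_subject_name.cn$#FREEIPA.RED
policyset.serverCertSet.13.default.params.subjAltNameNumGNs=3
"""

SMARTCARD_LOGON_EKU = "1.3.6.1.4.1.311.20.2.2"   # Microsoft Smart Card Logon
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"            # id-kp-clientAuth
UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"     # Microsoft User Principal Name
WEAK_SIGNING_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA", "SHA1withEC"}
MIN_RSA_BITS = 2048


def parse_profile(text):
    """Parse key=value lines; blanks and '#' comments are ignored, values may contain '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_profile(props, policyset="serverCertSet"):
    """Return a list of findings (strings); an empty list means nothing was flagged.
    Policy-set numbering (3 key, 7 EKU, 8 signing alg, 13 SAN) is assumed from the posted profile."""
    p = f"policyset.{policyset}."
    findings = []

    # 1. Signing algorithms: nothing MD2/MD5/SHA-1 based should be allowed.
    allowed = set(_split_list(props.get(p + "8.constraint.params.signingAlgsAllowed", "")))
    weak = sorted(allowed & WEAK_SIGNING_ALGS)
    if weak:
        findings.append(f"weak signing algorithms allowed: {', '.join(weak)}")

    # 2. Key sizes: RSA below 2048 bits.
    sizes = _split_list(props.get(p + "3.constraint.params.keyParameters", ""))
    small = [s for s in sizes if s.isdigit() and int(s) < MIN_RSA_BITS]
    if small:
        findings.append(f"RSA key sizes below {MIN_RSA_BITS} accepted: {', '.join(small)}")

    # 3. EKU: Windows smart card logon needs the Smart Card Logon EKU plus client auth.
    ekus = set(_split_list(props.get(p + "7.default.params.exKeyUsageOIDs", "")))
    for oid, name in ((SMARTCARD_LOGON_EKU, "Smart Card Logon"), (CLIENT_AUTH_EKU, "TLS client auth")):
        if oid not in ekus:
            findings.append(f"missing EKU {oid} ({name})")

    # 4. SAN: an otherName carrying the UPN OID must be present (the card is mapped to the account by UPN).
    n = int(props.get(p + "13.default.params.subjAltNameNumGNs", "0") or 0)
    has_upn = any(
        props.get(p + f"13.default.params.subjAltExtType_{i}") == "OtherName"
        and props.get(p + f"13.default.params.subjAltExtPattern_{i}", "").split(",")[0].endswith(UPN_OTHERNAME_OID)
        for i in range(n)
    )
    if not has_upn:
        findings.append(f"no OtherName SAN entry with UPN OID {UPN_OTHERNAME_OID}")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(parse_profile(PROFILE_TEXT)) or ["no findings"]:
        print(finding)
```

Run against the excerpt it reports two findings (the weak signing algorithms and the 1024-bit key size) and confirms that the EKU and UPN SAN settings are present; point it at the full exported profile to lint the real thing.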

javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]

I upgraded DataGrip to 2021.1.2, and now when I run any query I get this response:
javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]
How do I resolve this?
If you are trying to connect to Microsoft SQL Server, use the driver
Microsoft SQL Server (jTds)
Note: click on the driver option.
You need to do the following:
1:
Create a new file (anywhere) with the name custom.java.security
2:
Put the following content in the file:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
3:
Open DataGrip -> in your database panel -> select the database you want -> right click -> select Properties -> go to the Advanced tab
4: In the VM Options field write the following:
-Djava.security.properties=${PATH_TO_FILE}/custom.java.security
You need to replace ${PATH_TO_FILE} with the folder path of the file that you created in step 1.
Don't forget to use \\ instead of a single \ in the path if you use Windows.
5: Go to the File menu -> select Invalidate Caches... -> click Invalidate And Restart
Credit: https://youtrack.jetbrains.com/issue/DBE-13313
The other suggestions did not work for my IntelliJ.
What did the trick for me (while connecting to a MySQL Aurora db) was picking/downloading the "MySQL for 5.1" drivers instead of the default MySQL drivers that IntelliJ selected for me.
No need to create a file as in the accepted answer.
When the error appears, just open "Data Sources and Drivers":
The original text in "VM options":
"-Djdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves"
So just remove TLSv1, TLSv1.1, then apply and reconnect; it will work.
Try adding TLSv1.1,TLSv1.2,TLSv1.3 to the enabledTLSProtocols setting in the Advanced tab like this:
DataGrip Project Preferences
Updating the TLS Protocol on server side should be preferred though.
Find the java.security file on your computer and edit it with any text editor, for example Notepad++.
Find the text jdk.tls.disabledAlgorithms, remove the TLS 1.1 and TLS 1.2 protocols and save the file with the changes
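
Every workaround in this thread edits the same list, jdk.tls.disabledAlgorithms. The following Python is an added example, not JetBrains or JDK code: it parses a java.security-style file (honouring the backslash line continuations seen in the accepted answer), tells you whether a protocol is currently disabled, removes exactly one entry, and reports the delta so the change is reviewable. Re-enabling TLSv1 this way is a deliberate downgrade of the client; as one answer notes, upgrading the server's TLS support is the right fix. The property text below is constructed to match the value quoted in the thread.

```python
"""Inspect and minimally edit jdk.tls.disabledAlgorithms as it appears in a
java.security (or custom.java.security) file.

Added example for the thread above; not JetBrains or JDK code. The property
text is constructed to match the default-style value quoted in the answers."""

# Constructed sample with backslash line continuations, as in the accepted answer.
JAVA_SECURITY_TEXT = """\
# other properties omitted
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
jdk.certpath.disabledAlgorithms=MD2, MD5
"""


def read_properties(text):
    """Parse java.security-style properties, joining backslash-continued lines."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            # continuation: drop the backslash, keep accumulating
            pending += line[:-1].rstrip() + " "
            continue
        full = pending + line
        pending = ""
        key, sep, value = full.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_disabled(value):
    """Split the comma-separated constraint list into individual entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def protocol_disabled(entries, protocol):
    """True if the protocol name (e.g. 'TLSv1') is in the disabled list."""
    return protocol in entries


def enable_protocol(entries, protocol):
    """Return a new list with only `protocol` removed. Every other constraint
    (RC4, DES, weak DH/EC sizes, ...) is kept, unlike a blanket edit of the property."""
    return [e for e in entries if e != protocol]


def render(entries, key="jdk.tls.disabledAlgorithms"):
    """Render back to a single-line property, usable in a custom security
    properties file or as -Djdk.tls.disabledAlgorithms=... in VM options."""
    return f"{key}={', '.join(entries)}"


def diff_entries(before, after):
    """List exactly what was re-enabled, so the weakening can be reviewed."""
    return sorted(set(before) - set(after))


if __name__ == "__main__":
    props = read_properties(JAVA_SECURITY_TEXT)
    entries = parse_disabled(props["jdk.tls.disabledAlgorithms"])
    print("TLSv1 disabled by default:", protocol_disabled(entries, "TLSv1"))
    relaxed = enable_protocol(entries, "TLSv1")
    print("re-enabled:", diff_entries(entries, relaxed))
    print(render(relaxed))
```

The rendered line is what goes into custom.java.security or the VM options field; diff_entries is the line to paste into the change ticket, since it records that only TLSv1 was re-enabled and nothing else was loosened.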

Add certificate to certdata.txt and build firefox with them

I have to add some certificates to Firefox before building it, then test it with these certificates. I know that certificates are hardcoded into certdata.txt, in this location:
mozilla-source\mozilla-central\security\nss\lib\ckfw\builtins
I've tried to add certificates into certdata.txt using addbuiltin from nss-tools, but after building it I get errors.
The compiler shows these errors when reading certdata.txt:
0:49.23 c:/mozilla-source/mozilla-central/obj-x86_64-pc-mingw32/security/nss/lib/ckfw/builtins/builtins_nssckbi/certdata.c(20983,1): warning: missing terminating '"' character [-Winvalid-pp-token]
0:49.23 "\152\270\202\165\004\122\100\146\207\136\301\151\270\325\275\134
Actually it's pretty easy to do.
First you need NSS and NSPR, because the NSS that is built into the Mozilla installer does not have the addbuiltin tool that we need.
Download NSS for Windows
Download NSPR for Windows
Second step
Unpack both of these files.
Then copy the contents of the NSPR /lib folder to the NSS /bin folder.
Copy your certificate and certdata.txt to the NSS /bin folder.
Note: Your certificate should be in .der format!
Third step
Run the command below:
addbuiltin -n "My certificate name" -t "CT,C,C" < CAcert.der >> certdata.txt
My certificate name - The name of the certificate that will be added to certdata.txt.
CT,C,C - The trust attributes of the certificate.
CAcert.der - The certificate itself.
certdata.txt - The file containing the certificates.
But before copying certdata.txt back to the source code you have to do one more thing.
Open certdata.txt in Notepad++ and turn on hidden characters via Menu View → Show Symbol → Show All Characters. Then change \r\n to \n.
And you're done!
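
The last step of the answer (CRLF to LF) is the one that matters for the build: addbuiltin appends MULTILINE_OCTAL records whose lines are copied into a C string literal, and a stray carriage return at the end of such a line is the usual cause of the missing terminating '"' warning quoted in the question. The following Python is an added example, not NSS or Mozilla code: it normalizes line endings and sanity-checks the appended records (no carriage returns, every MULTILINE_OCTAL block closed by END, only \NNN escapes inside) before the file goes back into the tree. The certdata fragment is constructed, with shortened octal data, to show the shape of one record.

```python
"""Normalize a certdata.txt edited on Windows and sanity-check the records that
addbuiltin appended before handing the file to the Firefox build.

Added example for the answer above; not NSS or Mozilla code. CERTDATA_CRLF is a
constructed, shortened record in the certdata.txt format with Windows line endings."""

import re

CERTDATA_CRLF = (
    "#\r\n"
    "# Certificate \"My certificate name\"\r\n"
    "#\r\n"
    "CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\r\n"
    "CKA_TOKEN CK_BBOOL CK_TRUE\r\n"
    "CKA_LABEL UTF8 \"My certificate name\"\r\n"
    "CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\r\n"
    "CKA_SUBJECT MULTILINE_OCTAL\r\n"
    "\\060\\045\\061\\043\\060\\041\\006\\003\r\n"
    "END\r\n"
    "CKA_VALUE MULTILINE_OCTAL\r\n"
    "\\152\\270\\202\\165\\004\\122\\100\\146\r\n"
    "END\r\n"
)

# A data line inside a MULTILINE_OCTAL block: one or more \NNN octal escapes, nothing else.
OCTAL_LINE = re.compile(r"^(\\[0-7]{3})+$")


def normalize_newlines(text):
    """Convert CRLF (and bare CR) to LF. The CR would otherwise travel into the
    generated C string literal along with the octal escapes."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def check_certdata(text):
    """Return a list of problems found in certdata-format text: leftover CRs,
    MULTILINE_OCTAL blocks not closed by END, or non-octal lines inside a block."""
    problems = []
    if "\r" in text:
        problems.append("carriage return characters present")
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # trailing newline, not an empty record line
    in_octal = False
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r")  # structural checks run even before normalization
        if in_octal:
            if line == "END":
                in_octal = False
            elif not OCTAL_LINE.match(line):
                problems.append(f"line {lineno}: not an octal escape line: {line!r}")
        elif line.endswith(" MULTILINE_OCTAL"):
            in_octal = True
    if in_octal:
        problems.append("unterminated MULTILINE_OCTAL block")
    return problems


def count_certificates(text):
    """Number of certificate objects (CKA_CLASS ... CKO_CERTIFICATE) in the file."""
    return sum(1 for line in text.split("\n")
               if line.startswith("CKA_CLASS") and line.endswith("CKO_CERTIFICATE"))


if __name__ == "__main__":
    print("before:", check_certdata(CERTDATA_CRLF))
    fixed = normalize_newlines(CERTDATA_CRLF)
    print("after:", check_certdata(fixed), "certificates:", count_certificates(fixed))
```

Read the real certdata.txt in binary mode (open(path, "rb").read().decode("ascii")) so Python does not translate the line endings for you before the check runs, and write it back in binary mode for the same reason.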

macOS kext with invalid signature

We have a kext-enabled Developer ID which we are using for code signing and I have verified that the certificate contains the 1.2.840.113635.100.6.1.18 extension required. However, kextutil -tn still shows:
Untrusted kexts are not allowed
Kext with invalid signature (-67050) denied: /Library/StagedExtensions/Library/Extensions/A0587A5A-52FC-46DC-832E-81919195902C.kext
After signing, I re-extracted the signature using 'codesign -d --extract-certificates' to verify that the correct kext-enabled Developer ID certificate was indeed used during the signing process.
I have "Apple Worldwide Developer Relations Certification Authority" and "Developer ID Certification Authority" certs in both the login and System keychains.
Any suggestions on where to go from here? Thanks!
I've figured it out. It turns out macOS 10.13+ denies kexts by default -- even those signed with a valid kext-enabled Developer ID certificate (which we have). The solution is described in this tech note (and alluded to in the comments above):
https://developer.apple.com/library/archive/technotes/tn2459/_index.html
The first time an attempt is made to load the kext, macOS should present the user with a popup informing them that it was blocked. The user then needs to go to System Preferences > Security & Privacy in order to approve the kext. Note that the approval needs to happen within 30 minutes of the load attempt or it will disappear. Subsequent load attempts will be rejected silently but will reactivate the prompt within "Security & Privacy" -- giving the user another chance to approve the kext.
$ csrutil status
System Integrity Protection status: enabled.
$ sudo kextutil -v /Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext
Defaulting to kernel file '/System/Library/Kernels/kernel'
/Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext appears to be loadable (not including linkage for on-disk libraries).
Loading /Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext.
/Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext successfully loaded (or already loaded).
$ kextstat | grep xxxxxx
161 0 0xffffff7f83af6000 0x3c9000 0x3c9000 com.xxxxxx.driver.zzzz (1) 230E04D6-5C15-373F-8F73-E23566AE3C22 <22 15 5 4 3 1>

Wireless 802.1x : configure tls, peap and ttls out of the box with FreeRadius 3.0.8 on a Mac Yosemite

I'm looking for a quick, easy way to bring up my testbed. No need to worry about default settings because this is just for testing. I just need to get 802.1x working in 3 modes, PEAP, TTLS and TLS, on my MacBook Pro. My setup is quite simple: an AirPort 11ac and a Mac Mini on Yosemite 10.10.3 that I will use to install FreeRADIUS. The client is a MacBook Pro that I will authenticate against the network. Thanks.
Here is what I've got from:
http://wiki.freeradius.org/building/Build
and
kb.meraki.com/knowledge_base/freeradius-configure-freeradius-to-work-with-eap-tls-authentication
1) Install talloc and FreeRadius
curl -LO www.samba.org/ftp/talloc/talloc-2.1.0.tar.gz
tar zxvf talloc-2.1.0.tar.gz
cd talloc-2.1.0
./configure --without-gettext
make
sudo make install
cd ../
curl -LO ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.8.tar.gz
tar zxvf freeradius-server-3.0.8.tar.gz
cd freeradius-server-3.0.8
./configure --enable-developer
make
sudo make install
NOTE: while installing FreeRADIUS, notice that toward the end, bootstrap is being called. That's when your certificates are being generated.
2) Edit /usr/local/etc/raddb/users with:
user	Cleartext-Password := "whatever"
	Reply-Message := "whatever"
bob	Cleartext-Password := "hello"
	Reply-Message := "Hello, %{User-Name}"
3) Edit /usr/local/etc/raddb/mods-enabled/eap:
default_eap_type = md5 change to default_eap_type = tls
private_key_file = ${certdir}/server.pem change to server.key
4) Edit clients.conf with your Airport Extreme's ip
client ExtremeAnger {
	ipaddr = 192.168.5.1
	secret = wireless
}
5) Start FreeRadius on MacMini with
sudo /usr/local/sbin/radiusd -X
6) Copy ca.der and client.p12 to MacBookPro
7) Go to the MacBook Pro and install the Apple Configurator app from the App Store
8) Under 'Supervise' menu, click the plus + sign , create new profile
a. Fill out General tab with the name of the cert,
b. go to WiFi tab, enter ssid and security type (tls),
c. go to Identity Certificate and load the client.p12 file,
d. go to Certificates tab and load the ca.der file
e. go back to WiFi tab, Trust menu, check box the Example Certificate Authority that appears after you are done with step d.
9) Save and go back to the main menu of Apple Configurator, click the export arrow button and Save As a profile; you will get an abc.mobileconfig file
10) Double click on this profile on the MacBookPro and try to authenticate to your Airport Extreme's 802.1x network ssid.
11) Pray that it will work on the first try; if not, read the logs that come out on the screen of your Mac Mini's radiusd -X window
12) Create another profile for PEAP and TTLS from the Apple Configurator app.
Make sure you use the username bob and password hello as configured above (if you haven't figured it out yet, username 'user' and password 'whatever' are used for TLS mode)
Thanks for reading
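
Step 4 sets the RADIUS shared secret to wireless and step 2 stores cleartext passwords; both are fine for a throwaway testbed, but it is worth seeing what the secret actually does on the wire. The following Python is an added example, not FreeRADIUS code: it builds an RFC 2865 Access-Request for bob/hello as a PAP client would, hides the User-Password with the shared secret as RFC 2865 section 5.2 specifies, and then recovers it with the right and with a wrong secret. The same secret also protects the MS-MPPE key attributes that carry the WPA session keys back to the access point after a successful EAP exchange, so it should be long and random anywhere beyond a lab. The 16-byte Request Authenticator is fixed here for reproducibility; real clients use 16 random bytes.

```python
"""Build an RFC 2865 Access-Request for the PAP user bob/hello from the users
file above and show how the clients.conf shared secret hides the password.

Added example for the FreeRADIUS walkthrough above; not FreeRADIUS code. The
secret, credentials and NAS address are those from the posted config; the
Request Authenticator is a constructed constant so the run is reproducible."""

import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the server, or anyone holding the secret
    and a captured packet, computes. Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, authenticator, username, password, secret, nas_ip):
    """Assemble a complete Access-Request (Code 1): 20-byte header plus attributes."""
    attrs = (
        attribute(ATTR_USER_NAME, username)
        + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
        + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value} for the attributes following the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    secret = b"wireless"            # clients.conf secret from the walkthrough
    auth = bytes(range(16))         # constructed; a real client uses os.urandom(16)
    pkt = build_access_request(7, auth, b"bob", b"hello", secret, "192.168.5.1")
    hidden = parse_attributes(pkt)[ATTR_USER_PASSWORD]
    print("packet length:", len(pkt))
    print("with the right secret:", reveal_password(hidden, secret, auth))
    print("with a guessed secret:", reveal_password(hidden, b"wireles", auth))
```

Nothing in the exchange authenticates the client beyond knowledge of the secret, and the password hiding is a single MD5 keyed by that secret plus a value sent in the clear, which is why a dictionary-guessable secret like wireless exposes every PAP password on the link and, via the MPPE attributes, the WPA keys of every EAP session.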
