SSL – Linux Hint
https://linuxhint.com
Exploring and Master Linux Ecosystem
Mon, 01 Mar 2021 00:18:04 +0000

How to Setup Free SSL Certificate for Apache on Debian 10
https://linuxhint.com/setup_free_ssl_cert_apache_debian/
Tue, 31 Dec 2019 08:52:23 +0000

TLS and SSL protocols encrypt the traffic between a website (or other service) and a visitor or web browser, preventing sniffers or attackers from accessing the communication. Lately, Google has demanded that all webmasters use SSL, even for websites that exchange no sensitive information, turning this protocol into a must regardless of the security need.

This tutorial focuses on installing an SSL certificate on an Apache web server under Debian 10 Buster quickly and simply using Certbot. For users who need an encrypted web server but haven't installed or configured Apache yet, the first section shows how to install and configure Apache on Debian 10 Buster to host a website.

All steps described in this tutorial also apply to recent previous versions of Debian and to Debian-based Linux distributions. If you already have Apache, you can jump to How to Setup Free SSL Certificate for Apache on Debian 10 Buster.

Installing Apache on Debian 10 Buster

This step is only for users who haven't installed Apache yet; if you already have Apache installed, jump to the chapter “How to Setup Free SSL Certificate for Apache on Debian 10”.
If you do not have Apache installed, install it by executing:

# apt install apache2 -y

Once installed, the service starts automatically and you'll be able to access your web server from your browser at the address http://127.0.0.1 (localhost).

Apache supports multiple domains too, but for this setup we will only configure the domain linux.bz using Apache's default configuration file, /etc/apache2/sites-enabled/000-default.conf. Run:

# nano /etc/apache2/sites-enabled/000-default.conf

The uncommented lines below show a proper configuration adapted for linux.bz.

The file contains the opening tag (<VirtualHost *:80>), the server name, alias, contact information, root directory, log file locations and the closing tag (</VirtualHost>).

<VirtualHost *:80>
ServerName linux.bz
ServerAlias www.linux.bz
ServerAdmin contact@linux.bz
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

You can rename Apache's default index page by running the following in the document root (/var/www/html):

# mv index.html oldindex.html

Then create a new page for testing purposes:

# nano test.html

Put any content you want inside it.

Press CTRL+X to save and exit.

To allow access from outside the network, some home users will need to configure their routers to forward the necessary ports to their web servers. The following image shows only an example of a router configuration page for port forwarding; in your router you'll need to forward ports 80 and 443 to the local IP address of your Apache computer.

Finally, you will be able to access your website from outside your network.

How to Setup Free SSL Certificate for Apache on Debian 10 Buster

If you already have Apache, it's time to add SSL. For this purpose, this tutorial shows how to install an SSL certificate quickly and simply using Certbot, an automatic installer and configurer for Let's Encrypt SSL certificates.

To begin, install the Certbot packages by running:

# apt install certbot python-certbot-apache -y

Once the previous packages are installed, create the certificate and set up the redirection to HTTPS by running:

# certbot --apache

Fill in the requested information:

At some point it will offer to redirect traffic to HTTPS; press 2 to accept, then press ENTER to finish.

If the process succeeds you'll see the following screen:

Finally, you can test your website: press CTRL+F5 and it will now redirect through SSL.

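To renew the certificate run the command below. With the --dry-run flag Certbot only simulates the renewal, which confirms that renewal works without replacing the installed certificate; drop the flag to actually renew: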

# certbot renew --dry-run

Conclusion on the Certbot method to install an SSL certificate for Apache on Debian 10 Buster

Certbot makes installing SSL certificates extremely easy and fast, allowing any inexperienced user without Plesk or cPanel to share web content in a secure way for free. The whole process took minutes, including the Apache installation.

Other options to get free SSL certificates include SSL for Free (https://sslforfree.com), the short Comodo free SSL licences or ZeroSSL, which I haven't tried yet, but none of them is as fast and easy as this method.

I hope you found this brief article on How to Setup Free Certificate for Apache on Debian 10 useful, thank you for reading it.

TLS vs SSL
https://linuxhint.com/tls-vs-ssl/
Sat, 09 Dec 2017 03:00:38 +0000

TLS and SSL Explained

Introduction to Public Key Cryptography

Before we go into details, we should review some key concepts that are crucial to understanding the subject. Both Transport Layer Security (TLS) and Secure Socket Layer (SSL) take advantage of public (asymmetric) key cryptography for establishing a secure communication channel.

While conventional symmetric cryptography has been around since at least ancient Egypt, public key cryptography was discovered in the 1970s. It utilizes a pair of keys. If you encrypt something with one key, for all practical purposes, it can only be decrypted with the other. Discussing why this is the case would involve math that is well outside the scope of this article.

What is the Difference Between TLS and SSL?

Both TLS and SSL use public key cryptography to share a more conventional, symmetric key (choice of multiple cipher types is available) between two hosts. This process is called the handshake. The shared key is then used to encrypt the subsequent communication. So, what is the difference?

TLS 1.0 was introduced in 1999 as the successor to SSL 3.0. Some people think of it as SSL 4.0, and it is a very reasonable way to look at it. SSL is technically proprietary to Netscape and TLS is an Internet Engineering Task Force standard, hence the difference in name, which avoids potential legal issues. You can check this article for more details.

From a more technical perspective, TLS performs the handshake slightly differently from SSL. The connection starts as “insecure” and is then later “upgraded” with the STARTTLS command. The name of the command is somewhat misleading, as it can be used to start both TLS and SSL connections. Please see this for more details.

The idea behind it was to allow upgrading to secure communication via normally insecure application ports. This way an application only has to listen on one port instead of two. It turned out to be impractical as a lot of client applications would send user credentials in plain text before the server could even tell them: “plaintext is not supported”. The request would fail, of course, but the credentials would already be compromised.

Why is TLS more secure than SSL?

Computer security is an arms race. SSL 3.0 was declared obsolete in 2015 because it has unfixable security vulnerabilities. To be fair, TLS 1.0 is not much of an improvement, as the attacker can force the client application to downgrade to SSL 3.0 by interrupting the handshake. TLS 1.1+ addresses this particular issue.

The main reason why SSL 3.0 is simply not secure anymore is, largely, that it does not support ciphers strong enough to counter increases in the computational (and sometimes legal) power available to attackers. It is simply obsolete. On top of that, it does not use the ciphers it does support as well as it should. For example, it has no mechanism to check padding contents when using block ciphers, and the infamous POODLE attack (among others) exploits this.

What measures to take?

This thread gives a really good overview of the measures you can take. Let’s summarize them briefly here.

From the client perspective, it is relatively simple. All modern web browsers (such as Firefox 27+) support TLS 1.2, so making sure that your browser is up to date is a good start. In fact, most of them will warn you if the website uses outdated TLS, among other things. So, if you visit a website and your browser tells you that there is a problem with connection security, do take it seriously.

On the server end, you should consider displaying a warning to your customers if they are using an outdated security protocol. Assuming you are using Apache you can do something like this:

SSLOptions +StdEnvVars
RequestHeader set X-SSL-Protocol %{SSL_PROTOCOL}s
RequestHeader set X-SSL-Cipher %{SSL_CIPHER}s

Then, in the case of PHP for example, you can access those values using $_SERVER inside your code. If you detect an older TLS version you can say something along the lines of “Starting 30 June 2018 we will no longer be supporting TLS 1.0, as per PCI Security Standards Council mandate. Please upgrade your web browser”. By the way, the council was founded by the major credit card companies, and any eCommerce business that operates in the US needs to comply with its security standards.
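
As an added example (not code from the original article), the PHP side of the check described above could look like this. The function name tls_upgrade_warning and the sample arrays are hypothetical, and it assumes the Apache directives shown above are active.

```php
<?php
// Added example; names are hypothetical, not from the article.

// Order of the protocol labels mod_ssl reports in SSL_PROTOCOL.
const TLS_RANK = ['SSLv2' => 0, 'SSLv3' => 1, 'TLSv1' => 2,
                  'TLSv1.1' => 3, 'TLSv1.2' => 4, 'TLSv1.3' => 5];

/**
 * Return a warning for clients below $minimum, or null when none is needed.
 * $server is $_SERVER; the result is for display only, never for access control.
 */
function tls_upgrade_warning(array $server, string $minimum = 'TLSv1.1'): ?string
{
    // SSL_PROTOCOL comes from "SSLOptions +StdEnvVars"; HTTP_X_SSL_PROTOCOL is
    // the X-SSL-Protocol header written by "RequestHeader set".
    $protocol = trim((string) ($server['SSL_PROTOCOL']
        ?? $server['HTTP_X_SSL_PROTOCOL'] ?? ''));

    // Plain HTTP: the variable is absent, or the header carries "(null)".
    if ($protocol === '' || $protocol === '(null)') {
        return null;
    }
    // Unknown label (for example a future version): do not nag the user.
    if (!array_key_exists($protocol, TLS_RANK)
        || !array_key_exists($minimum, TLS_RANK)) {
        return null;
    }
    if (TLS_RANK[$protocol] >= TLS_RANK[$minimum]) {
        return null;
    }
    return sprintf(
        'Your browser connected with %s. Starting 30 June 2018 we will no longer '
        . 'be supporting TLS 1.0, as per PCI Security Standards Council mandate. '
        . 'Please upgrade your web browser.',
        htmlspecialchars($protocol, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed $_SERVER samples: old client, modern client, plain HTTP.
$samples = [
    ['SSL_PROTOCOL' => 'TLSv1'],
    ['HTTP_X_SSL_PROTOCOL' => 'TLSv1.2'],
    ['HTTP_X_SSL_PROTOCOL' => '(null)'],
];
foreach ($samples as $sample) {
    echo tls_upgrade_warning($sample) ?? 'no warning', PHP_EOL;
}
```

Only the first constructed sample produces the warning text. The header form is trustworthy only on virtual hosts where "RequestHeader set" overwrites whatever the client sent.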

It is worth mentioning that there are free third-party tools you can use to scan for SSL/TLS vulnerabilities and even generate configuration for your server. The Mozilla SSL Configuration Generator tool generates a TLS configuration appropriate for your server; all you need to do is make some choices.

The SSL Server Test by Qualys SSL Labs allows you to enter the hostname and click “Submit”. It will run a plethora of tests against your server and will inform you of vulnerabilities… if any.

Secure Internet Is Everyone’s Responsibility

Using adequate encryption for your digital communication has never been as important as it is today. Keep calm and use open source. Good luck.

Bibliography

History of Cryptography, Wikipedia
Public-key Cryptography, Wikipedia
SSL vs TLS vs STARTTLS, FastMail Help & Support
SamuelChristie, Explanation of How to Detect TLS 1.0 Connections And, by Way of Custom Headers, Warn the User about the Coming Change to More Modern TLS Versions
Transport Layer Security, Wikipedia

Draftsight 2017 SP1 Critical Hotfix released to address SSL Issue
https://linuxhint.com/install-draftsight-2017-linux/
Fri, 17 Mar 2017 16:25:18 +0000

DraftSight 2017 SP1 critical hotfix released. As we know, DraftSight is a professional 2D design and drafting software that lets you create, edit, view and mark up any kind of 2D drawing. It has a familiar user interface and a minimal learning curve that facilitates an easy transition from your current CAD application.

Critical Hotfix

It has come to the attention of the DraftSight team that, due to an expired certificate, Windows* 32 & 64-bit versions of DraftSight released from 2012 to 2017 will not launch and/or will stop running as of March 1, 2017. However, we are making available a critical hotfix to resolve this issue before that date.


Key Features

  • Ease of use accessing rendering tools (lighting tools, texture mapping, as well as custom material creation, etc.)
  • Ability to modify 3D primitives (parametric editing tools, free-form editing tools, symmetrical editing process, etc.)
  • Ease of use accessing basic drawing tools (line, circle, polygons, etc.)
  • Ease of use accessing basic editing tools (erase, trim, extend, undo, etc.)
  • Export to file (.jpg, .pdf, .png, as well as svg.)
  • Save as .jpeg, .pdf, .png, .sld, .svg, .tif, as well as .stl file formats
  • Support for Windows, Mac as well as Linux operating systems
  • Multi-language character set support including Unicode fonts
  • Support for multiple user interface customizations. Can store and recall interfaces as required by a specific user without closing the application as well as without the need for scripting knowledge.
  • Ability to create custom scripts to automate tasks, such as add standard layers or styles to a drawing, update the title block, or automate plotting tasks.

How to Install Draftsight 2017 SP1 3D Software on Ubuntu 17.04, Ubuntu 16.10, Ubuntu 16.04, Ubuntu 15.04, Ubuntu 14.04

sudo apt-get install gdebi

wget http://dl-ak.solidworks.com/nonsecure/draftsight/2017SP01/draftSight.deb

sudo gdebi draftSight.deb

How to remove Draftsight 2017 from Ubuntu

sudo apt-get remove draftsight