SSL and Security Quality


pir8radio

Recommended Posts

pir8radio

I found this site https://www.htbridge.com/websec/ and it does a pretty thorough web server security test. I was getting A+'s on regular SSL testing, and got an "F" on the above site lol... So I fixed all of the issues except for SSL pinning (which I don't want to fix at the moment).

I'm up to an A; @Swynol would be proud! :) I just like the challenge of these tests, thought I would share and see how others with a reverse proxy were doing. I know the hardware section is kind of a "show off your work" area.

Edited by pir8radio

shorty1483

I found this site https://www.htbridge.com/websec/ and it does a pretty thorough web server security test. I was getting A+'s on regular SSL testing, and got an "F" on the above site lol... So I fixed all of the issues except for SSL pinning (which I don't want to fix at the moment).

I'm up to an A; @Swynol would be proud! :) I just like the challenge of these tests, thought I would share and see how others with a reverse proxy were doing. I know the hardware section is kind of a "show off your work" area.

I stopped taking this test seriously when it told me that abandoning everything except TLS1.2 is a misconfiguration or weakness.


pir8radio

I stopped taking this test seriously when it told me that abandoning everything except TLS1.2 is a misconfiguration or weakness.

Lol, sorry, I actually meant to tag you in that post, shorty; I was trying to make you proud! Sorry, Swynol. Lol

Yes, I understand most of these testing sites seem to be pushing someone's agenda of the latest and greatest and only that...

Edited by pir8radio

Swynol

Oh god, I'm getting an F.

Are you testing your subdomains individually? i.e. did you get an A on your Emby server?

Edited by Swynol

Swynol

Damn you, now going to spend hours trying to get a better rating.....

STRICT-TRANSPORT-SECURITY - The header was not sent by the server.

PUBLIC-KEY-PINS - The header was not sent by the server.

X-FRAME-OPTIONS - The header value is not consistent with Content-Security-Policy.


Swynol

Adding these to all my location blocks:

add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;

and adding this to my http block:

server_tokens off;

and adding a default server listening block to redirect HTTP to HTTPS rather than having each of my services handling their own redirect raised me from an F to a B-

## Default listening ##
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    return 301 https://$host$request_uri;
}

Now need to look at HSTS; that should raise me to an A.

Edited by Swynol

Swynol

Up to a B+ on all my services now....

Haven't done HTTP pinning yet. Does anyone know, if I do pinning, when my cert changes after 90 days (Let's Encrypt) do I have to change the pinning?


shorty1483

Lol, sorry, I actually meant to tag you in that post, shorty; I was trying to make you proud! Sorry, Swynol. Lol

Yes, I understand most of these testing sites seem to be pushing someone's agenda of the latest and greatest and only that...

:D

You're right. As a basic guideline the tests are still pretty good.

BTW: "A+" ( @Swynol :P ) for my publicly available Nextcloud and router interface, an "A" for my usually LAN-internal Emby server.

Edit: Sometimes I think we are the only 3 security analysts here :D

Edited by shorty1483

shorty1483

Up to a B+ on all my services now....

Haven't done HTTP pinning yet. Does anyone know, if I do pinning, when my cert changes after 90 days (Let's Encrypt) do I have to change the pinning?

If you just renew the cert, the HTTP Public Key Pin remains the same. Additionally you need to define at least one secondary/backup pin. In my conf I used 3 hashes: first the ones for my two site certs (RSA and ECDSA) and as the third hash the intermediate from Let's Encrypt. The intermediate takes care of reaching the site if for some reason you forget to renew your site certs.

add_header Public-Key-Pins 'pin-sha256="HASH_ECDSA"; pin-sha256="HASH_RSA"; pin-sha256="HASH_INTERMEDIATE"; max-age=5184000; includeSubDomains';

To get an A+, it seems you need to set a very strict Content-Security-Policy. I did not try it, but in Emby I guess you need to specify all external sources like GitHub, Google Fonts etc. for the different content types to have it working.

Edited by shorty1483

Swynol

I get a strange issue with the X-Frame-Options header.

Any ideas on how I can improve this? This is my Emby config:

##EMBY Server##
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name emby.mydomain.com;

    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate      SSL/cert.pem;
    ssl_certificate_key  SSL/private.key;
    ssl_session_cache shared:SSL:10m;
    # never true here, since this server block only listens on 443 with ssl
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    location / {
        proxy_pass http://192.168.10.10:8096;

        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header 'Referrer-Policy' 'no-referrer';

        # Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # X-Frame-Options above says SAMEORIGIN; the equivalent CSP form is
        # frame-ancestors 'self', whereas this names a host explicitly
        add_header Content-Security-Policy "frame-ancestors emby.mydomain.com;";
    }
}

pir8radio

@Swynol you are doing exactly what I did last night... lol, learning about all of this crap I never even thought about.

I do not have 'always' on any of my headers. Not sure why yours is unhappy....


Swynol

If you just renew the cert, the HTTP Public Key Pin remains the same. Additionally you need to define at least one secondary/backup pin. In my conf I used 3 hashes: first the ones for my two site certs (RSA and ECDSA) and as the third hash the intermediate from Let's Encrypt. The intermediate takes care of reaching the site if for some reason you forget to renew your site certs.

add_header Public-Key-Pins 'pin-sha256="HASH_ECDSA"; pin-sha256="HASH_RSA"; pin-sha256="HASH_INTERMEDIATE"; max-age=5184000; includeSubDomains';

To get an A+, it seems you need to set a very strict Content-Security-Policy. I did not try it, but in Emby I guess you need to specify all external sources like GitHub, Google Fonts etc. for the different content types to have it working.

Sorry for being thick. I'm new to this stuff.

So I have my cert.pem, which contains my cert and CA. I created a hash from it, so this is my intermediate. How do I get the ECDSA and RSA hashes?


Swynol

@Swynol you are doing exactly what I did last night... lol, learning about all of this crap I never even thought about.

I do not have 'always' on any of my headers. Not sure why yours is unhappy....

Haha, yeah, I want that A grade...

Removed always and it made no difference.


CBers

Sometimes I think we are the only 3 security analysts here :D

'Cos you're the only ones that understand this sh1t :D


Swynol

I haven't got a clue. I'm just copying and pasting what pir8radio and shorty tell me haha.

It's interesting stuff. There must be a huge number of websites out there open to attack because they "overlook" these types of security.


pir8radio

'Cos you're the only ones that understand this sh1t :D

I haven't got a clue. I'm just copying and pasting what pir8radio and shorty tell me haha.

It's interesting stuff. There must be a huge number of websites out there open to attack because they "overlook" these types of security.

Uhh.... I read it on the internet so it has to be true...... lol, like I said I just like the challenge of these "tests". ^_^


pir8radio

And you are absolutely correct; run that test on big websites and you will find most of them fail as well... So, I don't know if that means the tests are BS or the internet is going to blow up.....


CBers

So I assume you are using nginx as a reverse proxy with SSL certs?

 

Then you have Emby and other services configured in nginx?


Swynol

So I assume you are using nginx as a reverse proxy with SSL certs?

Then you have Emby and other services configured in nginx?

Yeah, that's right; it can be done with nginx or Apache.


CBers

Yeah, that's right; it can be done with nginx or Apache.

I remember using XAMPP when I ran a NEWZNAB server, so it can't be that different :)


shorty1483

Sorry for being thick. I'm new to this stuff.

So I have my cert.pem, which contains my cert and CA. I created a hash from it, so this is my intermediate. How do I get the ECDSA and RSA hashes?

The certificate for your domain/subdomain is signed with a private key file. This one is an ECDSA or RSA key. When you use Let's Encrypt without your own cert request and ECDSA key, you have an RSA cert+key because that's the default in Let's Encrypt. Additionally you have a CA bundle from Let's Encrypt with the intermediate. My case is a special one because I generated the same cert two times with different key formats to offer maximum compatibility for devices, since ECDSA is faster than RSA in SW mode.

Now you generate the hash from your certificate:

# -pubkey prints the certificate's SubjectPublicKeyInfo; "pkey" (rather than "rsa") re-encodes it as DER for RSA and ECDSA keys alike
openssl x509 -in yourdomaincert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

After that you take the CA bundle with the intermediate and extract the hash also:

# x509 only reads the first certificate in the file, so the intermediate must come first in the bundle
openssl x509 -in ca_bundle.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Now take the two hashes and put them into the nginx command from the other post.

Good basic tut: https://gist.github.com/esurdam/ef72f1c47be7c074499cb920683bd307

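The SPKI pin computation from the openssl pipeline above, reimplemented as an added example (not code from the thread) together with the checks a browser applied to a Public-Key-Pins header, which is where the backup-pin rule in shorty's earlier post and the "does renewal break the pin" question come from. The SPKI byte strings are constructed stand-ins rather than real keys, and the RFC 7469 rules are my reading of the spec as stated in the comments. Note that major browsers have since removed support for the Public-Key-Pins header.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs, i.e. what
# `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der` emits.
SPKI_LEAF_RSA = b"constructed-spki:leaf-rsa-key"
SPKI_LEAF_ECDSA = b"constructed-spki:leaf-ecdsa-key"
SPKI_INTERMEDIATE = b"constructed-spki:lets-encrypt-intermediate"


def spki_pin(spki_der: bytes) -> str:
    """base64(SHA-256(SPKI)): the value that goes inside pin-sha256="..."."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(spkis, max_age=5184000) -> str:
    """Same shape as the add_header line in the thread, one pin per SPKI."""
    pins = ['pin-sha256="%s"' % spki_pin(s) for s in spkis]
    return "; ".join(pins + ["max-age=%d" % max_age, "includeSubDomains"])


def parse_pkp_header(value: str) -> dict:
    """Pull the pins and directives out of a Public-Key-Pins header value."""
    max_age = re.search(r"max-age=(\d+)", value)
    return {
        "pins": re.findall(r'pin-sha256="([^"]+)"', value),
        "max_age": int(max_age.group(1)) if max_age else None,
        "include_subdomains": "includesubdomains" in value.lower(),
    }


def ua_would_note_pins(value: str, chain_spkis) -> bool:
    """RFC 7469 section 2.5 (as assumed here): a browser only remembers the pins
    when the header carries a max-age, at least one pin matches an SPKI in the
    served chain, and at least one pin matches nothing in the chain (the backup
    pin). A header with a single pin therefore never takes effect."""
    info = parse_pkp_header(value)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    matched = [p for p in info["pins"] if p in chain_pins]
    backup = [p for p in info["pins"] if p not in chain_pins]
    return info["max_age"] is not None and bool(matched) and bool(backup)


def chain_passes_pins(noted_pins, chain_spkis) -> bool:
    """RFC 7469 section 2.6: a later connection passes pin validation if any
    remembered pin matches any SPKI in the chain presented on that connection,
    so a pinned intermediate keeps the site reachable after a leaf re-key."""
    return any(spki_pin(s) in set(noted_pins) for s in chain_spkis)
```

A leaf pin only stays constant across renewals when the renewal reuses the existing private key; with a fresh key, chain_passes_pins still succeeds for the thread's three-pin header because the intermediate pin matches.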

Swynol

Wow, thanks for the explanation, starting to make sense now.

Yeah, I have my cert hash and the ca_bundle hash. Wasn't sure how to get the ECDSA one. I do have a Let's Encrypt CSR.

EDIT: Out of interest, is there a way in nginx to set the headers in one place for all my blocks? So far I have to copy and paste a lot of duplicate stuff to each server block.

Edited by Swynol
