What Certificate Authority Software is Available? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
I am running a number of SSL-encrypted websites, and need to generate certificates to run on these. They are all internal applications, so I don't need to purchase a certificate, I can create my own.
I have found it quite tedious to do everything using openssl all the time, and figure this is the kind of thing that has probably been done before and software exists for it.
My preference is for Linux-based systems, and I would prefer a command-line system rather than a GUI.
Does anyone have some suggestions?

An option that doesn't require your own CA is to get certificates from CAcert (they're free).
I find it convenient to add the two CAcert root certificates to my client machines, then I can manage all the SSL certificates through CAcert.

I know you said you prefer the command line, but for others who are interested in this, TinyCA is a very easy to use GUI CA software. I have used this both in Linux, and also in OSX.

It's likely that self-signing will give you what you need; here is a page (link resurrected by web.archive.org) that provides a decent guide to self-signing if you would like to know the ins and outs of how it's done and how to create your own script.
The original script link from this response is unfortunately dead and I was unable to find an archive of it, but there are many alternatives for pre-rolled shell scripts out there.
If you're looking for something to support fairly full-featured self-signing, then this guide for 802.1x authentication from tldp.org recommends using the helper scripts for self-signing from FreeRADIUS. Or, if you just need quick-and-dirty, then Ron Bieber offers up his "brain-dead script" for self-signing on his blog at bieberlabs.com.
Of course there are many alternative scripts out there but this seems to give a good range of choices, and with a little additional info from the guide you should be able to tailor these to do whatever you need.
It's also worth checking the SSL Certificates HOWTO. It's quite old now (last updated 2002) but its content is still relevant: it explains how to use the CA Perl / Bash script provided with OpenSSL software.

The XCA software appears reasonably well maintained (copyright 2012, uses Qt4), with a well-documented and simple enough user interface, and has packages on Debian, Ubuntu and Fedora.
Don't judge the website at first sight:
http://xca.sourceforge.net/
Rather, check this nice walkthrough to add a new CA:
http://xca.sourceforge.net/xca-14.html#ss14.1
You can see a screenshot of the application there: http://sourceforge.net/projects/xca/
It is GUI-based though, not command-line.

There's a simple webpage solution: https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/entry/a_pki_in_a_web_page10

I like to use the easy-rsa scripts provided with OpenVPN. This is a collection of command line tools used to create the PKI environment required for OpenVPN.
But with a slight change of the (also provided) openssl.cnf file you can create pretty much anything you want with it.
I use that for self-signing SSL server certificates as well as with Bacula backup and for creating private keys/CSRs for "real" certificates.
Just download the OpenVPN community edition source tarball and copy the easy-rsa folder to your Linux machine. You'll find lots of documentation on the OpenVPN community pages.
I used to use CAcert; it's also nice, but you have to create the CSR yourself, so you have to use openssl again, and the certs are only valid for half a year. This is annoying.

I created a wrapper script, written in Bash, for OpenSSL that might be useful to you here. To me, the easiest sources of user error when using OpenSSL were:
Keeping a consistent and logical naming scheme for configuration/certs/keys so that I can see how every artifact fits into the entire PKI by just looking at the file name/extension
Enforcing a folder structure that's consistent across all CA machines that use the script.
Specifying too many configuration options via CLI and losing track of some of the details.
The strategy is to push all configuration into their own files, saving only execution of a particular action for the CLI. The script also strongly enforces the use of a particular naming scheme for folders/files here which is helpful when looking at any single file.
Use/Fork/PR away! Hope it helps.

Related

Security-related question regarding private key in repo for localhost

Secure sockets use a CN check against certs in a trust collection with the domain accepting or connecting. For myself I created a private and public set for localhost and that helps me debug locally. If I wanted to offer an SDK, would it be considered secure to distribute a .key and .cer X509 for this localhost debugging use-case? Or is it always not considered secure to have a .key in any open space at all, because of its potential misuse?
Sorry if this is discussed in other places but I cannot find out a clear answer on it.
This might be somewhat opinionated and also depends on your project somewhat, but I think the main risk is how people will actually use those. Some of them will use it for production for sure, because it is easier, or they don't understand keypairs and just want it to work and so on.
Any project should be secure by default, for everybody involved, including end users and developers as well if your project is something like a library or component. Secure by default in this case would mean not providing an actual keypair, because that would potentially be a backdoor in case of at least some of its uses - even though it was not meant to be used like that.
Another thing to consider is the reputation of your project. If you include a key and users misuse it on the internet, it will be easy to find and potentially exploit vulnerable instances of your project with tools like Shodan. Nobody will care the developers did it wrong - it will be your project that's found vulnerable.
A better way to consider would be to provide something like an init script that would generate a key and a certificate for that specific instance. It could still be easy for the user and developer, and also secure for everybody. In case of a linux package, this could even be done by the installer script with most packaging solutions so it would be fully transparent for the user.
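As an added example (not code from any answer above, nor from any of the tools they mention), here is a minimal file-based CA driven by the openssl CLI, in the spirit of the wrapper scripts discussed in the first question; calling `ca_issue` once per instance is also the "init script" pattern the answer above suggests instead of shipping a key. The directory layout, the function names and the config/extension file formats are assumptions.

```shell
#!/bin/sh
# Added example, not code from any answer above: a minimal file-based CA
# driven by the openssl CLI, in the spirit of the wrapper scripts discussed.
# Layout is an assumption: $CA/ca.key, $CA/ca.crt, $CA/issued/<name>.{key,csr,ext,crt}
set -eu

# Create the CA: a tiny req config (so nothing depends on the system
# openssl.cnf), a 0600 private key and a self-signed cert marked CA:TRUE.
ca_init() {
  ca=$1; cn=$2
  mkdir -p "$ca/issued"
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$ca/req.cnf"
  umask 077
  openssl req -config "$ca/req.cnf" -new -x509 -newkey rsa:2048 -nodes \
    -keyout "$ca/ca.key" -out "$ca/ca.crt" -days 3650 -subj "/CN=$cn" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
  umask 022
  chmod 644 "$ca/ca.crt"
}

# Issue a server cert for one host; calling this once per instance is the
# "init script" pattern from the localhost-key answer. SANs are given as
# "DNS:host,IP:10.0.0.1". Extensions go in a per-cert .ext file rather than on
# the command line, so the files on disk record how each cert was produced.
ca_issue() {
  ca=$1; name=$2; sans=$3; out="$ca/issued/$name"
  umask 077
  openssl req -config "$ca/req.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$out.key" -out "$out.csr" -subj "/CN=$name" 2>/dev/null
  umask 022
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$out.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$sans" >> "$out.ext"
  openssl x509 -req -in "$out.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
    -CAcreateserial -days 825 -extfile "$out.ext" -out "$out.crt" 2>/dev/null
}

# Verify that a leaf chains to the CA and that the hostname appears in its
# SANs; modern clients ignore the CN, so a cert issued without SANs fails here.
ca_verify() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" \
    "$1/issued/$2.crt" >/dev/null 2>&1
}

# Usage: sh ca.sh demo   (creates ./demo-ca with one issued cert)
if [ "${1:-}" = "demo" ]; then
  ca_init ./demo-ca "Example Internal CA"
  ca_issue ./demo-ca intranet.example.test "DNS:intranet.example.test"
  ca_verify ./demo-ca intranet.example.test intranet.example.test && echo verified
fi
```

Clients still need `ca.crt` imported as a trusted root; only the leaf key and cert go to the server, and the CA key never leaves the CA directory.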

Different approaches for accessing OpenSSL from Node.js

I am looking for a way to integrate OpenSSL and Node.js for a while now.
My goals are:
I want to be platform independent, hence a solution should work on OS X, Linux and Windows.
I want to avoid unnecessary disk operations. E.g., a private key might not be in a file, but in a database (may be a stupid example, but let's consider this to be a valid requirement).
I want to support creating keys, csrs, signing csrs, creating ca certs, ... all the certificate stuff, from end to end.
Now the options I have considered are:
Use the OpenSSL library which is integrated within Node.js. Unfortunately, the crypto module does not provide the certificate things.
Use the OpenSSL library using an external module. Unfortunately, I don't know how to do this, probably due to missing knowledge in C/C++.
Use the OpenSSL binary as a child process. Given that OpenSSL is available, this should work on all platforms. It's not nice, but it works.
Question #1: As I have written, I do not have the slightest idea on how to access the OpenSSL library directly that comes bundled with Node.js. How would I approach this?
At the moment, I stick with using the binary as a child process. Unfortunately, this requires that all the things such as private keys and so on are either given as files (which I explicitly want to avoid), or that I hand over everything using /dev/stdin (which does not work on Windows).
Question #2: How could I deal with this? Would a solution to #1 solve this issue, too?
The answer to question #1 is that you cannot. Without bindings, you can only access the functions exposed by nodejs.
Unfortunately there doesn't seem to be a way to work around /dev/stdin in Windows. Named pipes would be an option but nodejs does not support them. You may be able to have nodejs launch openssl.exe in interactive mode and send commands through stdin, and read the output through stdout, but this seems very inefficient.
So the answer to question #2 is that you cannot deal with the Windows problem.
Writing your own binding seems to be the only option. It's actually not so difficult - something I'm sure you could get collaborators to help with.

Open Source and how it works for secure projects? [closed]

I've always wanted to make some of our company's products open-source, but we have a lot of things in our source code that would make us vulnerable. How is this handled in most open source projects? For example, we use some custom web services to do actions to our database (add accounts, delete accounts, etc.). The source code would have to contain the key (password) we use to use the web service. If someone wanted, they could grab the source, get the key to use our web service, and wreak havoc on our database.
Are these just projects that should not be open source? Or is it common to just put the sensitive stuff in a file or something and not include that part? (Although doing this would make the source kinda useless for the public since it would lose its functionality.)
Any links or resources on open-source projects and how this kinda stuff should be handled would be nice.
Thanks
Passwords and sensitive data are best not included in the source file. If you look at the design of open-source software like PHPMyAdmin, a config file is provided to add in that information, and it is usually stored in the root folder of the webhost (or anywhere outside the www folder).
So the idea is that if your website uses some info to link to a service, you should hide it away in a file as well and ask your user to provide the password and to create their own account.
Would it not be possible to put your sensitive data into a configuration file? This will also allow other users to easily add their own sensitive information etc.
You should not include the sensitive data into the public, so one option could be to make a public API for the services, and then the users would need to create an account to get an API key for the data.
I don't think this should stop you from open-sourcing the products, but I think you need to rethink the way the data is handled through a public API.
If you're hardcoding a database password in your code, you're doing it wrong. As others have pointed out, you should store that in a separate and protected configuration file.
If you distribute your code, be it the source or just a binary, that password is out there and can be recovered by anyone that cares to do so. Hardcoded passwords in binaries are often a trivial matter for a hacker to recover.
Though program code is open-source, your sensitive data is not. Never "provide" your data to others.
Normally, one-way hashing verification can already be used as basic encryption.
If extra security is needed, use an extra measure, like public & private keys & pre-shared passwords.
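As an added example (not code from the question or any answer above), two small shell checks that back the "config file, not source" advice the answers give: a scan that flags credential-looking string assignments in source files, and a loader that reads a KEY=VALUE config kept outside the web root and refuses it when other local users can read it. The regex, the config format and the `CFG_` variable prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the question or answers above: two checks that
# back the "config file, not source" advice. The regex and the KEY=VALUE
# config format are assumptions for illustration.
set -eu

# Find credential-looking string assignments in source files, i.e. the kind of
# web-service key the question describes. Prints file:line:text per hit.
scan_for_secrets() {
  pat="(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{4,}"
  grep -nEi "$pat" "$@" || true
}

# Number of hits, for a pre-commit hook: a non-zero count blocks the commit.
secret_count() {
  scan_for_secrets "$@" | wc -l | tr -d ' '
}

# Load KEY=VALUE settings from a file kept outside the web root into CFG_KEY
# variables. Refuses files readable by group/others: a key every local account
# can read is only slightly better than one in the repository. Never `source`
# the file; that would execute whatever it contains.
load_config() {
  cfg=$1
  [ -f "$cfg" ] || { echo "config $cfg missing" >&2; return 1; }
  case $(ls -l "$cfg") in
    -r??------*) ;;   # owner-only permissions (0600 or 0400)
    *) echo "refusing $cfg: readable by group/others" >&2; return 1 ;;
  esac
  while IFS='=' read -r key value; do
    case $key in ''|'#'*) continue ;; esac                    # blank or comment
    case $key in *[!A-Za-z0-9_]*) echo "bad key: $key" >&2; return 1 ;; esac
    eval "CFG_$key=\$value"   # key validated above; value is assigned, not evaluated
  done < "$cfg"
}

# Usage: sh check.sh demo   (runs against constructed sample files, not real creds)
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  printf 'conn = connect("db", password="sample-only-1234")\n' > "$d/app.py"
  printf 'DB_PASSWORD=sample-only-1234\n# comment\nAPI_KEY=sample-key\n' > "$d/app.cfg"
  chmod 600 "$d/app.cfg"
  echo "hardcoded secrets found: $(secret_count "$d/app.py")"
  load_config "$d/app.cfg" && echo "loaded key for user config: ${CFG_API_KEY}"
fi
```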

Subversion web interface [closed]

Closed 6 years ago.
I have recently installed Subversion onto a Linux server (CentOS) and everything works great.
I am wondering if there are any web interfaces available for managing the repositories i.e. create / delete repositories, manage users and permissions, view revision history, etc.
The idea is that I can do everything via a web interface instead of using SSH.
Incidentally I have Plesk/virtuozzo on this server (and Webmin on another test server) so if there is something that can integrate directly to these then even better!
The Subversion people have a links list which references a ton of material related to Subversion including management and different web interfaces.
I haven't used it, but Submin might be what you're looking for.
If you're looking for simple repository browsing mod_dav_svn is minimal and works.
Trac was already suggested, but that has more bug-tracking-wiki-project-management features, but very little administration of SVN out of the box.
Take also a look at:
http://www.usvn.info/
This may be a repeat of what others have said, but I've looked at many options. The best may be these:
submin (Linux)
VisualSVN (Windows)
RVskin (for Linux/cPanel)
Creating your own custom Subversion management layer inspired me to check into VisualSVN, but I have not tested it though.
Trac may serve your purposes, but I'm not sure how much control over the actual day-to-day SVN commands it gives you. It does have a very nice interface for viewing SVN revisions, however. Have a look here for an example of a Trac page for gosmore, an OpenStreetMap routing program, to get an idea of what it is like.
There is also websvn and viewsvn, but I can't seem to find any that actually allow you to upload files to check in or anything like that. They are all aimed at viewing the repository, downloading files, viewing logs and comparing revisions.
In terms of the day-to-day check-in, check-out stuff, you are probably better off using the svn command or a friendly GUI like TortoiseSVN (if using from Windows) for that sort of thing.
SVN professionals suggest Subversion Edge.
Install and Update: Certified binaries, wizard driven installers with 1-click updates
Repository Management: Create, manage, browse, and local backup
User Management: Manage roles, permissions and access rules
Administration: Authentication, server management and health analytics
Desktops & IDEs: Eclipse, Visual Studio, AnkhSVN, Subclipse, and more
Cloud Services: Public cloud backup and restore to CollabNet CloudForge
TeamForge: Adds multi-server Subversion replication, code governance, improved network performance, as well as Agile ALM through DevOps
Git: Upgrade to TeamForge from SubversionEdge to manage your Git and SVN repositories within one environment
I'm really excited about it and am currently setting it up (it is Java application, so it takes some time to set it up properly compared to an ordinary web UI).
You may want to check out VoilàSVN or OpenGrok.

Are there any HTTP/HTTPS interception tools other than Fiddler, Charles, Poster, and Achilles? [closed]

I'm in the process of testing my application with respect to security.
Aside from Fiddler, Charles and Poster (Firefox plug-in), are there any other free-to-use HTTPS interception (and editing) applications out there? Especially ones which can be installed without admin privileges.
Achilles comes to mind, but I don't think it can handle https traffic.
Achilles does work on HTTPS traffic, but they note on their site that it is not the best tool any more.
Their suggestions are Burp Suite and WebScarab both of which I highly recommend.
OWASP ZAP - it's free, open source and cross platform.
It's also the most active open source web security tool and came first and second in the last 2 'Top Security Tools' surveys run by Toolswatch.org (2013, 2014).
It was originally forked from Paros, which is no longer maintained, but it now has loads more functionality.
It's an OWASP Flagship project, having replaced WebScarab, which is also essentially no longer maintained.
Simon (ZAP Project Lead)
Wireshark is amazing. It captures everything on the network so you'll need to filter down to http/https: http://wiki.wireshark.org/CaptureFilters.
There are a few programs that I would suggest.
Paros Proxy and Ratproxy have already been noted.
scapy is a powerful packet manipulation tool, and has all of the sniffing and monitoring capabilities as well.
dsniff is a suite of tools that allows manipulation, injection, and all sorts of interception and modification options.
There is also a plugin for IE called Tamper IE that has a simple GUI based packet editor.
All of these are free.
Doing more research I came across Paros Proxy. Seems to be a good alternative to the others.
I'd strongly recommend HttpWatch. I believe the basic version is free and captures your HTTPS traffic to some extent. The Professional version is worth the money.
Have a look at ratproxy. It may not be exactly what you're asking for, but is very useful in testing the security of your web app.
Rather than intercepting HTTP and allowing you to edit or replay requests, it installs as a proxy and monitors the normal use of your web app, and then provides a report on possible security issues, along with their severity. It can also be configured to attempt active XSS or XSRF attacks where it thinks there is a vulnerability.
The site says "Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments" but I've only used it on Linux.
Check HTTP Debugger Pro
It is a proxy-less solution and has zero impact on the transferred data.
Also it has modern user interface :)
