certificates – Is this nginx config suitable to enforce proper authorization?


I have a website secret.example.com, which contains information which must not be disclosed to third parties. In order to protect the information, TLS client authentication was chosen. Whether or not a client is authorized depends on them possessing a client certificate which is signed by the internal CA.

The Configuration

The following snippets of the configuration file provide the client authentication:

ssl_client_certificate  /etc/ssl/nginx/secret.example.com/cert/ca.pem;
ssl_verify_client       on;

The file ca.pem contains a self-signed certificate authority, created via the following openssl command:

 openssl req -new -x509 -nodes -days 1460 -key ca.key.pem > ca.pem

Client certificates would then be signed by this root CA.

What I have tried so far

  1. Send a certificate signed by the CA – This results, as expected, in the website being displayed correctly.
  2. Send no certificate – This results in an error returned by the server, claiming no client certificate was sent.
  3. Send a self-signed certificate by a CA with the same details as the real CA – This results in the error message “The SSL certificate error”, which is not very descriptive, but still does not allow an attacker to see the confidential information.

My question

Is this configuration sufficient to enforce proper authorization? Or does an attacker have any possibility to still access the confidential information?

In order to scope the question further, the following scenarios are explicitly not in the scope of the question:

  • Vulnerabilities in nginx (however, “gotchas” in the configuration are in scope)
  • Disclosure of information through other sites (e.g. debug.example.com allowing LFI)
  • Direct attacks on the physical server
  • Attacks on the machine of a user, causing disclosure of a client certificate and private key
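
The third test in the question can be reproduced offline. This is an added example, not part of the original question and not nginx's own code. It uses `openssl verify` as a stand-in for the chain check nginx hands to OpenSSL, and every subject, file name and key size in it is a constructed assumption.

```shell
#!/bin/sh
# Constructed lab: subjects, file names and key sizes are assumptions.
set -eu

# Self-signed CA, following the question's `openssl req -new -x509 -nodes`.
# Both CAs get the SAME subject so only the key distinguishes them.
make_ca() {  # $1 = file prefix
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1460 \
        -subj "/O=Example Internal/CN=Example Internal CA" \
        -keyout "$1.key.pem" -out "$1.pem" >/dev/null 2>&1
}

# Issue a client certificate signed by the given CA.
issue_client() {  # $1 = CA prefix, $2 = client prefix
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=client" \
        -keyout "$2.key.pem" -out "$2.csr.pem" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr.pem" -CA "$1.pem" -CAkey "$1.key.pem" \
        -CAcreateserial -days 30 -out "$2.pem" >/dev/null 2>&1
}

# Does the client certificate chain to the trusted CA file?
chain_ok() {  # $1 = trusted CA (the ssl_client_certificate file), $2 = client cert
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

run_lab() (
    d=$(mktemp -d) && cd "$d" || exit 1
    trap 'rm -rf "$d"' EXIT
    make_ca real
    make_ca lookalike
    issue_client real good
    issue_client lookalike imposter
    # Only real.pem is trusted, as in the question's nginx config.
    echo "real=$(chain_ok real.pem good.pem) lookalike=$(chain_ok real.pem imposter.pem)"
)

run_lab
```

The look-alike CA shares the real CA's subject, but the client certificate it signs does not verify against `real.pem`, because the chain is validated against the CA's key rather than its name.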

openssl – I need to use an SSL certificate for Linux and Windows. Will my Linux certificates stop working if I re-issue a certificate for my Windows Server?

I am new to this whole SSL thing. I need to use the wildcard certificate I bought on multiple Linux servers and a Windows server. I already installed (?) them on the Linux servers, but I’m having problems installing them on Windows (following this: https://www.thesslstore.com/knowledgebase/ssl-install/microsoft-iis-8-ssl-installation/). I am assuming that I need to re-issue a new certificate for the Windows server since it is using IIS 7. My question is, if I reissue the certificate with a new public key, will the already installed certificates stop working? Apologies for the beginner question, I just want to make sure I’m doing things right.

certificates – How does this unsigned exe launch without the windows 10 SmartScreen warning?

So, I have been working on my own project for which I have been looking into certificates and such. While browsing Reddit I found a game whose exe file I launched, expecting to get a Windows 10 warning message, such as occurs for most games on itch.io, and for my own unsigned applications. To my surprise however, the game just straight up launched without any Windows 10 SmartScreen appearing. This is despite the program not appearing to have any digital signature in the file properties.

How is this possible?

I can only think that it was signed, but for some reason it is not showing that the program is signed.

The game was MidBoss (a legitimate game which is on itch.io and Steam) which I downloaded the Windows main from: https://midboss.net/classic/

I expected to get a warning like this, but no warnings whatsoever were displayed.
Windows 10 smart screen warning

The properties of this application have no digital signatures tab.
Properties of application

Unlike this application which has been signed.
Application which was signed

interaction design – Best UX online courses and certificates for a software developer

openssl – number of crl certificate(s) or pem certificate(s) present in p7s file

Q. How can we find out the number of CRL files or number of PEM files that can be generated from a P7S file?

I understand (from here) that the data contained in a P7S file is nothing but the encoded (in ASN1, DER format) data of a PEM file.

So, if I have a P7S file which is encoded (in ASN1, DER format), I use some OpenSSL commands to get ASN1PARSE data, from which I get CRL(s) and at last I get PEM(s).

I know ASN1PARSE, when used with OpenSSL, gives some text file which contains some offsets, header lengths and lengths, by using which we extract the above-mentioned CRL(s) and PEM(s).

Now my question is, as mentioned in the first line of the post, how can I know I am generating the right number of files (CRLs, PEMs) from the P7S file?
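
One way to check the counts directly, as an added example that is not part of the original question: `openssl pkcs7 -print_certs` prints every certificate and CRL held in the structure, so counting the PEM headers gives the number of files to expect. The sample P7S, the minimal CA config and all file names are constructed for the demonstration, and the input is assumed to be DER-encoded as the question states.

```shell
#!/bin/sh
# Constructed lab: every file name, subject and config value is an assumption.
set -eu

# Count certificates and CRLs in a DER-encoded PKCS#7 (P7S/P7B) file.
# Prints "certs=<n> crls=<m>".
count_p7() {  # $1 = path to the PKCS#7 file
    pem=$(openssl pkcs7 -inform DER -in "$1" -print_certs)
    # grep -c exits 1 on zero matches, hence the "|| true" under set -e.
    certs=$(printf '%s\n' "$pem" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    crls=$(printf '%s\n' "$pem" | grep -c -- '-----BEGIN X509 CRL-----' || true)
    echo "certs=$certs crls=$crls"
}

# Build a sample PKCS#7 holding two certificates and one (empty) CRL.
build_sample() (  # $1 = absolute output path
    d=$(mktemp -d) && cd "$d" || exit 1
    trap 'rm -rf "$d"' EXIT
    for n in ca extra; do
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 \
            -subj "/CN=lab $n" -keyout "$n.key.pem" -out "$n.pem" >/dev/null 2>&1
    done
    # Minimal config so `openssl ca -gencrl` can sign a CRL with the lab CA.
    printf '%s\n' '[ca]' 'default_ca = lab' '[lab]' 'database = index.txt' \
        'default_md = sha256' 'default_crl_days = 7' > ca.cnf
    : > index.txt
    openssl ca -config ca.cnf -gencrl -keyfile ca.key.pem -cert ca.pem \
        -out crl.pem >/dev/null 2>&1
    openssl crl2pkcs7 -in crl.pem -certfile ca.pem -certfile extra.pem \
        -outform DER -out "$1"
)

run_demo() {
    out=$(mktemp)
    build_sample "$out"
    count_p7 "$out"
    rm -f "$out"
}

run_demo
```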

certificates – Solar Winds / Orion SAML compromise mass cert update

Solar Flare / Orion customers have suffered some network compromises according to news reports.

One report says, right at the end of the article, that SAML2.0 signing certificates may have been compromised.

From the point of view of a SAML service provider (that’s me!), this means cybercreeps can spoof Assertions (credentials) to our service. Our customers definitely don’t want that. Neither do we.

It seems likely our customers who

  1. use SAML and
  2. were hit by those cybercreeps

will want to change their SAML public keys on our system and systems like it. Quickly!

The CA and certificate revocation stuff built in to browser TLS won’t help: many of these SAML signing certificates are self-signed; they’re just used for crypto key exchange for document signatures.

For this specific kind of infosec emergency are there any best practices for handling this sort of cross-system mass scale cert update? I’d even want to see some actual practices….

wi fi – No option to choose “Do Not Validate” under “CA certificates” when connecting to PEAP/MSCHAPV2 WiFi (Android 11)

I can’t connect to campus WiFi anymore after installing latest ROM with December 2020 security patches. The configuration is PEAP/MSCHAPV2. Under CA certificate, we usually choose “Do not validate” but now CA certificates is set to “Use system certificates” and can’t be changed. “Use system certificates” setting requires Domain name which I don’t know and have never needed to use before in any ROM.

See the screenshot.

Is there any workaround to choose “Do not validate” in “CA certificate”?

certificates – offline root CA workflow

I have reviewed several discussions here regarding offline root CA management. While useful, none quite capture my question.

Firstly it presumably would not be generally assessed as an ‘offline’ root if its key is in a network connected HSM, no matter how protected (with a PIN, behind firewall, etc)?

In my setup a physical laptop or desktop, which can be disconnected and off and physically secured is probably not feasible. So I’m thinking of something like a Tails bootable USB. Boot from this on a host and use an encrypted partition of Tails to store the root key and thus issue the root CA from that environment.
As the online intermediate signing CA cert has to be issued by the root and be online (with key via an HSM), how do I get that issuing CA certificate request into Tails to create the certificate sufficiently securely? This seems that sneaker-net is essential and the use of USB storage is mandatory.

Does having two HSMs make a good solution? One contains the root CA key, which is powered off except when needed, and another online one for managing the issuing certificate’s key?

Publishing a CRL by the root CA is another component of the ecosystem that is tricky.

Another aspect of which I am unsure is if creating, as far as is possible, a known untampered Tails USB instance is possible, is its use on a general use laptop or desktop safe enough? If the USB is read-only I can’t store anything on it – such as an issued certificate. If it is read/write then a vector exists to compromise it from the laptop/desktop on which it is used.

I’m seeking opinions on the workflow for using ‘offline’ root CAs more than the technical steps involved. I realise these design decisions are driven by risk appetite and consequences. Guidance and the lived experience would help. Thank you.

certificates – Spoof publisher info on Windows applications

Let me start by acknowledging that I have absolutely no experience with Windows development and this is purely for academic purposes. I apologize for incorrect terminology and welcome corrections or good resources.

When we run a program from an uncertified vendor we get a security warning from Windows indicating that the software comes from an unverified publisher. (i.e. https://www.remosoftware.com/info/wp-content/uploads/2016/06/Unverified-Publisher.png)

Is it possible to set the publisher info displayed there? I don’t care whether or not windows displays warnings and alerts telling the user that it is unverified. I don’t mean to spoof a certificate or bypass the warnings. An example would be the user running the program and receiving the warning above with “Apple Inc.” instead of “Unknown Publisher”.

I have seen many different Stack Overflow posts on the topic but overall I am very confused by the Windows ecosystem and different types of projects/templates that can be used. I ended up creating a Winforms project and I am using Installer Projects. I tried setting the deployment project properties fields but it did not work. I created a temporary certificate and I am signing the ClickOnce manifests as well as the assembly on the Winforms project.

In the end, I just want to know whether or not it is possible.
Any help is appreciated!

certificates – Provide TLS keystore with self-signed cert for localhost with the application – good idea?

My company provides an integration component, along with a huge web application that is used in intranet scenarios from Citrix terminal servers. This integration component — let’s call it CS — is implemented in Java and is launched in the context of each user upon login using the autostart feature of Windows.

The web application is loaded through HTTPS. JavaScript code in the webapp then connects to the integration component using both unencrypted HTTP and WebSockets. This connection uses the loopback address only. This only works in Chrome and Chromium-based browsers; Firefox does not allow this. But that’s OK, as Chrome is the platform for our web app. No warnings about the unsafe connection are shown to users, as this is done completely in the background, invisible to human users.

Developers now want CS to also display HTML content. This basically forces us to encrypt the communication between the web app and CS.

One approach is to install a PKCS#12 keystore along with CS that contains a TLS certificate and private key exclusively for the DNS name localhost. We would also provide the certificate with its public key to the admins so that upon installation it can be automatically imported into each user’s Windows certificate store. That way, the browser would mark the connection to localhost as secure.

Would this be a valid approach from a security point of view or are there security implications that we have not considered? I generally do not like to provide a private key to various users, even if it can only be used for the name localhost. I cannot come up with any concrete threat however. Is there anything I don’t see?