Saturday, June 10, 2017

QUIC Is quicker ;) tip for OPERA

If you use the Opera browser you may have to change a setting to get QUIC support.

QUIC is an experimental protocol that arrived with the Chrome-based browsers. Google has QUIC support in many of its applications, such as Google Search and Gmail.

In Opera, you have to enable it from the Opera flags page ("opera:flags"): open the page and search for QUIC.

opera:flags

e.g.



The above state is disabled. Once you toggle it to enabled and relaunch Opera, you can triple-check by running tcpdump for traffic on UDP port 443 while launching your browser at Google Search.

e.g.



Optionally you can use opera://net-internals/#quic to monitor quic connections.
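The tcpdump check above, scripted as an added example (not from the original post): capture UDP/443 for a few seconds and summarise which hosts the browser talked to over it. Assumes tcpdump and the coreutils timeout command are installed and that tcpdump is run with sufficient privileges.

```shell
#!/bin/sh
# Added example: confirm QUIC is in use by capturing UDP/443 and summarising
# the destination hosts. Needs root (or CAP_NET_RAW) for tcpdump.

# Capture UDP port 443 on one interface for N seconds (default: any, 10 s).
capture_udp443() {
  iface=${1:-any}; secs=${2:-10}
  timeout "$secs" tcpdump -nn -i "$iface" 'udp and port 443' 2>/dev/null
}

# From "tcpdump -nn" lines such as
#   12:00:01.000 IP 10.0.0.5.51234 > 172.217.3.4.443: UDP, length 1350
# print the destination IPv4 address of every UDP packet sent to port 443.
# (IPv6 lines have a different address layout and are skipped here.)
udp443_dst_ips() {
  awk '/UDP/ {
    for (i = 1; i <= NF; i++) if ($i == ">") {
      n = split($(i + 1), a, ".")        # "172.217.3.4.443:" -> a[5] = "443:"
      if (n == 5 && a[5] ~ /^443:?$/)
        print a[1] "." a[2] "." a[3] "." a[4]
    }
  }'
}

# Packets per destination host, most active first.
udp443_summary() { udp443_dst_ips | sort | uniq -c | sort -rn; }

# Usage: capture_udp443 any 10 | udp443_summary
```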

Reference one of my earlier posts on QUIC:
http://socpuppet.blogspot.com/2016/10/how-to-force-quic-connections-with.html


This site maintains a listing of QUIC-enabled sites:

https://trends.builtwith.com/websitelist/QUIC

NSE Network Security Engineer
{  Fortigate,  PaloAlto ,  CiscoASA }

kfelix   a...t   socpuppets.com
     ^      ^
=(  @  @ )=
         o 

        /  \

Saturday, June 3, 2017

how to debug "TLS server extensions" that are supported by a server

TLS server extensions are a function of the various versions of the TLS protocol. But how do you know which extensions are supported by the server?


First, you need to know the defined TLS server extension "IDs". This listing is maintained by IANA, and the listed IDs and their RFCs are documented there.



Next, by using openssl with the TLS extension debug option (-tlsextdebug) you can validate the server's support for TLS server extensions and see which extensions are actually supported.

Here are some examples I've put together to show the various differences that are commonly encountered.


Microsoft: IDs 65281, 35 and 5

Cisco: IDs 65281 and 35

Here's heartbeat support (id 15), which was not translated into a name in the openssl debug output:

A local email appliance: IDs 65281 and 15



Since the TLS server extensions are exchanged (in the Client and Server Hello) before the SSL session is negotiated, these messages can easily be displayed via tshark/wireshark by monitoring the client/server hellos.



Be advised that various forward proxies can change or remove extensions during the negotiation.

For example, in my office behind a proxy, the same Microsoft site now shows:

Now just the single ID 65281 shows up.
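The openssl -tlsextdebug check above, scripted as an added example (not from the original post): it pulls the extension ids out of the debug output and labels each with its IANA name, so an id openssl prints as "unknown" (like heartbeat, 15) still reads, and the same call run directly and from behind the proxy can be diffed. Assumes the -tlsextdebug line format `TLS server extension "name" (id=N), len=M` and a host name you supply.

```shell
#!/bin/sh
# Added example: list the TLS server extensions a host returns and label them
# with IANA names, independent of whether openssl knows the name.

# Map an extension type number to its IANA-registered name (subset of the registry).
tls_ext_name() {
  case "$1" in
    0)     echo server_name ;;
    5)     echo status_request ;;
    10)    echo supported_groups ;;
    11)    echo ec_point_formats ;;
    13)    echo signature_algorithms ;;
    15)    echo heartbeat ;;
    16)    echo application_layer_protocol_negotiation ;;
    23)    echo extended_master_secret ;;
    35)    echo session_ticket ;;
    65281) echo renegotiation_info ;;
    *)     echo "not_in_local_table($1)" ;;
  esac
}

# Parse -tlsextdebug output lines of the form
#   TLS server extension "renegotiation info" (id=65281), len=1
# (hex-dump lines that follow are ignored) and print "<id> <iana name>".
parse_tlsext() {
  sed -n 's/^TLS server extension "[^"]*" (id=\([0-9][0-9]*\)).*/\1/p' |
  while read -r id; do
    printf '%s %s\n' "$id" "$(tls_ext_name "$id")"
  done
}

# Query a server directly. Run the same call from behind the proxy and diff
# the two outputs to see which extensions the proxy strips or rewrites.
list_server_extensions() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -tlsextdebug \
    </dev/null 2>&1 | parse_tlsext
}

# Usage: list_server_extensions www.example.com > direct.txt
```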

Ken   Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

Friday, June 2, 2017

cisco ACS max subnet limits 40

When defining your AAA clients, it is critical to be aware that IP entries are limited to a maximum of 40 in the Cisco ACS appliance.

Here's what happens when you try to exceed this set maximum:




The easiest way to circumvent this is to craft numerous device groups and keep the entries under 40 items, or to define a CIDR prefix (ip_subnet) instead.


Here are some examples of how you could structure numerous groups:


(Geographical)

WEST   /   CENTRAL   / EAST

or

USA1  USA2  EU ASIA AFRICA


Within each group, just make sure you have 40 or fewer entries. If you need more addresses, add more groups by appending a number instance or alpha characters:


USA1
USA2
USA3
USA4

or

EU1
EU2
EU3
EU4

or

ASIA_A
ASIA_B
ASIA_C

or

ROUTER1
ROUTER2
ROUTER3
ROUTER4


Ken Felix


Thursday, June 1, 2017

OCSP tool to check certificates revocation status

In a CA chain of trust you will probably see something similar to the following:


That's the chain of trust, where the root CA signs the intermediate CA and the intermediate CA signs the server certificate request and issues the certificate.

The chain could be long and deep, but typically it's 3 or 4 links deep. In this example we will check an Entrust chain, which looks like the following:


The tool we will use is ocsptool. It's simple, but it does require you to have the certificates in the chain path. You check each level of the chain bottom to top, all the way to the Root.crt.

Here's a screenshot of Socpuppets doing just this. The OCSP protocol is being used, and you can easily find the OCSP URL via openssl.

e.g. (I'm querying my webserver certificate to find the OCSP responder server URI that we will direct the OCSP query against)



{ responder URL as listed in the  certificates }
URI:http://ocsp.entrust.net


Okay, let's start checking the chain by using ocsptool and the responder:


1st: the actual web server certificate against the intermediate CA that signed that cert



Next, the two intermediate CAs



Lastly, the root CA and the intermediate CA




And finally, here's how the display would look if the certificate was actually revoked.





Using the ocsp tool does the following:

  •   ensures, from the client, that OCSP is working
  •   confirms that you have a valid OCSP responder server for the query, within that chain
  •   allows you to validate any part of the CA chain from the root to the end certificate
  •   validates the certificate status as either good or revoked

What it will not do:

  •   validate the expiration date; that's not a function of the OCSP query, it's a function of the web client
  •   validate that your web-browser client is actually using the OCSP services

OCSP is pretty reliable and has very few weaknesses or vulnerabilities, outside of attacks when OCSP stapling is in use from the server.


I'm curious: if one manages to compromise a webserver certificate and then attacks the OCSP infrastructure so that the OCSP responders cannot reliably send the response, could a web end-user mistakenly connect to a compromised website? Most browsers fall through to allow if the OCSP responder does not respond.
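The bottom-to-top chain walk described above, scripted as an added example (not from the original post), with the fall-through behaviour just mentioned deliberately inverted: a responder that gives no usable answer is treated as a failure, not as "good". Assumes gnutls ocsptool with --ask/--load-cert/--load-issuer, that its output contains a "Certificate Status:" line, and that openssl x509 -ocsp_uri returns the responder URL from the certificate's AIA extension; file names are placeholders.

```shell
#!/bin/sh
# Added example: check every link of a PEM chain (server -> intermediates -> root)
# against each certificate's own OCSP responder, failing closed on no response.

# Turn a responder transcript into one of: good, revoked, unknown, unreachable.
classify_status() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *"certificate status: good"*)    echo good ;;
    *"certificate status: revoked"*) echo revoked ;;
    *"certificate status: unknown"*) echo unknown ;;
    *)                               echo unreachable ;;  # timeout, HTTP error, garbage
  esac
}

# OCSP responder URL from the certificate's Authority Information Access extension
# (empty for a self-signed root or a CA that publishes no OCSP URL).
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# check_chain server.crt inter1.crt [inter2.crt ...] root.crt
# Each certificate is checked against the next file, which must be its issuer.
check_chain() {
  while [ $# -ge 2 ]; do
    cert=$1; issuer=$2
    uri=$(ocsp_uri "$cert")
    if [ -z "$uri" ]; then
      echo "$cert: no OCSP URI in certificate, skipping"
    else
      resp=$(ocsptool --ask="$uri" --load-cert "$cert" --load-issuer "$issuer" 2>&1 || true)
      status=$(classify_status "$resp")
      echo "$cert (issuer $issuer) via $uri: $status"
      [ "$status" = good ] || return 1   # revoked, unknown and unreachable all fail
    fi
    shift
  done
}

# Usage: check_chain server.crt intermediate2.crt intermediate1.crt root.crt
```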

You can learn more about OCSP here: https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol


To confirm whether your web browser is using OCSP, you can use wireshark/tcpdump and monitor traffic to a known OCSP responder address. Every HTTPS session to a site that uses that OCSP responder should generate an OCSP request.
e.g.



Ken Felix


Wednesday, May 31, 2017

gnutls tricks for SSL check

Have you ever used gnutls-cli-debug? It's one of the coolest tools in the gnutls suite.


Take a look at how easy it is to use and the data it reports. Here's a website that does not support SSLv3, and the output:




How about google.com search (notice it supports SSLv3):

 


The tool can also be used to check mail-server gateways and confirm what is or is not supported.
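The gnutls-cli-debug check above, scripted as an added example (not from the original post) so that a batch of web and mail hosts can be probed the same way: it reduces the tool's output to the protocol versions answered "yes" and flags any host that, like the google.com result above, still accepts SSLv3. Assumes the output format `Checking for SSL 3.0 (RFC6101) support... yes` and that this gnutls-cli-debug build accepts --starttls-proto=smtp for mail gateways.

```shell
#!/bin/sh
# Added example: summarise gnutls-cli-debug output and flag legacy SSL versions.

# From gnutls-cli-debug output, print each protocol version answered "yes", e.g.
#   Checking for SSL 3.0 (RFC6101) support... yes   ->   SSL 3.0
accepted_versions() {
  awk 'tolower($0) ~ /checking.*(ssl|tls) [0-9]+\.[0-9]+.*support.*yes/ {
         match($0, /(SSL|TLS) [0-9]+\.[0-9]+/)
         print substr($0, RSTART, RLENGTH)
       }'
}

# Return 1 (and warn) if any SSL 2.0/3.0 version is among the accepted ones on stdin.
flag_legacy_ssl() {
  if accepted_versions | grep -q '^SSL'; then
    echo "WARNING: legacy SSL version accepted" >&2
    return 1
  fi
  return 0
}

# probe_host host [port] [smtp]   -> raw gnutls-cli-debug output
probe_host() {
  host=$1; port=${2:-443}
  if [ "$3" = smtp ]; then
    gnutls-cli-debug --starttls-proto=smtp -p "$port" "$host"
  else
    gnutls-cli-debug -p "$port" "$host"
  fi
}

# Usage: probe_host mail.example.com 25 smtp > out.txt
#        accepted_versions < out.txt; flag_legacy_ssl < out.txt
```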





Ken Felix


Tuesday, May 30, 2017

FortiOS v5.6 video

Here's a great source for the video information that's available on FortiOS v5.6 tips/tricks:

https://video.fortinet.com/video/252/fortios-5-6-gui-tips-and-tricks?fgt_model=FG1K5D&fgt_version=5.6.0&fgt_build=1449&fgt_page=dashboard


Additional video links are available for review and study.

Ken


FortiAnalyzer license expirations HOWTO

The FortiAnalyzer license expiration time can be tricky to determine. Here's one sure way: just ask the appliance for this information.



Keep in mind that not all FAZ virtual appliances and versions will display the license lifetime in the widget that's available from within the WebGUI.

Reference previous post:

http://socpuppet.blogspot.com/2017/05/fortianalyzer-license-expirations.html


Examples:


v5.4.1-build1082 




v5.4.3-build1187





I hope that you found this tip useful.




Ken Felix
