Achieve ‘A’ rating on SSLABS server test using IIS 8.5 Windows 2012 R2

Do you want to reach the heights of having an A graded server on SSLABS server tests? 

First thing you need to do on a fresh install of Windows server 2012 R2 and IIS 8.5 is disable SSL3 functionality, this can be achieved by following this guide. Come back here once you have done this.

Below is the Cipher Key string that I put into the Local Group Policy Editor. To do so click the Windows icon and type in gpedit.msc and press enter to launch the Policy Editor.  Open on the left the folder titled ‘Administrative Templates / ‘Network’  / ‘SSL Configuration Settings’ & double click on ‘SSL Cipher Suite Order‘ to open. Now Enable the SSL Cipher Suites and copy and paste the below list in. Click OK and restart your server, now run the SSL server test again to see the result.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Cipher suite from above all on one line for copying into GPEDIT.MSC

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

The following 2 Cipher’s currently only work on Windows server 2016 & IIS 10

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

*Note: I’ve included ‘TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256‘ & ‘TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384‘ in a separate code block below the main cipher keys, although these do not currently work on Windows 2012 with IIS 8.5 – I’m hoping that a patch with come through from Microsoft soon which enables them, as these will take the ‘A’ to an ‘A+’ rating, as they do when using Windows Server 2016 IIS 10.

So if you are using IIS 10 on Windows Server 2016 then add these to the top and removed the bottom two as all keys will not fit within the cipher field.

Chrome updates disabled by Administrator?

You might run into this issue in a large corporation, where an overzealous Administrator thinks that they know better than Google and therefore try and stop your machine from staying up to date with the latest Google release.

Please note to edit your Registry you need to be a Local Administrator.

To ‘fix’ this issue, it might need to done using a batch script as your policies might get reset on each login or at a set time.

Run the Registry Editor, Start/Run: regedit

Browse to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update

Double-click at the UpdateDefault or DefaultUpdate (depends on what version installed)

Change the 0 to a 1

Exit Registry Editor and return to the Help/About Google Chrome section,  your browser will then start to auto update!

IIS 6 Http to Https Redirect

Yes, why on earth would you still be using a server which can only support IIS6?! But somethings in this world cannot be pushed into the future fast enough, in the case of our organisation there are quite a few Windows 2003 servers which are still in use, which is shocking.

So what do I need to do to get a redirect in place?

Create a blank file called HttpRedirect.htm in the directory root of your website, copy in the below code.

<!-- beginning of HttpRedirect.htm file -->

<script type="text/javascript">

function redirectToHttps()

{

var httpsPort = ":4443"

<!-- Add +httpsPort after the window.location.hostname if the standard https port is not 443 -->

var httpURL = window.location.hostname+window.location.pathname;

var httpsURL = "https://" + httpURL ;

window.location = httpsURL ;

}

redirectToHttps();

</script>

<!-- end of HttpRedirect.htm file -->

Set the 403.4 error page to use this file instead of the regular error file. Do this in IIS6, right click and select ‘Properties‘ on your website, click on ‘Custom Errors‘ tab, find 403.4 in the list click ‘Edit‘ and ‘Browse‘ point it at the file which you created above.

Select the ‘Directory Security‘ tab, select ‘Edit’ in the Secure Communications section

Check on the ‘Require secure channel (SSL)‘ option. (This will only allow pages on this site to be viewed only with Https.)

Now browse to a URL on this website and your be redirect from http to https.

Lost your BASH’fulness?

The dreaded moment when you are on your Unix / Linux server and you type ‘ls‘ and up pops ‘Command not found‘.

Before running about screaming, asking yourself why did you run that last command.

Check your PATH

$ echo $PATH

If yours is not showing /bin , /usr/bin or /usr/local/bin directories, then this is why you are getting ‘Command not found‘ these are the directories that hold the systems user commands.

So, you’ll need to add them back into the PATH

export PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

Now try the ‘ls‘ command again. It should now work.

If you want to change it later, do

export PATH=$PATH:/my/new/directory

That way it will keep the existing PATH and add the new directory to the end.

If you need to add the above so it is available at startup, you need to Google your “(OS) add path to startup” or “(OS) add path to profile“, there is too much and too many OS variations on this topic to be covered here.

Port opened? Telnet is your friend

Do you want to know if the problem you are having is a network \ firewall issue?

You can simply use Telnet to check if the port you are trying to connect to is open or not.

You can test any port using this simple method, not just connections open to telnet.

First off you need to install Telnet Client on your machine.

To do so, open a command prompt window. Click Start, type cmd in the Start Search box, and then press ENTER.

pkgmgr /iu:"TelnetClient"

Next step close the current command prompt and reopen it again, this is so the path to Telnet which you’ve just installed will work.

Now type the connection & port to test

telnet <server> <port>

Example

telnet google.co.uk 80

If it goes to a blank screen or a screen with funny characters then this means that port is open.

If you get :

Connecting To google.co.uk..Could not open connection to the host, on port 80:Connect failed

Then you’ll need to get onto your network team to open some firewall rules for the required port access or iptables if on unix servers.

Grizzly AppDynamics SSL issue

I’ve been trying to get an SSL certification on our AppDynamics server, to no avail. on startup I just get the following, repeat, see code block below.

When I go back to the original self signed keystore.jks file in AppDynamics\Controller\appserver\glassfish\domains\domain1\config then AppDynamics starts up fine.

I’ve tried every way of getting the SSL certificate into the keystore, it imports without error, but then displays this on boot up in the server.log ‘ProtocolChain exception’.

I’ve tried extracting the private key and rebuilding the p12 file with that and the certificate, using openssl as the AppDynamics manual says:  openssl pkcs12 -inkey key.pem -in appdynamics_mmu_ac_uk.crt -export -out keystore.p12

[#|2016-01-28T22:14:08.356+0000|SEVERE|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=51;_ThreadName=Thread-5;|ProtocolChain exception
 java.lang.NullPointerException
 at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(SSLReadFilter.java:352)
 at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(SSLReadFilter.java:399)
 at com.sun.grizzly.filter.SSLReadFilter.execute(SSLReadFilter.java:159)
 at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
 at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
 at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
 at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
 at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
 at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
 at com.sun.grizzly.ContextTask.run(ContextTask.java:121)
 at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:554)
 at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:533)
 at java.lang.Thread.run(Unknown Source)
 |#]

Solution

Hidden in the manual, right at the very bottom, after the section which you are reading, it reminds you to make sure that your ‘s1as‘ certificate has the same password as the keystore..

https://docs.appdynamics.com/display/PRO42/Controller+SSL+and+Certificates

Changing the master password with asadmin changes the password for the keystore and for the s1as key. It does not change the password of any additional keys you have added to the keystore. However if you have added keys to the keystore, you need to change their password to match the new master password. Use the keytool to change their passwords as follows:

keytool -keypasswd -alias s1as -keystore keystore.jks
-storepass <new master password>

2015 in review

The WordPress.com stats helper monkeys prepared a 2015 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 60,000 times in 2015. If it were a concert at Sydney Opera House, it would take about 22 sold-out performances for that many people to see it.

Click here to see the complete report.