Remove SSL anonymous authentication a+ upgrade SSL version

Question

Remove SSL anonymous authentication a+ upgrade SSL version

Closed this issue 4 years ago · 4 comments

Hello,

Thanks for developing such a great tool.

We’ve set up an instance which we would like to make public, but our university has run a threat assessment and cannot whitelist the post until we address two points:

SSL Server allows Anonymous Authentication
SSL/TLS Server supports TLSv1.0

Their proposes solutions are, respectively

Disable support for anonymous authentication to mitigate this vulnerability.
Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.

Is there a way to do implement these modifications for the DSA?

Thanks,
Andrew

Answer 1 · 2020-05-15T21:19:14.000Z

Are you using an nginx proxy or just the DSA on port 8080?

…

On Fri, May 15, 2020, 1:21 PM choosehappy ***@***.***> wrote: Hello, Thanks for developing such a great tool. We’ve set up an instance which we would like to make public, but our university has run a threat assessment and cannot whitelist the post until we address two points: 1. SSL Server allows Anonymous Authentication 2. SSL/TLS Server supports TLSv1.0 Their proposes solutions are, respectively 1. Disable support for anonymous authentication to mitigate this vulnerability. 2. Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2. Is there a way to do implement these modifications for the DSA? Thanks, Andrew — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#113>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAFODTVKW6MMLPUC2TODXTDRRV23FANCNFSM4NBX6EHA> .

Answer 2 · 2020-05-15T21:24:08.000Z

the latter, a standard "python deploy_docker.py" instance, except with forwarding of host port 80 to girder port 8080 i saw in the glimmer channel there was some mentions of nginx proxy with examples, but all the links provided there have died the 2 items requested also seemed relatively trivial, a disable and an upgrade, so thought maybe they could be done in-project for ease of everyone's deployment thoughts?

…

On Fri, May 15, 2020 at 11:19 PM dgutman ***@***.***> wrote: Are you using an nginx proxy or just the DSA on port 8080? On Fri, May 15, 2020, 1:21 PM choosehappy ***@***.***> wrote: > Hello, > > Thanks for developing such a great tool. > > We’ve set up an instance which we would like to make public, but our > university has run a threat assessment and cannot whitelist the post until > we address two points: > > 1. SSL Server allows Anonymous Authentication > 2. SSL/TLS Server supports TLSv1.0 > > Their proposes solutions are, respectively > > 1. Disable support for anonymous authentication to mitigate this > vulnerability. > 2. Disable the use of TLSv1.0 protocol in favor of a cryptographically > stronger protocol such as TLSv1.2. > > Is there a way to do implement these modifications for the DSA? > > Thanks, > Andrew > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#113 >, > or unsubscribe > < https://github.com/notifications/unsubscribe-auth/AAFODTVKW6MMLPUC2TODXTDRRV23FANCNFSM4NBX6EHA > > . > — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#113 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACJ3XTDHVFGXEG7INBU43FDRRWWWFANCNFSM4NBX6EHA> .

Answer 3 · 2020-06-18T10:02:37.000Z

setup an apache proxy on port 443 using SSL:

In base o/s:
docker run -it --name apache_proxy -p443:443 ubuntu /bin/bash
docker network connect dsa apache_proxy

Within docker:
apt update
apt install apache2 links nano
a2enmod ssl
a2enmod proxy
a2enmod proxy_http

openssl req -x509 -nodes -days 358000 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

nano /etc/apache2/conf-available/ssl-params.conf

    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    # Requires Apache >= 2.4
    SSLCompression off 
    SSLSessionTickets Off
    SSLUseStapling on 
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

nano /etc/apache2/sites-enabled/000-default.conf
#NOTE, replace ip address with IP address of docker girder instance

    <VirtualHost *:443>
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined


            ProxyPass / http://172.19.0.6:8080/
            ProxyPassReverse / http://172.19.0.6:8080/


                    SSLEngine on

                    SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
                 SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key




    </VirtualHost>

start apache

Answer 4 · 2020-06-18T16:26:59.000Z

@dgutman @manthey can we capture this in your documentation somewhere?