WordPress TLS Related Issues – Curl Peer Certificate Trust Issues – Centos 7

WordPress TLS Related Issues during Upgrade Process

  • Issue Definition

    • Trusting an internal TLS root certificate the standard way (placing it at /etc/pki/tls/ca-trust/source/anchors/cert.crt and running update-ca-trust) does not resolve the curl errors raised when performing theme, plugin or WordPress core version upgrades.
  • Fault Resolution

    • WordPress uses its own CA bundle file, located in the $WORDPRESSWEBDIR/wp-includes/certificates folder, rather than the system trust store.
    • Append the certificate in .pem format (the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) to that bundle using cat.
  • Fault Catches

    • This is a temporary fix. During an upgrade the certificate bundle file is overwritten, so the certificates will need to be re-trusted afterwards.
  • To Do

    • Find the code that hard-codes the ca-bundle.crt file located at $WORDPRESSWEBDIR/wp-includes/certificates and map it back to /etc/pki/tls/certs/ca-bundle.crt, which is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
    • Need to determine whether this is possible, as the web service may not be able to read the file at that location, which is generally owned by user root and group root.

OpenVas v9 Custom Server Certificate – Centos 7

Installation of internally signed certificate for OpenVas 9

Steps:

  • Customize /etc/sysconfig/gsad
    • Add TLSKEY=pathtoprivatekeyfile (“/etc/pki/tls/private/xyz.key”)
    • Add TLSCERT=pathtocertificatefile (“/etc/pki/tls/certs/xyz.crt”)
      • Ensure that the private key file is chmod 660 and owned by root.root [gsad and openvassd/openvasmd run as root].
  • Customize /usr/lib/systemd/system/gsad.service [“Added private key and certificate options”]
    • ExecStart=/usr/sbin/gsad --listen $GSA_ADDRESS --port $GSA_PORT --ssl-private-key $TLSKEY --ssl-certificate $TLSCERT $OPTIONS
  • Run systemctl daemon-reload, as systemd unit files were changed.
  • Customize /etc/openvas/openvassd.conf
    • Comment out the existing cert_file, key_file and ca_file lines.
    • Add cert_file=/etc/pki/tls/certs/xyz.crt [“Server Certificate File”]
    • Add key_file=/etc/pki/tls/private/xyz.key [“Server Private Key File”]
    • Add ca_file=/etc/pki/tls/certs/ca.crt [“CA Certificate File that signed the Server Certificate”]
  • Restart the openvassd, openvasmd and gsad services.
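As an added example (not from the original notes), pre-flight checks worth running before the restart in the last step: the key must carry the ownership/mode required above, the certificate must actually belong to the key, and it must validate against the CA file that openvassd is given. The three paths are assumptions taken from the steps above; the checks use openssl commands.

```shell
#!/bin/sh
# Added example, not part of the original notes: pre-flight checks before restarting
# gsad/openvassd/openvasmd with an internal certificate. Paths mirror the steps
# above and are assumptions; override them via the environment.
TLSKEY="${TLSKEY:-/etc/pki/tls/private/xyz.key}"
TLSCERT="${TLSCERT:-/etc/pki/tls/certs/xyz.crt}"
CAFILE="${CAFILE:-/etc/pki/tls/certs/ca.crt}"

# Private key must belong to the expected owner/group (root.root in the notes, since
# the daemons run as root) and grant nothing to "other" (660, 640, 600 all pass).
key_perms_ok() {
    owner="${2:-root}"; group="${3:-root}"
    info=$(stat -c '%a %U %G' "$1" 2>/dev/null) || return 1
    set -- $info                          # $1=mode $2=user $3=group
    [ "$2" = "$owner" ] || return 1
    [ "$3" = "$group" ] || return 1
    case "$1" in *0) return 0 ;; esac     # last octal digit 0: no access for "other"
    return 1
}

# Certificate and private key must be a pair: their public keys must be identical.
key_matches_cert() {
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Certificate must validate against the CA file openvassd will be given as ca_file.
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

preflight() {
    rc=0
    key_perms_ok "$TLSKEY"                 || { echo "FAIL: $TLSKEY must be root.root with no access for other" >&2; rc=1; }
    key_matches_cert "$TLSKEY" "$TLSCERT"  || { echo "FAIL: $TLSCERT does not match $TLSKEY" >&2; rc=1; }
    cert_signed_by_ca "$CAFILE" "$TLSCERT" || { echo "FAIL: $TLSCERT is not signed by $CAFILE" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: safe to restart openvassd, openvasmd and gsad"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then
    preflight
fi
```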

Arduino – ESP13 – 8266 – ESP8266MOD – How to Flash

Issues: this is a work in progress; it looks like the firmware isn't the correct version. The Arduino IDE doesn't appear to allow program upload (it fails). Debugging...
Parts & Key Info
  • ESP-13 Wifi Shield (Purchased from Jaycar NZ)
  • 1 x 10 kΩ resistor (brown, black, black, red, gold), connected between GPIO15 and GND (inline, for amateurs like me)
  • FTDI USB to Serial TTL Converter module (purchased from hobbyist.co.nz – Thanks guys – mission to find a business that had one in stock)
  • A couple of (6 – 8) cables, male and female, used as jumpers to the GPIO0, GPIO2 and GPIO15 pins (GPIO0 LOW (GND), GPIO2 HIGH (+5V), GPIO15 LOW (GND)).
  • Download the v1.3.0.2 AT Firmware.bin
  • sudo apt-get install esptool (I used the Ubuntu 16.04 distro on this occasion, but this should work with Windows-based flashing tools too)
  • Command to use: esptool -cp /dev/ttyUSB0 -cb 115200 -ca 0x0000 -cf /location/of/firmware.bin -cc esp8266 (in my case I opened the Arduino IDE to confirm which tty device the board appears as). Ensure that both switches on the board are up (closest to the exterior of the board).
    Diagrams of the physical connections (images not reproduced here)
Wiring for flashing: note GPIO0 and GPIO15 are tied to GND and GPIO2 is tied to +5V. Colour key: white is +5V, purple is GND, brown is RX, black is TX (bottom left four wires); the 10k resistor goes to GPIO15 (directly below the "d" in duinotech), GPIO2 goes to GND (centre) and GPIO0 goes to +5V (centre).
FTDI USB serial TTY module: note that the red and gray wires are not used! (p1 is red, p5 is purple (GND).) The order is purple, gray, white, black, brown, red (p5 -> p1).
Evidence

$ esptool -cp /dev/ttyUSB0 -cb 9600 -ca 0x00000 -cf /home/andy/Downloads/XC4614\ Wifi\ Shield/Firmware/original\ firmware/v1.3.0.2\ AT\ Firmware.bin -cc esp8266
Uploading 1044480 bytes from /home/andy/Downloads/XC4614 Wifi Shield/Firmware/original firmware/v1.3.0.2 AT Firmware.bin to flash at 0x00000000
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………

Notes – Vulnerability Scanning

The information contained here is intended to be publicly available. These are lab environment findings, based on results from a lab environment and a due diligence exercise, with the intent of taking away learnings and applying them elsewhere in a secure manner!!!

Exercise caution if restricting production-grade systems using the settings defined in this guide: there may be situations where doing so impacts systems that customers/clients rely on accessing with older browsers. If backwards compatibility is a concern, first perform due diligence by baselining access through logging or manual validation prior to enacting the changes!!

Findings Notes:

  • If using keepalived to publish VIPs, consider what services are running on the underlying operating system and which interfaces and/or IP addresses each daemon is bound to. Example:
    • An active-passive keepalived cluster publishing multiple VIPs (for load balancing) will listen on the port configured in keepalived.conf, but the VIPs also give logical connectivity to the SSH daemon, which by default listens on 0.0.0.0. The net result of this finding is that management services can inadvertently be opened up on the VIPs.
      • Takeaway(s):
        • Always enforce source/destination/service rules when using iptables, so that if a daemon is misconfigured you don't inadvertently expose services.
        • Always bind services to specific IP addresses. This is going to be a bit hard when dealing with automation and system cloning, where re-addressing may be required (micro-management of hard-coded IP addresses in configuration files will be a headache).
          • Consider dynamically capturing the IP address in a global variable and referencing that in configuration files where the network interface IP address may change.
  • SSH Findings;
    • Change the default "ListenAddress" from 0.0.0.0 to the IP address of choice.
      • Consider also changing the IPv6 ListenAddress if the network is IPv6 capable and those services are in use. Also review the host-based firewall to determine whether enforcement for both IPv4 and IPv6 is effective.
      • On CentOS 7 the default sshd_config does not contain a Ciphers line. Add the following line to sshd_config. ***Compatibility: some SSH clients will not work if they cannot negotiate these ciphers; be warned!***
        • Removes 3DES, Blowfish, CAST, arcfour and AES ciphers <=192
      • # Removal of Weak Ciphers - Consider Compatibility!!
        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
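
As an added example (not from the original notes) covering both the keepalived VIP finding and the sshd ListenAddress finding above, a shell filter that reads `ss -ltnp` output and prints every listener bound to the wildcard address, which is exactly the set of services a VIP would expose; the sample output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original notes. Flags TCP listeners bound to the
# wildcard address (0.0.0.0, [::] or *): any such service is reachable on every VIP
# keepalived brings up on the host, not only on the address you intended.
# Input is `ss -ltnp` output (with or without its header line) on stdin.

# Print "PORT ADDRESS PROCESS" for every wildcard-bound listener.
wildcard_listeners() {
    awk '
        $1 != "LISTEN" { next }                      # skip the header and anything else
        {
            la = $4; port = la; sub(/.*:/, "", port)          # text after the last ":"
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
                proc = ($NF ~ /^users:/) ? $NF : "-"          # absent when run unprivileged
                print port, addr, proc
            }
        }'
}

# Constructed sample (not captured from a real host) in `ss -ltnp` format.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
LISTEN 0 128 10.0.0.5:443 0.0.0.0:* users:(("haproxy",pid=99,fd=6))
LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("master",pid=77,fd=13))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1234,fd=4))
LISTEN 0 128 *:9100 *:* users:(("node_exporter",pid=45,fd=3))'

# Audit the live host:   ss -ltnp | wildcard_listeners
# Audit the sample:      printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
```

On the sample only sshd (both address families) and the port 9100 listener are reported; haproxy on 10.0.0.5 and the loopback-only mail port are not.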
        
  • HTTPS Web Service Findings
    • macOS (Mac OS X) Finder creates .DS_Store files in folders the client accesses. The result is that the file may be inadvertently exposed to users who have a logical path to the service.
      • Action: add an explicit block in httpd.conf or the specific virtual host file:
        # Block macOS Finder .DS_Store files from being served by the website; they can leak file/folder structure
        <FilesMatch "^\.[Dd][Ss]_[Ss]tore$">
        Order allow,deny
        Deny from all
        # httpd 2.4 without mod_access_compat: use "Require all denied" in place of the two lines above
        </FilesMatch>
      • Consider the possibility that developers may be using macOS and leaving residual bits of information lying around, irrespective of the SDLC environment they are operating in.
    • Remove weak cipher suites from httpd
      • TLSv1.2 was enforced, but the following weak ciphers were still actively in use, RC4 and SEED primarily:
        TLS_ECDHE_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_SEED_CBC_SHA

        • Add this to your virtual host(s); ** be mindful of compatibility **
          • SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
      • Disable debugging features in httpd
        • Apply to all virtual hosts, including the defaults if they still exist:
          • # Remove TRACE and TRACK methods (security enhancement); "TraceEnable off" in the server config also disables TRACE
            RewriteEngine on
            RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
            RewriteRule .* - [F]
    • Remember to disable welcome pages that are of no use to the general public. They are representative of a "slop and drop" deployment, which may indicate security oversight and may mean a higher likelihood of successful compromise if attacked.
  • IMAPS Security Issues (DoveCot specifically)
    • Weak Diffie-Hellman parameters used, default 1024 bits.
      • Modify /etc/dovecot/conf.d/10-ssl.conf by uncommenting ssl_dh_parameters_length = 1024 and changing the value to 2048. I set it to 4096, which may result in a performance penalty on very busy servers. Assess the importance of your mail service to determine whether the risk of offline decryption by powerful adversaries matters to you.
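
For the HTTPS web service findings above (.DS_Store exposure and TRACE/TRACK), and following the caution at the top about baselining access through logging before enacting changes, an added example that is not part of the original notes: a shell filter over httpd access_log lines in the default combined/common format that reports those requests and whether they were refused. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Scans an httpd access_log in the
# default "combined" (or "common") format for the two HTTPS findings above:
# TRACE/TRACK requests and requests for Finder .DS_Store files. Run it before the
# change to baseline who is hitting these, and after it to confirm they are now
# refused (403 from the RewriteRule / FilesMatch block).
# Reads the log on stdin; prints "CLIENT METHOD PATH STATUS" per matching request.

findings_in_access_log() {
    awk '{
        method = $6; sub(/^"/, "", method)       # $6 is "METHOD, including the opening quote
        path = $7; status = $9
        if (method == "TRACE" || method == "TRACK")
            print $1, method, path, status
        else if (tolower(path) ~ /\/\.ds_store$/)
            print $1, method, path, status
    }'
}

# Keep only hits that were NOT refused; after hardening this should print nothing.
unblocked_only() {
    awk '$4 != "403" && $4 != "405"'
}

# Constructed sample log lines (not from a real server).
SAMPLE_LOG='10.0.0.7 - - [01/Jan/2018:10:00:01 +1300] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2018:10:00:02 +1300] "GET /images/.DS_Store HTTP/1.1" 200 6148 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2018:10:00:03 +1300] "TRACE / HTTP/1.1" 200 0 "-" "curl/7.29.0"
10.0.0.9 - - [01/Jan/2018:10:00:04 +1300] "TRACE / HTTP/1.1" 403 213 "-" "curl/7.29.0"
10.0.0.7 - - [01/Jan/2018:10:00:05 +1300] "GET /.DS_Store HTTP/1.1" 403 213 "-" "Mozilla/5.0"'

# Baseline:        findings_in_access_log < /var/log/httpd/access_log
# Post-hardening:  findings_in_access_log < /var/log/httpd/access_log | unblocked_only
# On the sample:   printf '%s\n' "$SAMPLE_LOG" | findings_in_access_log | unblocked_only
```

On the sample, four requests match and two of them (the .DS_Store download and the first TRACE) were served with 200, which is what the hardening is meant to turn into 403s.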