DeutschEnglish

Submenu

 - - - By CrazyStat - - -

11. September 2012

Zimbra: Setting up a free (real) “commercial” SSL certificate

Filed under: Linux,Security,Server Administration — Tags: , , , , , — Christopher Kramer @ 20:40

I recently wrote about how to configure a new self-signed certificate for Zimbra.

Today I want to explain you how you can do even better and setup a real SSL certificate by Startcom which will make those annoying browser warning messages go away ๐Ÿ˜‰ And the best: It is all for free, thanks to Startcom! It is also important to have a real SSL-certificate for use with most smartphones.

Please note that you have to respect Startcom’s certificate policy, which might require a non-free class 2 certificate for your commercial use. See the policy for details. Thanks to Thomas for this remark. With “commercial” certificate, I here mean a “real” CA-signed certificate, which Zimbra calls “commercial”, no matter whether used in a commercial context or not.

First, create a Certificate Request (CSR) in Zimbra. To do so, ssh into your server, login as root and issue a command like this:

/opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -digest sha256
-subject "/C=US/ST=CA/L=Sunnyvale/O=Yahoo/OU=Zimbra Collaboration Suite/CN=host.example.com"
-subjectAltNames host.example.com

This is one line. What is important here, is that you use the domain name for which the certificate should be issued at the end (instead of host.example.com). Startcom will ignore everything else anyway, so you can leave country, state, organization and so on as is or change it, doesn’t matter. What is also important is that you define a keysize of 2048 as Startcom won’t accept 1024 bit keys anymore. This parameter is not documented in the wiki yet, and seems to be available for newer versions of Zimbra only. With a little trick, it should also be also possible for older versions of zimbra such as 5 (but better update to the new version anyway…).

Next thing you do is register at startcom if you do not have an account yet. You’ll get an S/MIME certificate by Startcom for free which you need to login to their control panel. Your browser will generate the secret certificate and store it in its internal storage. I’d recommend you to backup this certificate – you will not be able to login into your startcom account if you loose it.

Then at startcom, you use the validation wizard to validate your domain. This will send a mail to postmaster/hostmaster/webmaster@host.example.com (you can choose which one) with host.example.com being your domain. So you need access to one of these mailboxes to prove that you own the domain.

Then use the certificate wizard at Startcom to create a new certificate. Skip the certificate creation step! Instead, past the CSR created by Zimbra ( /opt/zimbra/ssl/zimbra/commercial/commercial.csr ) into the webform. (Better always create private certificates yourself, never use certificate generators by somebody else, not even the CA.)

Once the certificate is created by Startcom (usually takes some minutes), install it as described in the zimbra wiki:

  1. Store the new (public) certificate you get from Startcom somewhere (e.g. /root/commercial.crt )
  2. Download the root CA certificate
    wget -O /root/ca.pem https://www.startssl.com/certs/ca.pem
  3. Download the intermediary certificate from startcom
    # If your certificate is class 1:
    wget -O /root/ca_intermediary.crt https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
    # If your certificate is class 2:
    wget -O /root/ca_intermediary.crt https://www.startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem
  4. Combine them:
    cat /root/ca_intermediary.crt /root/ca.crt > /root/ca_chain.crt
  5. Verify your certificate:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/commercial.crt /root/ca_chain.crt
  6. Deploy your certificate:
    /opt/zimbra/bin/zmcertmgr deploycrt comm /root/commercial.crt /root/ca_chain.crt
  7. Check:
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  8. Restart Zimbra
    su โ€“ zimbra
    zmcontrol stop
    zmcontrol start

I hope this post was useful so some of you. If you have problems with one of the steps, just ask in the comments.

Read here how to redirect http to https to enforce the use of https.

Recommendation

Try my Open Source PHP visitor analytics script CrazyStat.

6. June 2012

The most complete Rainbow Table Lookup Site: Google!

Filed under: Security — Tags: , , , , , — Christopher Kramer @ 16:16

About three years ago, I wanted to login into an installation of CrazyStat which I had installed back in 2004 in CrazyStat’s early days. Problem was, I had forgotten the password. Of course I could simply change it, but I was curious what the password was and if I would be able to find out. The old version of CrazyStat installed on that server saved the password as an MD5 hash, but without any salt (new versions save salted passwords). So the challenge was to decrypt an MD5 hash which had not been salted before hashing.

I looked the hash up in several rainbow tables I found on the web, but did not find any match. Of course, I had not used a simple password, so rainbow tables including dictionaries and brute-force up to several characters were useless.

So I thought, well, let’s brute-force it myself. So I wrote a simple brute-force algorithm and let it run on the Hash. I included characters, German special characters (รถรครผรŸร–ร„รœ), numbers and several other special characters I though I might have used in the password. So this resulted in a huge character set (>80 characters) and a very slow brute-force. I ran it on my home server for several days, but did not succeed. I think I was brute-forcing passwords of 9 characters when I stopped.

I just gave up at that time, because it was not that important and just an experiment.

Lately, I read that Google is a very good password cracker. Thinking about this, it is obvious: Google indexes the whole web, and there are several MD5 rainbow tables on there, which Google indexes as well. So just google for a hash, and if it is in one of the rainbow tables indexed by Google, you will find it. Also some pages use MD5 for page-IDs which will be indexed by google as well. So I enter the hash I had tried to decrypt three years ago, and it just gave me the password I had searched for straight away! Far more efficient than brute-force or downloading rainbow tables ๐Ÿ˜‰ By the way, the password I searched for had more than 9 characters and is not included in any normal dictionary, although maybe in some password list (but not frequently).

I tried several other hashes to see how good Google is. Of course all easy ones are included. But some other more challenging ones were included as well. For example, it knows the hash of “crazystat” (“CrazyStat” is not in there so far). It knows the hash of my hometown (I will just give you the hash here, find out yourself: 97b559a3d65b95dcda14d70e49ef87fc).

So compared to most rainbow table lookups I have seen so far, Google performs very well. Of course not everything is in there, and with a good salt string, it should be useless.

One test I tried were some random characters, but not so many. I was surprised that Google does not know it. I then used a decrypt/encrypt site that stores every hash it calculates when you encrypt something in a rainbow table. Afterwards, this site was able to decrypt it of course. Now I am waiting how long it takes for Google to index that hash as well.

Now let’s see whether you are faster: Here is the hash:

f533abf87579c6ccc8de45c4d81e9e39

A simple brute-force or a good rainbow table should do to decrypt that. Please leave aย  comment if you decrypted it. There is at least one md5-decrypt site now that knows this hash, so you might also be able to find this one.

Have fun!

And of course, never be the bad guy who uses stuff like this meaning ill ๐Ÿ˜‰

 

Update 2012-09-22: It seems so many people google the hash I posted here that Google suggests it automatically when searching for f533:

But MD5this did not crack it yet and it seems Google is not able to index the md5lookup site I fed with the hash. Well, probably the hash is a bit more difficult to crack than I thought. But somebody must be able to decrypt that. Come on!

« Newer Posts