Check the Java version:
C:\Program Files\Java\jre7\bin>java -version
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)
Go to the directory where Java is installed:
cd C:\Program Files\Java\jre7\bin
Example of the command:
keytool -genkey -alias your_alias_name -keyalg RSA -keystore your_keystore_filename
Command actually run (it creates the keystore and the key pair that the CSR will be generated from):
C:\Program Files\Java\jre7\bin> keytool -keysize 2048 -genkey -alias Mi_Nombre -keyalg RSA -keystore Mi_Nombre.keystore
Enter keystore password: (enter a password)
Re-enter new password: (enter the password again)
What is your first and last name?
[Unknown]: mi_dominio.com.ar
What is the name of your organizational unit?
[Unknown]: Nombre de la Empresa
What is the name of your organization?
[Unknown]: Empresa que Certifica
What is the name of your City or Locality?
[Unknown]: Buenos Aires
What is the name of your State or Province?
[Unknown]: Argentina
What is the two-letter country code for this unit?
[Unknown]: AR
Is CN=mi_dominio.com.ar, OU="Nombre de la Empresa", O="Empresa que Certifica", L=Buenos Aires, ST=Argentina, C=AR correct?
[no]: yes
Enter key password for <Mi_Nombre>
(RETURN if same as keystore password): (enter the password)
Example:
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore
Command actually run:
C:\Program Files\Java\jre7\bin> keytool -certreq -keyalg RSA -alias Mi_Nombre -file certreq.csr -keystore Mi_Nombre.keystore
Enter keystore password: (enter the keystore password)
This generates certreq.csr and saves it at the following path:
C:\Program Files\Java\jre7\bin\certreq.csr
Send it to the certificate authority.
When the files come back from the certificate authority, import the certificates in order, starting with the root:
C:\Program Files\Java\jre7\bin> keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore Mi_Nombre.keystore
Enter keystore password: (enter the keystore password)
Certificate already exists in system-wide CA keystore under alias
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
C:\Program Files\Java\jre7\bin> keytool -import -trustcacerts -alias UserTrustRSAAddTrustCA -file UserTrustRSAAddTrustCA.crt -keystore Mi_Nombre.keystore
Enter keystore password: (enter the keystore password)
Certificate was added to keystore
C:\Program Files\Java\jre7\bin> keytool -import -trustcacerts -alias TrustedSecureCertificateAuthority5 -file TrustedSecureCertificateAuthority5.crt -keystore Mi_Nombre.keystore
Enter keystore password: (enter the keystore password)
Certificate was added to keystore
C:\Program Files\Java\jre7\bin> keytool -import -trustcacerts -alias mi_dominio.com.ar -file mi_dominio.com.ar.crt -keystore Mi_Nombre.keystore
Enter keystore password: (enter the keystore password)
Certificate was added to keystore
Edit server.xml at the following path (make a backup copy of the file first):
C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\server.xml
Then edit it and comment out the following line with an HTML-style comment (<!-- ... -->):
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
Uncomment:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
And replace it with the following, inside <Service name="Catalina">:
<Connector port="443" SSLEnabled="true" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/cert/Mi_Nombre.keystore"
           keystorePass="cambiarPorElPasswordDelKeystore"/>
keystoreFile: the path of the keystore we created. keystorePass: the password we gave that keystore.
Open Services (services.msc) and restart the service:
Apache Tomcat 7.0 Tomcat7
Or stop it from cmd with the following command:
C:\Program Files\Java\jre7\bin>net stop "Apache Tomcat 7.0 Tomcat7"
The Apache Tomcat 7.0 Tomcat7 service is stopping.
The Apache Tomcat 7.0 Tomcat7 service was stopped successfully.
And then start it again with:
C:\Program Files\Java\jre7\bin>net start|find "Apache"
C:\Program Files\Java\jre7\bin>net start "Apache Tomcat 7.0 Tomcat7"
The Apache Tomcat 7.0 Tomcat7 service is starting.
The Apache Tomcat 7.0 Tomcat7 service was started successfully.
Open the site:
https://mi-sitio.com => with https
Scan it with SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=mi_dominio.com.ar
To fix the Logjam attack finding, the JCE policy files have to be installed:
More info on the attack:
http://www.redeszone.net/2015/05/21/logjam-nuevo-ataque-contra-las-conexiones-tls-por-usar-claves-diffie-hellman-de-512-bits/
Download the JCE policy files (jce_policy-8.zip) from:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Put the contents in the Java security directory, backing up the existing files first:
C:\Program Files\Java\jre7\lib\security
Scanning with nmap showed the following:
root@linus:~# nmap --script ssl-enum-ciphers -p 443 192.168.0.1
Starting Nmap 6.00 ( http://nmap.org ) at 2015-11-11 18:23 ART
Nmap scan report for 192.168.0.1
Host is up (0.015s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
|_ Least strength = strong
Nmap done: 1 IP address (1 host up) scanned in 0.98 seconds
server.xml was modified and the following was set in the connector's ciphers attribute:
<Connector ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA"
           port="443" SSLEnabled="true" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/cert/Mi_.keystore"
           keystorePass="E3uCpRD-p2r233uu."/>
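As an added example (not code from the original post), a small Python audit of a Tomcat connector like the one above, run against a constructed server.xml with a placeholder password: it flags RC4 and MD5 suites, which the Nmap 6.00 script still graded "strong" but RFC 7465 has since prohibited, checks for forward-secrecy key exchange, and flags a clear-text keystorePass. The weak-marker list is an assumption for the example, not a complete policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post's connector; the password is a
# placeholder, not the value shown in the post.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA"
             keystoreFile="conf/cert/Mi_Nombre.keystore" keystorePass="PLACEHOLDER_PASSWORD"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

# Name fragments that mark a suite as weak (assumption for this example; a real
# audit should follow a maintained policy such as Mozilla's server-side TLS guide).
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXPORT", "DES", "anon")
PFS_MARKERS = ("ECDHE", "DHE")  # key exchanges that give forward secrecy

def split_suites(cipher_attr):
    """Split a Tomcat 'ciphers' attribute into individual suite names."""
    return [s.strip() for s in cipher_attr.split(",") if s.strip()]

def weak_ciphers(cipher_attr):
    """Return the suites in a 'ciphers' attribute that match a weak marker."""
    return [s for s in split_suites(cipher_attr) if any(m in s for m in WEAK_MARKERS)]

def audit_connectors(xml_text):
    """Audit every SSL-enabled Connector; returns {port: [finding, ...]}."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check here
        findings = []
        ciphers = conn.get("ciphers")
        if ciphers is None:
            findings.append("no ciphers attribute: the JVM default suite list is used")
        else:
            findings += ["weak cipher suite: " + s for s in weak_ciphers(ciphers)]
            if not any(m in s for s in split_suites(ciphers) for m in PFS_MARKERS):
                findings.append("no forward-secrecy (ECDHE/DHE) suites")
        if conn.get("keystorePass"):
            findings.append("keystorePass stored in clear text in server.xml")
        report[conn.get("port")] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit_connectors(SERVER_XML).items():
        print("port", port, findings)
```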
Scanned again, and now it enumerated the cipher suites correctly:
root@linus:~# nmap --script ssl-enum-ciphers -p 443 192.168.0.1
Starting Nmap 6.00 ( http://nmap.org ) at 2015-11-11 18:29 ART
Nmap scan report for 10.148.20.7
Host is up (0.0016s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0
| Ciphers (3)
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| Compressors (1)
| NULL
| TLSv1.1
| Ciphers (3)
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| Compressors (1)
| NULL
| TLSv1.2
| Ciphers (3)
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| Compressors (1)
| NULL
|_ Least strength = unknown strength
Nmap done: 1 IP address (1 host up) scanned in 3.19 seconds
root@linux:~#
Scanned again from the SSL Labs site, and now:
https://www.ssllabs.com/ssltest/analyze.html?d=mi_dominio.com.ar
Everything green!!
SOURCES:
https://ar.godaddy.com/help/generar-csr-e-instalar-un-certificado-ssl-en-tomcat-4x5x6x7x-5239
https://ashrafhossain.wordpress.com/2010/10/24/generate-a-certificate-signing-request-csr-for-tomcat-with-keytool/
https://www.mulesoft.com/tcat/tomcat-ssl
https://csi2altair.wikispaces.com/Apache+Tomcat+seguro
http://suhothayan.blogspot.com.ar/2012/05/how-to-install-java-cryptography.html
https://weakdh.org/sysadmin.html
http://www.oracle.com/technetwork/java/javase/downloads/index.html
https://cwiki.apache.org/confluence/display/STONEHENGE/Installing+Java+Cryptography+Extension+(JCE)+Unlimited+Strength+Jurisdiction+Policy+Files+6