Using TLS 1.1, 1.2 in .Net 4.0 Application

Posted on Thursday, August 3, 2017 by Nicki de Wet

One of our partners stopped support for SSL 3.0 and TLS 1.0 on a service that we connect to with a .NET 4.0 application.

Using Wireshark we determined that the application was attempting connections using SSL 3.0 and TLS 1.0 only. Digging into this, we found a link mentioning that a registry value needs to be configured for .NET 4.0 to be able to use TLS 1.0 and above.

Once we configured the registry value and restarted the application, it was able to connect to the remote service.
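The post does not name the registry value; the one I know of for this behaviour is SchUseStrongCrypto, which makes .NET 4.x clients negotiate TLS 1.0/1.1/1.2 rather than SSL 3.0/TLS 1.0 only. The PowerShell below is an added example, not code from the post; it assumes an elevated session and that the .NET 4.5 or later runtime is installed (it replaces the 4.0 runtime in place).

```powershell
# Added example: inspect and enable SchUseStrongCrypto for .NET 4.x clients.
# Assumes an elevated session; the .NET 4.5+ runtime must be installed for the
# value to have any effect on a 4.0 application.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 64-bit processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit processes
)

function Get-StrongCryptoState {
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'not set (SSL 3.0/TLS 1.0 default)' } else { $item.SchUseStrongCrypto }
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $state }
    }
}

function Enable-StrongCrypto {
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        # DWORD 1: use the OS default protocol list instead of SSL 3.0/TLS 1.0 only
        Set-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -Type DWord
    }
}

Get-StrongCryptoState     # before
Enable-StrongCrypto
Get-StrongCryptoState     # after; restart the application so it re-reads the value
```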


How to generate a GUID in XSLT transformations

Posted on Wednesday, May 10, 2017 by Nicki de Wet

A recent task involved migrating tens of jobs from Control M to VisualCron. I'm never in the mood for manual repetitive tasks, so the approach was taken to do it with XSLT, since both Control M and VisualCron support XML config schemas.

VisualCron expects various Ids to be GUIDs, and XSL has no built-in functionality to generate GUIDs, so a plan had to be made. I queried Google and found that one can write extension objects in C# and use them during the translation.

The code to generate a GUID is very simple:

    using System;

    // Extension object exposed to the stylesheet; each call returns a fresh GUID
    public class TransformUtils
    {
        public string GenerateGuid()
        {
            return Guid.NewGuid().ToString();
        }
    }

This is then plugged into the transformation code like this:

    using System.IO;
    using System.Text;
    using System.Xml.Xsl;

    string xmlPath = txtXMLSource.Text;
    string xslPath = txtXSLSource.Text;
    StringBuilder output = new StringBuilder();

    // Register the extension object under a namespace URI of our choosing
    XsltArgumentList arguments = new XsltArgumentList();
    arguments.AddExtensionObject("EPS:TransformUtils", new TransformUtils());

    using (StringWriter writer = new StringWriter(output))
    {
        XslCompiledTransform transform = new XslCompiledTransform();
        transform.Load(xslPath);
        transform.Transform(xmlPath, arguments, writer);
    }

Inside the XSLT stylesheet the extension function can now be called, provided the prefix is bound to the same namespace URI that was passed to AddExtensionObject (declared here on the element itself; it can equally go on the xsl:stylesheet root):

    <xsl:value-of xmlns:TransformUtils="EPS:TransformUtils" select="TransformUtils:GenerateGuid()" />

I found a good sample and guide here

DNS Unlocker ads #2

Posted on Thursday, September 17, 2015 by Nicki de Wet

In my quest to find the cause(s) for these DNS Unlocker ads, I found Steve Gibson's DNS Nameserver Spoofability Test to test my DNS.

This can identify any DNS issues that could cause these DNS Unlocker ads to be injected into sites you visit.

DNS Unlocker ads

Posted on by Nicki de Wet

It seems like DNS Unlocker ads injected into websites you visit are a big issue at the moment. I've seen them on sites I visited, and other people I know have also experienced them.

All the resolution links I've seen seem to have the same procedure, and if none of the first couple of detection methods work they have a tool to download. Now I've not tried any of those so-called tools, but I have a suspicion that these 'tools' might actually put you in a worse position than you were in.

How do you get the ads? 
They seem to be injected by a rogue Google Analytics script. From looking at other sources on the web, it looks like DNS poisoning takes place somewhere upstream from my PC, which causes a DNS lookup for www.google-analytics.com to return the address of a rogue server posing as the real thing. The script served from there loads another script from hosts on the dnsqa.me domain, which in turn loads the scripts that inject the ads into the page you are viewing.

How do you get rid of it? 
On my machine no actual DNS Unlocker software got installed, and my DNS settings were also not changed. I ran Malwarebytes as well as AdwCleaner to scan for malware; they found a few cookies and cached pages but no actual installed malware that had to be removed. I also did a Reset in Chrome, which clears the cache, disables extensions and clears history. After this I still got the ads from time to time. Installing Malwarebytes and activating the 14-day Premium trial certainly picks up these rogue scripts and prevents them from being injected. I also installed AdBlock in Chrome and configured it to block all access to *.dnsqa.me and *.google-analytics.com, to prevent the malware from being injected by either of those two avenues.

Other possibilities
If your router still has the default password, it is possible that some application you installed could connect to the router and change the DNS settings. It is also possible that an application can change the DNS settings on your machine itself. Check both these locations to make sure that the DNS settings are configured to use automatically provided values, or, if you manually configured DNS servers like OpenDNS, etc., that they are still intact. If the DNS on your router was changed, make sure to change the default admin password on your router.

Different Ways to prevent the injection
Install Malwarebytes and activate the 14-day Premium trial
Install the AdBlock extension in Chrome
Configure OpenDNS as DNS provider.
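A way to check for the upstream poisoning described above, as an added example that is not part of the original post: compare what the local resolver returns for www.google-analytics.com with answers from independent public resolvers, and list any adapters with manually configured DNS servers. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName; the reference resolver addresses are my own choice.

```powershell
# Added example: detect a spoofed answer for the hostname abused in the post.
# Assumes the DnsClient module (Windows 8 / Server 2012 or later).
$suspectName        = 'www.google-analytics.com'   # hostname named in the post
$referenceResolvers = '8.8.8.8', '1.1.1.1'         # constructed choice of public resolvers

function Get-ConfiguredDnsServers {
    # Manually set servers on an adapter are a clue that something changed them
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, ServerAddresses
}

function Compare-DnsAnswers {
    param([string]$Name)
    # Answer from whatever resolver the machine (or the router) is using
    $local = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress | Sort-Object -Unique
    # Answers obtained directly from resolvers outside the local path
    $ref = foreach ($r in $referenceResolvers) {
        Resolve-DnsName -Name $Name -Type A -Server $r -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress
    }
    $ref = $ref | Sort-Object -Unique
    # CDN answers legitimately differ between resolvers, so a local address that no
    # reference resolver returned is a reason to investigate, not proof of poisoning
    $unknown = @($local | Where-Object { $_ -notin $ref })
    [pscustomobject]@{
        Name        = $Name
        LocalAnswer = ($local -join ', ')
        Reference   = ($ref -join ', ')
        Suspicious  = ($unknown.Count -gt 0)
    }
}

Get-ConfiguredDnsServers
Compare-DnsAnswers -Name $suspectName
```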

Client certificate validation issues - WCF

Posted on Wednesday, August 12, 2015 by Nicki de Wet

We encountered an issue using client certificate authentication with a client certificate issued by a CA in the Trusted Root CA store.

The client certificate chain is valid when opening it on the server, showing the whole chain. When attaching it to a request the request would be rejected with response code 403 - Forbidden. Looking at the System eventlog for SChannel errors showed nothing.

Eventually we switched on WCF tracing, and found the following in the trace:

<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning">
    <TraceIdentifier>http://msdn.microsoft.com/en-ZA/library/System.ServiceModel.Channels.HttpsClientCertificateInvalid.aspx</TraceIdentifier>
    <Description>Client certificate is invalid with native error code 0x2013 (see http://go.microsoft.com/fwlink/?LinkId=187517 for details).</Description>
    <AppDomain>MyApp.exe</AppDomain>
    <Source>System.ServiceModel.Channels.HttpsChannelListener`1[System.ServiceModel.Channels.IReplyChannel]/30640645</Source>
    <ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/HttpRequestTraceRecord">
        <Headers>
            <SOAPAction>"Authorize"</SOAPAction>
            <Connection>Keep-Alive</Connection>
            <Content-Length>1281</Content-Length>
            <Content-Type>text/xml;charset=UTF-8</Content-Type>
            <Accept-Encoding>gzip,deflate</Accept-Encoding>
            <Host>MyAppURL</Host>
            <User-Agent>Apache-HttpClient/4.1.1 (java 1.5)</User-Agent>
        </Headers>
        <Url>https://MyAppURL</Url>
    </ExtendedData>
</TraceRecord>
Searching on Google brought us no closer; eventually I found an old link I've used before under different but related circumstances: http://code-clarity.blogspot.com/2012/06/how-to-troubleshoot-ssltsl-or-x509.html. I enabled CAPI2 logging in the Event Viewer, and saw entries containing the following:

<RevocationInfo>
  <RevocationResult value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</RevocationResult>
</RevocationInfo>
<TrustStatus>
  <ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
  <InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<CertVerifyRevocation>
  <Certificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  <IssuerCertificate fileRef="8782C6C304353BCFD29692D2593E7D44D934FF11.cer" subjectName="SecureTrust CA" />
  <Flags value="0" />
  <AdditionalParameters timeToUse="2015-08-12T07:58:21.234Z" currentTime="2015-08-12T07:58:21.234Z" urlRetrievalTimeout="PT15S" />
  <RevocationStatus index="0" error="80092013" reason="0" />
  <EventAuxInfo ProcessName="lsass.exe" />
  <CorrelationAuxInfo TaskId="{612311D8-4441-4C4B-91B1-0A049B93BFD7}" SeqNumber="5" />
  <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
</CertVerifyRevocation>

To identify which URLs are not accessible, look for entries like these:

<CertRejectedRevocationInfo>
  <SubjectCertificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  <IssuerCertificate fileRef="8782C6C304353BCFD29692D2593E7D44D934FF11.cer" subjectName="SecureTrust CA" />
  <URL scheme="http">http://ocsp.trustwave.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ1mI4Ww4R5LZiQ295pj4OF%2F44yyAQUyk7dWyc1Kdn27sPlU%2B%2BkwBmWHa8CEEssZkb0NHdbZ980oE3VBOY%3D</URL>
  <EarliestOnlineTime>2015-08-12T08:15:03.729Z</EarliestOnlineTime>
  <Action name="CanRetrieveFromNetwork" />
  <EventAuxInfo ProcessName="lsass.exe" />
  <CorrelationAuxInfo TaskId="{612311D8-4441-4C4B-91B1-0A049B93BFD7}" SeqNumber="3" />
</CertRejectedRevocationInfo>
<CertRejectedRevocationInfo>
  <SubjectCertificate fileRef="C2CBFE64932BBB842F04874445416E34164E3FE5.cer" subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  <IssuerCertificate fileRef="8782C6C304353BCFD29692D2593E7D44D934FF11.cer" subjectName="SecureTrust CA" />
  <URL scheme="http">http://crl.trustwave.com/STCA.crl</URL>
  <EarliestOnlineTime>2015-08-12T08:15:04.759Z</EarliestOnlineTime>
  <Action name="CanRetrieveFromNetwork" />
  <EventAuxInfo ProcessName="lsass.exe" />
  <CorrelationAuxInfo TaskId="{612311D8-4441-4C4B-91B1-0A049B93BFD7}" SeqNumber="4" />
</CertRejectedRevocationInfo>

Make sure that the URL(s) in the log entries are accessible from the server (the check runs inside lsass.exe, as the entries show); this should sort out the issue.
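The log-reading step above, as an added PowerShell example that is not part of the original post: it pulls the URL out of every CertRejectedRevocationInfo record in the CAPI2 operational log and tries to fetch each one from the same host. It assumes CAPI2 logging has been enabled as described and that the session may read that log; the offline sample is constructed from the post's own entry.

```powershell
# Added example: list the revocation URLs CAPI2 rejected and test them from here.
# Assumes the CAPI2 operational log is enabled (as in the post) and readable.
function Get-RejectedRevocationUrls {
    param([xml[]]$EventXml)
    foreach ($x in $EventXml) {
        # local-name() sidesteps the event namespace, which differs per field
        foreach ($n in $x.SelectNodes("//*[local-name()='CertRejectedRevocationInfo']")) {
            [pscustomobject]@{
                Subject = $n.SelectSingleNode("*[local-name()='SubjectCertificate']").GetAttribute('subjectName')
                Url     = $n.SelectSingleNode("*[local-name()='URL']").InnerText
                Process = $n.SelectSingleNode("*[local-name()='EventAuxInfo']").GetAttribute('ProcessName')
            }
        }
    }
}

function Test-RevocationUrl {
    param([string]$Url)
    try {
        # CRL and OCSP-GET URLs both answer a plain GET; any HTTP status beats a timeout
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Detail = $r.StatusCode }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

# Offline sample, constructed from the entry quoted in the post
$sample = [xml]@"
<Event><UserData><CertRejectedRevocationInfo>
  <SubjectCertificate subjectName="Trustwave Organization Validation SHA256 CA, Level 1" />
  <URL scheme="http">http://crl.trustwave.com/STCA.crl</URL>
  <EventAuxInfo ProcessName="lsass.exe" />
</CertRejectedRevocationInfo></UserData></Event>
"@
Get-RejectedRevocationUrls -EventXml $sample

# Live use: read the log and keep only events carrying a rejected-URL record
$events = Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -ErrorAction SilentlyContinue |
    ForEach-Object { [xml]$_.ToXml() } |
    Where-Object { $_.SelectNodes("//*[local-name()='CertRejectedRevocationInfo']").Count -gt 0 }

# lsass.exe fetches through the WinHTTP proxy, so success from an interactive session
# (which uses the user's proxy settings) is a strong hint, not proof
Get-RejectedRevocationUrls -EventXml $events | Sort-Object Url -Unique |
    ForEach-Object { Test-RevocationUrl -Url $_.Url }
```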

Help! I've imported a certificate using the mmc snap-in and it is not associated with a private key!

Posted on Thursday, June 4, 2015 by Nicki de Wet

Don't fear; use the following command to fix the association:

certutil -repairstore my "certificate serialnumber"

After this step, refresh the view in MMC; a key should now be displayed as part of the certificate icon.
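To find every certificate affected before running the repair, here is an added PowerShell example (not from the post) that lists certificates in the machine's Personal store with no private key attached and feeds their serial numbers to the certutil command above. It assumes an elevated session; the private key must already exist on the machine for the repair to succeed.

```powershell
# Added example: locate certificates lacking a private key and repair each one.
# Assumes an elevated session (machine store access and certutil -repairstore).
function Get-CertsWithoutPrivateKey {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem $StorePath |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, Thumbprint, SerialNumber, NotAfter
}

function Repair-PrivateKeyAssociation {
    param([Parameter(ValueFromPipelineByPropertyName)][string]$SerialNumber)
    process {
        # "my" is the store behind Cert:\LocalMachine\My; the repair only succeeds
        # when a key container matching the certificate's public key exists here
        & certutil -repairstore my $SerialNumber
    }
}

Get-CertsWithoutPrivateKey                                 # review the list first
Get-CertsWithoutPrivateKey | Repair-PrivateKeyAssociation  # then repair
```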

SSL cert generation using OpenSSL

Posted on Thursday, September 18, 2014 by Nicki de Wet

Create CA

Generate private key for CA

openssl genrsa -des3 -out keys/ca.key 1024

Generate CA cert

openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer

Generate server cert request

Generate private key for server cert

openssl genrsa -out keys/servercert.key 2048

Generate server certificate request

openssl req -new -key keys/servercert.key -out requests/certreq.txt

Sign certificate request and create certificate

openssl ca -policy policy_anything -config openssl.conf -cert certs/ca.cer -in requests/certreq.txt -keyfile keys/ca.key -days 360 -out certs/servercert.cer

Combine private key and certificate in pkcs12 format for importing into Windows

openssl pkcs12 -export -out servercert.p12 -in certs/servercert.cer -inkey keys/servercert.key

Credits:
http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl
http://www.cs.virginia.edu/~gsw2c/GridToolsDir/Documentation/ImportUserCertificate.htm