So the F5 is a tricky beast often refereed to as the swiss army knife of network appliances. The appliances primary role in many networks is to load balance and is a beast negotiating SSL. That being said its not always easy to determine how to configure the clients SSL profiles to be secure and still service the public. F5s documentation is helpful but designed to be vague because cipher suites and browser support is always changing. https://support.f5.com/csp/article/K8802
SSL Labs has become the de-facto to use tool that helps the public understand the nuances of SSL by giving an easy to understand letter grade, https://www.ssllabs.com . The website runs a multitude of tests from insuring your certificate is chained correctly to end device OS and browser simulations, to commonly found vulnerability testing. The down fall of having such a sophisticated tool issuing a simple letter score, is not every environment can be configured for an A or B plus.
So I wanted to through an F5 Client SSL Profile out there that at the time of testing got a solid A- and still supported a ton of OS and browser combinations. You will mostly want to keep the defaults but I will highlight what changes you will want to make to get an A. You will need to select Advanced to see some of these settings.
- The first step is to add your public certificate and the intermediate certificates if applicable as well as the key.
- this is what create the certificates chain
- Next you will want to customize the Ciphers that will be used by the F5 to negotiate SSL with the client. This is where 99% of the magic will happen.
- DEFAULT:HIGH: (are pre canned cipher settings created by F5, the additional settings are additional customization.
- !RSA: Do not use RSA ciphers
- !SSLV3: Do not use SSL version 3
- !RC4: Do not use RC4 ciphers
- !EXP: Do not use Cipher length of 40 or 56 bits export strength
- !DES: Do not use Des or triple Des ciphers
- !TLSv1_1: Do not use TLS version 1.1
- !TLSv1: Do not use TlS version 1.0
- !ADH: Do not use ADH ciphers
- !EXPORT: Do not use EXPORT grade (weak) ciphers
- !SHA: Do not use Message Authentication Code SHA 128
- The complete string looks like this:
- DEFAULT:HIGH:!RSA:!SSLV3:!RC4:!EXP:!DES:!TLSv1_1:!TLSv1:!ADH:!EXPORT:!SHA
- Lastly you will want to set up strict SSL renegotiation:
- Check the Renegotiation box
- Next set Secure Renegotiation to "Require Strict"
From here save your SSL client profile, apply it to a public accessible virtual server, and run SSL labs against your server. Its kind of fun testing and playing around to see what modifying the cipher settings.
Enjoy.
- sudo nano /etc/sysctl.conf
- net.ipv4.ip_forward = 1
- sudo sysctl -p
The WireGuard configuration is as simple as setting up SSH. A connection is established by an exchange of public keys between server and client. Only a client that has its public key in its corresponding server configuration file is allowed to connect. WireGuard sets up standard network interfaces (such as wg0 and wg1), which behave much like the commonly found eth0 interface. This makes it possible to configure and manage WireGuard interfaces using standard tools such as ifconfig and ip. I was going to post a guide but there are so many good guides already on the internet just google it. Also the official documentation is really good and has some install guides as well.
Enjoy, be safe, support and contribute to WireGuard.
https://www.twitch.tv/defconorg
https://www.twitch.tv/defcon_music
https://www.twitch.tv/defcon_chill
https://www.twitch.tv/biohackingvillage
https://www.twitch.tv/blueteamvillage
https://www.twitch.tv/bypassvillage
https://www.twitch.tv/cryptovillage
https://www.twitch.tv/hackthesea
https://www.twitch.tv/passwordvillage
https://www.twitch.tv/roguesvillage
https://www.twitch.tv/dcpolicy
https://www.twitch.tv/hamradiovillage
https://www.twitch.tv/ics_village
https://www.twitch.tv/iotvillage
https://www.twitch.tv/monerovillage
https://www.twitch.tv/paymentvillage
https://www.twitch.tv/redteamvillage
- Identify the talks I want to watch
- Create a youtube playlist listing the talks in order of the live Q&A's (then watch them)
- Created calendar events of the live Q&A with the speaker on the Defcon Twitch channel (https://www.twitch.tv/defconorg)
- between live Q&A I want to watch I stream the Defcon Entertainment channel on twitch (https://www.twitch.tv/defcon_music)
- Hang out on the Defcon Discord server in #linecon, #dcg, #pool-1, and the #pool-3 channels we will see which ones i spend the most time in. Currently linecon is holding most of my attention.
Please also consider "The One!", a unofficial consolidated schedule of all the Villages, Talks, Contests, and various Events occurring during DEFCON 28. One page, one look, all things happening!
Lots of things are still missing, As various schedules get released and processed they will appear. Keep coming back to get the latest.
Village info derived from the following pages
DEF CON 28 Villages page
DEF CON 28 Villages Forum page
Other cons during #SummerHackerCamp
General / previous years
JK-47 - BSidesLV & DEFCON Conference Tips
Just another DEF CON guide
HACKER SUMMER CAMP 2018 GUIDE
On Attending DefCon
|
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:State
Locality Name (eg, city) []:City
Organization Name (eg, company) []:Anything
Organizational Unit Name (eg, section) []:Anything
Common Name (eg, fully qualified host name) []:Username
Email Address []:youremail
|
<VirtualHost *:443> ServerName secure.example.com DocumentRoot "/var/www/html" ServerAdmin [email protected] SSLEngine on SSLCertificateFile /home/sempla1/ssl/server-cert.pem SSLCertificateKeyFile /home/sempla1/ssl/private/server-key.pem SSLVerifyClient require SSLVerifyDepth 10 SSLCACertificateFile /home/sempla1/ssl/client-certificate.pem </VirtualHost> |





