Questions[ssl](ubuntu)

I'd like to ask if there's a way to lower SSL security level to 1 on Ubuntu 20.04, since I'm receiving:

141A318A:SSL routines:tls_process_ske_dhe:dh key too small

when trying to curl the website.

Curl works if I add --ciphers 'DEFAULT:!DH' parameter, however, I am not able to fetch a website via my client app written in C#. The website also works when opened via browser.

According to bugs.launchpad.net the Ubuntu team set higher SSL security level on purpose.

In several places I came across an information that changing CipherString = DEFAULT@SECLEVEL=2 to 1 in openssl.cnf helps, but my config file did not have such a line at all and adding it had no effect.

I do not control the website server, so I am not able to change its security configuration.

Any ideas? Would installing some older openSSL package help?

Thanks in advance

EDIT: As for changes to my config file, I've added the following at the end:

system_default = system_default_sect 

[system_default_sect] 
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1 

Output from openssl version -a:

OpenSSL 1.1.1f 31 Mar 2020 built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,
--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-P_ODHM/openssl-1.1.1f=. 
-fstack-protector-strong -Wformat -Werror=format-security
-DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE
-DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM
-DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM
-DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
-Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl" ENGINESDIR:
"/usr/lib/x86_64-linux-gnu/engines-1.1" Seeding source: os-specific

This article expose how around 18% of HTTPS connections are being detected as intercepted by MITM proxies. As the great related paper states:

To circumvent this validation, local software injects a self-signed CA certificate into the client browser’s root store at install time.
[...]
Contrary to widespread belief, public key pinning [19]— an HTTPS feature that allows websites to restrict connections to a specific key— does not prevent this interception. Chrome, Firefox, and Safari only enforce pinned keys when a certificate chain terminates in an authority shipped with the browser or operating system. The extra validation is skipped when the chain terminates in a locally installed root (i.e., a CA certificate installed by an administrator) [34].

Is pretty common on companies, desktop antivirus and malware/adware to add a root CA. Sometimes even with honest reasons. But to make the situation more clear: SSL web browsing is exactly as strong as the weakest CA (this includes DNS, if DNS-over-HTTPS).

I want to check if my HTTPS traffic is intercepted at least in three aspects (better if just with CLI):

• Google Chrome/Chromium
• Firefox (Red Hat equivalent?)
• Ubuntu official repos/Snap (See ca-certificates & ca-cacert. Red Hat equivalent?)

So the real questions are:

• How to list unofficially installed CA certificates (doesn't come with Ubuntu/Firefox/Chrome) to avoid MITM attacks/HTTPS interception?
• How to reset trusted certificates stores to its default?

Some research and related questions

• checkmyhttps seems old and not trustworthy

• Chrome: chrome://settings/certificates.
  This is a subset of what return some of these commands?

  # System wide (I)
  awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
  
  # System wide (II) (`p11-kit` package)
  trust list
  

• Firefox

  certutil -L -d ~/.mozilla/firefox/*.default*/
  

• I already sudo update-ca-certificates -v -f. This just updates without removing any sneaky already installed certificate?

Reference

• Chromium - Root Certificate Policy
• Firefox: How to audit & reset the list of trusted servers/CAs
• How can I protect myself against software installing insecure root certificates?
• Who your browser trusts, and how to control it
• All root certificates that Firefox trusts for SSL/TLS (from)

Running sudo apt-get update on my AWS EC2 Ubuntu 18.04.01 LTS instance fails:

Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown

when trying to access the deb.nodesource.com/node_10.x bionic Release

Here is the result after running sudo apt-get update:

Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Ign:3 https://deb.nodesource.com/node_10.x bionic InRelease
Get:4 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Err:5 https://deb.nodesource.com/node_10.x bionic Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: XX.XXX.XX.XX 443]
Get:6 http://security.ubuntu.com/ubuntu bionic-security InRelease [83.2 kB]
Reading package lists... Done
W: https://deb.nodesource.com/node_10.x/dists/bionic/InRelease: No system certificates available. Try installing ca-certificates.
W: https://deb.nodesource.com/node_10.x/dists/bionic/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://deb.nodesource.com/node_10.x bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

It seems like my current installation of Node.js is causing the problem.

I have tried installing and updating ca-certificates in etc/ssl/certs, however, this did not help. I'm not exactly sure how to proceed from here to resolve this issue.

I'm not looking for a quick workaround that would compromise the security of the server.

Right now I installed ubuntu 12.04.3 server which I want to access via ssh. For that reason I created a private key which I moved to

/etc/ssl/private/

I'm just wondering why there already is private key ssl-cert-snakeoil.key in there. Where is this private key used and can I delete it?

I have an little app I wrote in Python and it used to work... until yesterday, when it suddenly started giving me an error in a HTTPS connection. I don't remember if there was an update, but both Python 2.7.3rc2 and Python 3.2 are failing just the same.

I googled it and found out that this happens when people are behind a proxy, but I'm not (and nothing have changed in my network since the last time it worked). My syster's computer running windows and Python 2.7.2 has no problems (in the same network).

>>> url = 'https://www.mediafire.com/api/user/get_session_token.php'
>>> response = urllib2.urlopen(url).read()
  File "/usr/lib/python2.7/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 400, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 418, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 378, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1215, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1177, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 8] _ssl.c:504: EOF occurred in violation of protocol>

What's wrong? Any help is appreciated.

PS.: Older python versions don't work either, not in my system and not in a live session from USB, but DO work in a Ubuntu 11.10 live session.