OpenSSL 1.1.x & TLS 1.3

FreeBSD 12.0-RELEASE ships OpenSSL 1.1.1a in the base system, so TLS 1.3 is available out of the box. We run Squid 4.4 and Apache 2.4.37, both of which had to be recompiled against it.

Just a few notes if you share a similar configuration:

  • build /usr/ports/security/openssl111/ or use pkg
  • modify /etc/make.conf so that ports are built against it:

DEFAULT_VERSIONS+=ssl=openssl111

  • modify httpd.conf to reflect something similar to these:

SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA

Two caveats on those lines. +TLSv1.3 needs Apache 2.4.36 or later built against OpenSSL 1.1.1 (2.4.37 qualifies). The three TLS 1.3 suite names (TLS_ prefix) are not part of OpenSSL's TLS 1.2 cipher-list grammar, so that parser silently skips them; mod_ssl 2.4.36+ takes them on a separate SSLCipherSuite line prefixed with the protocol keyword TLSv1.3. Because the three names in that order are also OpenSSL 1.1.1's default TLS 1.3 preference, the configuration above still gets them. The last entry, ECDHE-RSA-AES128-SHA, is a CBC suite with HMAC-SHA1 kept for older TLS 1.2 clients; drop it if you can live with AEAD-only suites.

Once all modifications are finalized, check the configuration syntax, restart Apache and run the host through https://www.ssllabs.com/ssltest/ to confirm that only TLS 1.2 and 1.3 are offered and that a current client negotiates TLS 1.3.

To confirm that Squid was built against the new library, check its version banner:

$ squid -v
Squid Cache: Version 4.4
Service Name: squid

This binary uses OpenSSL 1.1.1a 20 Nov 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

Please note that the above configuration purposely disables SSLv3 and TLSv1.0-1.1; only TLSv1.2 and 1.3 are enabled, with the cipher suites listed. Clients that cannot speak TLS 1.2 or 1.3 fail the handshake rather than falling back. The squid -v banner only tells you which library Squid links against; what Squid itself negotiates is still governed by its own https_port and tls_outgoing_options settings.

Bootable USB Drives with Rufus

Written by Pete Batard, this neat tool creates bootable USB drives for various operating systems from .img and .iso files, among other source formats.

The software is free & open-source and can be downloaded from https://rufus.ie/

At Danskoya.com, we utilize Rufus to create & maintain bootdisks for Windows 10 and FreeBSD. It has proven to be very valuable for all our hardware/software deployments.

WebRTC in Firefox & Chrome

WebRTC lets any page discover your local and public IP addresses through ICE candidate gathering, which can bypass a VPN or proxy. If you don’t need WebRTC, you can disable it:

In Firefox, type about:config in the URL bar, search for media.peerconnection.enabled, highlight it, then right-click and select Toggle to set the value to false.

In Chrome, install the WebRTC Leak Prevent extension by Aaron Horler and set the IP-handling policy to Disable non-proxied UDP (force proxy). Under that policy Chrome only sends WebRTC traffic through a configured proxy, so no local or public address is exposed as a candidate.

To test both browsers for IP-address leaks, use https://whoer.net
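As an added example (not code from the original post), the script below reproduces the check a site such as whoer.net performs, so you can run it from the browser's own console before and after changing the setting. It opens a data-channel-only RTCPeerConnection against a STUN server (the URL is an assumption; substitute your own), collects ICE candidates until gathering finishes, and reports the addresses that were disclosed. The candidate parser is plain JavaScript and is shown running over constructed candidate lines. With media.peerconnection.enabled set to false, Firefox makes the RTCPeerConnection constructor unavailable and the script reports the API as disabled; under the Chrome policy above, gathering normally ends without any host or server-reflexive candidate.

```javascript
"use strict";

// Constructed sample candidates (not real captures): a LAN host address, an
// mDNS-obfuscated host address, a server-reflexive (public) address, a relay.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
  "candidate:2 1 udp 2122194687 4a1b2c3d-0000-4000-8000-000000000000.local 51235 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 192.168.1.23 rport 51234",
  "candidate:4 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 51234",
];

// Parse one ICE candidate (RFC 5245 a=candidate syntax):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)/i.exec(line.trim());
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7].toLowerCase() };
}

// Addresses that disclose something about you: literal host (LAN) addresses and
// srflx addresses (your public IP as seen by the STUN server). mDNS ".local"
// names, which current browsers use for host candidates, and relay addresses
// (the TURN server's, not yours) are not counted.
function leakedAddresses(lines) {
  const seen = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c || c.type === "relay" || c.address.endsWith(".local")) continue;
    seen.add(`${c.type}:${c.address}`);
  }
  return [...seen];
}

// Browser side: gather ICE candidates over a data-channel-only connection and
// report what leaked. Resolves {disabled: true} where RTCPeerConnection is
// absent or cannot be constructed (Firefox with media.peerconnection.enabled=false).
function checkWebRtcLeak(stunUrl = "stun:stun.l.google.com:19302", timeoutMs = 3000) {
  return new Promise(resolve => {
    let pc;
    try {
      pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    } catch (e) {
      return resolve({ disabled: true, leaks: [] });
    }
    const lines = [];
    const finish = () => { pc.close(); resolve({ disabled: false, leaks: leakedAddresses(lines) }); };
    pc.onicecandidate = e => { if (e.candidate) lines.push(e.candidate.candidate); else finish(); };
    pc.createDataChannel("probe");
    pc.createOffer().then(o => pc.setLocalDescription(o)).catch(finish);
    setTimeout(finish, timeoutMs); // gathering can stall; report whatever arrived
  });
}

if (typeof module !== "undefined") {
  module.exports = { SAMPLE_CANDIDATES, parseCandidate, leakedAddresses, checkWebRtcLeak };
}
```

Paste the block into the console and call checkWebRtcLeak().then(console.log). An unprotected browser typically returns a host entry for your LAN address (or only an mDNS name on current builds) plus an srflx entry carrying the public address the STUN server saw, which is the leak a VPN user cares about; a protected one returns an empty list or reports the API as disabled.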