From 398e44f957e53d41ff132cd29e9394e5a03082be Mon Sep 17 00:00:00 2001 From: Rob Fuller Date: Fri, 31 Oct 2014 14:30:55 -0400 Subject: [PATCH] add SSL WebUI change --- add_ssl.md | 153 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 153 insertions(+) create mode 100644 add_ssl.md diff --git a/add_ssl.md b/add_ssl.md new file mode 100644 index 0000000..d40f8cf --- /dev/null +++ b/add_ssl.md @@ -0,0 +1,153 @@ +# Change Pineapple Web UI to SSL + +## Why + +Since the Pineapples are prone to attacks, individuals love to sniff the clear-text credentials as you log into the HTTP interface. This quick guide should walk-through users' on how to protect themselves via SSL... + +## Install Packages + +``` +opkg update +opkg --dest usb install libopenssl +opkg --dest usb install openssl-util +``` + +## Create config files + +``` +mkdir -p /etc/ssl/certs +nano /etc/ssl/openssl.cnf +``` + +example contents openssl.cnf: + +``` +dir = . + +[ ca ] +default_ca = CA_default + +[ CA_default ] +serial = $dir/serial +database = $dir/certindex.txt +new_certs_dir = $dir/certs +certificate = $dir/cacert.pem +private_key = $dir/private/cakey.pem +default_days = 365 +default_md = md5 +preserve = no +email_in_dn = no +nameopt = default_ca +certopt = default_ca +policy = policy_match + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +default_bits = 2048 # Size of keys +default_keyfile = key.pem # name of generated keys +default_md = md5 # message digest algorithm +string_mask = nombstr # permitted characters +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[ req_distinguished_name ] +# Variable name Prompt string +#------------------------- ---------------------------------- +0.organizationName = Organization Name (company) +organizationalUnitName = Organizational Unit Name (department, division) +emailAddress = Email Address +emailAddress_max = 40 +localityName = Locality Name (city, district) +stateOrProvinceName = State or Province Name (full name) +countryName = Country Name (2 letter code) +countryName_min = 2 +countryName_max = 2 +commonName = Common Name (hostname, IP, or your name) +commonName_max = 64 + +# Default values for the above, for consistency and less typing. +# Variable name Value +#------------------------ ------------------------------ +0.organizationName_default = Hak5 +localityName_default = +stateOrProvinceName_default = +countryName_default = UK +commonName = pineapple + +[ v3_ca ] +basicConstraints = CA:TRUE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always + +[ v3_req ] +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +``` + +## Prepare Certificates + +``` +cd /etc/ssl/certs +``` + +### Make Private Keys + +``` +openssl genrsa -aes128 -out server.key 2048 +openssl genrsa -aes128 -out ca.key 2048 +``` + +### Remove Password From Private Key + +``` +openssl rsa -in server.key -out server.key +``` + +### Generate CA Certificate + +``` +openssl req -new -x509 -days 3650 -key ca.key -out ca.pem +``` + +### Generate Certificate Signing Request + +``` +openssl req -new -key server.key -out server.csr +``` + +### Self-Signed Certificate + +``` +openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server.pem +``` + +Note: Don't forget to install the self-made CA certificate (ca.pem) into your browsers certificate store. + +## Nginx Configuration + +Change `/etc/nginx/nginx.conf` to: + +``` + server { + listen 1471 ssl; # Port, make sure it is not in conflict with another http daemon. + server_name pineapple; # Change this, reference -> http://nginx.org/en/docs/http/server_names.html + ssl_certificate /etc/ssl/certs/server.pem; + ssl_certificate_key /etc/ssl/certs/server.key; + ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!MD5; +``` + +Note: don't forget to change the certificate and certificate key to as you've named them. + +Then restart nginx + +``` +/etc/init.d/nginx restart +``` \ No newline at end of file