Thursday, September 21, 2017
How to find out user id and SID mapping
PsGetSid
https://docs.microsoft.com/zh-tw/sysinternals/downloads/psgetsid
Security Identifier(SID): GetSID of a user,object using Registry, WMIC, PowerShell
https://blogs.msdn.microsoft.com/gaurav/2014/06/03/security-identifiersid-getsid-of-a-userobject-using-registry-wmic-powershell/
wmic useraccount where (name='administrator' and domain='gauravtestMachine') get name,sid
Name SID
administrator S-1-5-21-1976753858-2077894621-3616986626-500
Tuesday, September 19, 2017
MQ client failed to connect qmgr with 2539 error
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.tro.doc/q045390_.htm
2539 (09EB) (RC2539): MQRC_CHANNEL_CONFIG_ERROR
Explanation: An MQCONN call was issued from a client to connect to a queue manager but the attempt to establish communication failed. Common causes of this reason code are:
(1) The server and client cannot agree on the channel attributes to use.
(2) There are errors in one or both of the QM.INI or MQCLIENT.INI configuration files.
(3) The server machine does not support the code page used by the client.
Note: it is very easy to forget that (3) can also cause the connection failure; the text of the error message does not readily suggest it.
Tuesday, September 05, 2017
How can I test if my server supports a specific SSL protocol?
1. Linux command line tool:
openssl can help you test which SSL protocols your server is configured to use.
If a protocol is enabled, the openssl s_client command will wait for input (or Control-D).
If the protocol is disabled, openssl will report an exception similar to the one reproduced below:
21112:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
Openssl examples:
openssl s_client -connect ihshostname:443 -ssl2
openssl s_client -connect ihshostname:443 -ssl3
openssl s_client -connect ihshostname:443 -tls1
#openssl s_client -connect www.google.com:443 -ssl3
CONNECTED(00000003)
23569:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:293:
#openssl s_client -connect localhost:1414 -cipher ECDHE-RSA-DES-CBC3-SHA
#openssl s_client -connect localhost:1414 -showcerts
#openssl ciphers ==> lists the cipher names available to openssl, separated by ":"
**** A perl one-liner is handy here: it turns the ":"-separated output, which is hard to read, into one entry per line
#openssl ciphers|perl -ne 's/:/\n/g;print'
2. online website check tool
https://www.ssllabs.com/ssltest/
3. standalone test tool (TestSSLServer)
https://www.bolet.org/TestSSLServer/
4. IHS v8 or above version command:
Windows:
httpd -t -D DUMP_SSL_CONFIG
Linux:
apachectl -t -D DUMP_SSL_CONFIG
http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html#sslprotsupptest
5. Use nmap to verify which cipherspecs the SSL server supports
nmap --script ssl-enum-ciphers -p port_number ip_address
# nmap --script ssl-enum-ciphers -p 1477 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-03 10:56 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
1477/tcp open ms-sna-server
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds
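The scan above lists TLSv1.0 and several ciphers negotiated with a 1024-bit RSA key. As an added example (not part of the original post), this shell function reads ssl-enum-ciphers output on stdin and prints one finding per line; the function name, the finding labels and the 2048-bit threshold are assumptions of this example.

```sh
#!/bin/sh
# Added example: triage nmap ssl-enum-ciphers output read from stdin.
# Finding labels and the 2048-bit threshold are choices made for this example.
audit_ssl_enum() {
  awk '
    { sub(/^[|_ \t]+/, "") }                 # strip the "| " / "|_" tree prefix
    /^(SSLv[0-9]+|TLSv[0-9.]+):[ \t]*$/ {    # protocol header, e.g. "TLSv1.0:"
      proto = $1; sub(/:$/, "", proto)
      if (proto ~ /^(SSLv2|SSLv3|TLSv1\.0|TLSv1\.1)$/) {
        print "DEPRECATED-PROTOCOL " proto; n++
      }
      next
    }
    /^(TLS|SSL2)_[A-Z0-9_]+/ {               # cipher line: NAME (kex bits) - grade
      if ($1 ~ /_(RC4|3DES|DES|NULL|EXPORT)_/) {
        print "WEAK-CIPHER " proto " " $1; n++
      }
      # "(rsa 1024)" or "(dh 1024)": key size is the numeric prefix of field 3
      if (($2 == "(rsa" || $2 == "(dh") && $3 + 0 < 2048) {
        print "WEAK-KEY " proto " " $1 " " substr($2, 2) " " ($3 + 0); n++
      }
    }
    END { exit (n > 0) }                     # non-zero status when anything was flagged
  '
}

# Excerpt of the scan output shown on this page (port 1477 on localhost).
sample_scan() {
  cat <<'EOF'
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_ least strength: A
EOF
}

sample_scan | audit_ssl_enum || true
```

To check a live service, pipe the nmap command from item 5 into audit_ssl_enum; the exit status is 1 when anything is flagged, so it can gate a deployment check.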
Ref:
SSL-related testing tools
https://www.qa-knowhow.com/?p=3888
SSL handshake concept:
https://support.f5.com/csp/article/K15292