
Top 100+ Transport Layer Security Interview Questions And Answers - Jun 02, 2020



Question 1. Why Does mod_ssl Stop With The Error "Failed To Generate Temporary 512 Bit RSA Private Key" When I Start Apache?

Answer :

Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness device" that serves this purpose (usually named /dev/random). On other systems, applications have to seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with suitable data before generating keys or performing public key encryption. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the PRNG has not been seeded with at least 128 bits of randomness.

To prevent this error, mod_ssl has to provide enough entropy to the PRNG to allow it to work correctly. This is done with the SSLRandomSeed directive, which can name a device such as /dev/urandom (or an external program) as the seed source at startup and at connection time.

Question 2. Is It Possible To Provide HTTP And HTTPS From The Same Server?

Answer :

Yes. HTTP and HTTPS use different server ports (HTTP binds to port 80, HTTPS to port 443), so there is no direct conflict between them. You can either run two separate server instances bound to these ports, or use Apache's virtual hosting facility to create two virtual servers, both served by the same instance of Apache: one responding over HTTP to requests on port 80, and the other responding over HTTPS to requests on port 443. In both cases the server needs a Listen directive for each port in use.

Question 3. Which Port Does HTTPS Use?

Answer :

You can run HTTPS on any port, but the standards specify port 443, which is where any HTTPS-compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL (for example https://host:8443/).

Question 4. Why Do I Get "Connection Refused" Messages When Trying To Access My Newly Installed Apache+mod_ssl Server Via HTTPS?

Answer :

This error is usually caused by an incorrect configuration. Please make sure that your Listen directives match your <VirtualHost> directives: a <VirtualHost *:443> block does nothing unless Apache also has a Listen 443 directive, and the kernel will refuse connections on a port nobody is listening on. If all else fails, please start afresh, using the default configuration provided by mod_ssl.
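A pre-start check for the Listen/VirtualHost mismatch described in Questions 2 and 4, as an added example that is not part of the original FAQ. The configuration text is constructed for the example: the first fragment binds an HTTPS virtual host to *:443 while the only Listen directive names port 80, which is exactly the "connection refused" situation; the second fragment is the corrected form with one Apache instance serving HTTP on 80 and HTTPS on 443. The file paths and hostname are assumptions.

```shell
#!/bin/sh
# Constructed sample configuration (not from the original page): the HTTPS
# vhost is bound to *:443 but the only Listen directive names port 80, so
# nothing ever accepts a connection on 443.
BROKEN_CONF='Listen 80
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>'

# The corrected configuration: both ports are listened on, one Apache
# instance serves HTTP on 80 and HTTPS on 443.
FIXED_CONF="Listen 443
$BROKEN_CONF"

# Ports named by Listen directives ("Listen 80", "Listen [::]:443 https"),
# one per line, de-duplicated. Apache directives are case-insensitive; this
# check matches the conventional capitalisation only.
listen_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}\(.*\)$/\1/p' \
        | sed 's/[[:space:]].*//; s/.*://' \
        | sort -u
}

# Ports named in <VirtualHost ...> openings, including multi-address forms
# such as <VirtualHost 10.0.0.1:80 *:443>. Entries without a port are skipped.
vhost_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]\{1,\}\([^>]*\)>.*$/\1/p' \
        | tr ' ' '\n' \
        | sed 's/.*://' \
        | grep -E '^[0-9]+$' \
        | sort -u
}

# Ports a VirtualHost binds to that no Listen directive opens.
unlistened_vhost_ports() {
    lp=$(listen_ports "$1")
    for p in $(vhost_ports "$1"); do
        printf '%s\n' "$lp" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Returns 0 when every VirtualHost port is listened on, 1 otherwise.
check_conf() {
    missing=$(unlistened_vhost_ports "$1")
    if [ -n "$missing" ]; then
        echo "VirtualHost ports without a Listen directive:" $missing
        return 1
    fi
    echo "every VirtualHost port has a matching Listen directive"
}

check_conf "$BROKEN_CONF" || true
check_conf "$FIXED_CONF"
```

Run it against the text of httpd.conf (and any included files) before restarting the server; a port reported by unlistened_vhost_ports is a virtual host that will never answer.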

Question 5. Why Are The SSL_XXX Variables Not Available To My CGI & SSI Scripts?

Answer :

Please make sure you have "SSLOptions +StdEnvVars" enabled for the context of your CGI/SSI requests. The standard SSL_* environment variables (SSL_PROTOCOL, SSL_CIPHER, SSL_CLIENT_S_DN and so on) are not exported by default because extracting them costs CPU time on every request, so they must be switched on explicitly.

Question 6. What Are RSA Private Keys, CSRs And Certificates?

Answer :

An RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you.

A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA), who will convert it into a real Certificate, by signing it.

A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA.

Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt. With RSA key exchange that is literally what happens; with (EC)DHE cipher suites the private key instead signs the handshake, but the trust chain from CA signature to server public key works the same way.
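The three artefacts from the answer above, built with the openssl tool as an added example that is not part of the original FAQ: an RSA private key, a CSR carrying its public half plus the server name, and a certificate issued by a CA that signs the CSR. A throw-away CA is generated locally so that the script runs offline; in practice the CSR goes to a real CA. The hostname www.example.com, the file names and the validity period are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the page's own commands). Builds key, CSR and
# certificate, then performs the checks a browser performs: verify the CA's
# signature and extract the server's public key from the certificate.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.com    # assumed hostname for the example

# 1. RSA private key for the server (unencrypted; see the pass-phrase questions).
gen_server_key() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
}

# 2. CSR: the public key from server.key plus the subject name, self-signed
#    with server.key so the CA can tell that the requester holds the private key.
gen_csr() {
    openssl req -new -key "$WORK/server.key" -subj "/CN=$HOST" \
        -out "$WORK/server.csr"
}

# 3. The CA: a self-signed certificate and its own private key.
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 4. The CA turns the CSR into a certificate by signing it. The subjectAltName,
#    which is what browsers actually match the hostname against, is supplied
#    from an extension file here.
sign_csr() {
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# What a browser that trusts the CA does: check the CA's signature ...
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null
}

# ... and thereby obtain the server's public key, which must be the public
# half of server.key (both compared as SubjectPublicKeyInfo PEM).
cert_matches_key() {
    [ "$(openssl rsa -in "$WORK/server.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" ]
}

# A certificate whose issuer is not among the trusted CAs is rejected: here
# the server certificate itself is offered as the only trust anchor.
verify_against_wrong_anchor() {
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

gen_server_key && gen_csr && gen_ca && sign_csr
verify_cert && cert_matches_key && echo "certificate verifies and matches server.key"
```

The private key never leaves the server: only server.csr is sent to the CA, and only server.crt (plus the CA chain) is handed to clients.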

Question 7. Is There A Difference On Startup Between A Non-SSL-Aware Apache And An SSL-Aware Apache?

Answer :

Yes. In general, starting Apache with mod_ssl built in is just like starting Apache without it. However, if you have a pass-phrase on your SSL private key file, a startup dialog will pop up which asks you to enter the pass-phrase.

Having to manually enter the pass-phrase when starting the server can be problematic, for example when starting the server from the system boot scripts. In this case, you can follow the steps below (Question 9) to remove the pass-phrase from your private key. Bear in mind that doing so brings additional security risks; proceed with caution!

Question 8. How Can I Change The Pass-Phrase On My Private Key File?

Answer :

You simply have to read it with the old pass-phrase and write it again, specifying the new pass-phrase.

You can accomplish this with the following commands:

$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key

The first time you're asked for a PEM pass-phrase, you should enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase; this time, use the new pass-phrase. If you are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time. (The -des3 option encrypts the new file with Triple-DES; -aes256 is the stronger choice on any reasonably current OpenSSL.)

Question 9. How Can I Get Rid Of The Pass-Phrase Dialog At Apache Startup Time?

Answer :

The reason this dialog pops up at startup and on every restart is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server; proceed with caution!

1. Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

2. Make sure the server.key file is only readable by root:

$ chmod 400 server.key

Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root). The encrypted backup server.key.org deserves the same protection: it is the same key, just behind a pass-phrase.

As an alternative approach you can use the "SSLPassPhraseDialog exec:/path/to/program" facility, which lets a program of your choosing supply the pass-phrase at startup. Bear in mind that this is neither more nor less secure, of course: whatever the program reads the pass-phrase from must be protected exactly as the unencrypted key would be.
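A non-interactive run of the two procedures above (Question 8: change the pass-phrase; Question 9: remove it and lock the file down), as an added example that is not part of the original FAQ, with a check after each step that the key opens only with the pass-phrase it should. Pass-phrases are supplied with -passin/-passout pass:... for demonstration only; in production prefer the file: or env: sources so they do not show up in the process list. The key is encrypted with AES-256 rather than the -des3 used above. File names and pass-phrases are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the page's own commands): pass-phrase change and removal
# on an RSA key, with checks between the steps.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OLD=old-secret    # assumed pass-phrases for the example
NEW=new-secret

# Fresh 2048-bit RSA key, stored pass-phrase protected from the start.
make_encrypted_key() {
    rm -f "$WORK/server.key" "$WORK/server.key.org"   # a previous run may have left a mode-0400 file
    openssl genrsa -out "$WORK/plain.key" 2048 2>/dev/null
    openssl rsa -aes256 -in "$WORK/plain.key" -passout "pass:$OLD" \
        -out "$WORK/server.key" 2>/dev/null
    rm -f "$WORK/plain.key"
}

# True when the key can be decrypted and parsed with the given pass-phrase
# (openssl rsa exits non-zero on a wrong pass-phrase).
key_opens_with() {
    openssl rsa -in "$WORK/server.key" -passin "pass:$1" -noout -check >/dev/null 2>&1
}

# True when the PEM on disk is still encrypted (both the traditional
# "Proc-Type: 4,ENCRYPTED" header and PKCS#8 "ENCRYPTED PRIVATE KEY" match).
key_is_encrypted() {
    grep -q ENCRYPTED "$WORK/server.key"
}

# Question 8: read with the old pass-phrase, write with the new one.
change_passphrase() {
    openssl rsa -aes256 -in "$WORK/server.key" -passin "pass:$1" \
        -passout "pass:$2" -out "$WORK/server.key.new" 2>/dev/null
    mv "$WORK/server.key.new" "$WORK/server.key"
}

# Question 9: keep the encrypted original, write a plaintext copy, restrict it.
remove_passphrase() {
    cp "$WORK/server.key" "$WORK/server.key.org"
    openssl rsa -in "$WORK/server.key.org" -passin "pass:$1" \
        -out "$WORK/server.key" 2>/dev/null
    chmod 400 "$WORK/server.key"
}

# True when server.key is exactly mode 0400 (readable by its owner only).
key_mode_is_400() {
    [ -n "$(find "$WORK/server.key" -perm 400)" ]
}

make_encrypted_key
change_passphrase "$OLD" "$NEW"
remove_passphrase "$NEW"
key_mode_is_400 && echo "server.key is unencrypted and mode 0400"
```

After remove_passphrase the unencrypted key is protected only by file permissions and by who can run as its owner; that is the trade-off the answer above warns about.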

Question 10. Why Do I Get Lots Of Random SSL Protocol Errors Under Heavy Server Load?

Answer :

There can be a number of reasons for this, but the main one is problems with the SSL session cache specified by the SSLSessionCache directive. The DBM session cache is the most likely source of the problem, so using the shared-memory (shmcb) session cache, or no cache at all, may help.

Question 11. Why Does My Webserver Have A Higher Load, Now That It Serves SSL Encrypted Traffic?

Answer :

SSL uses strong cryptographic encryption, which necessitates a lot of number crunching. When you request a web page via HTTPS, everything (even the images) is encrypted before it is transferred, and each new connection additionally costs a handshake with public key operations. So increased HTTPS traffic leads to load increases.

Question 12. Why Do HTTPS Connections To My Server Sometimes Take Up To 30 Seconds To Establish A Connection?

Answer :

This is usually caused by a /dev/random device for SSLRandomSeed which blocks the read(2) call until enough entropy is available to service the request. Seeding from /dev/urandom instead does not block. More information is available in the reference manual for the SSLRandomSeed directive.

Question 13. What SSL Ciphers Are Supported By mod_ssl?

Answer :

Usually, any SSL ciphers supported by the version of OpenSSL in use are also supported by mod_ssl. Which ciphers are available can depend on how you built OpenSSL.

Typically, at least the following ciphers are supported:

RC4 with SHA1
AES with SHA1
Triple-DES with SHA1

Of these, only AES is acceptable today: RC4 is prohibited for TLS by RFC 7465 and Triple-DES has a 64-bit block size, so both should be excluded from SSLCipherSuite. To determine the actual list of ciphers available, you should run the following:

$ openssl ciphers -v

Question 14. Why Do I Get "No Shared Cipher" Errors When Trying To Use Anonymous Diffie-Hellman (ADH) Ciphers?

Answer :

By default, OpenSSL does not allow ADH ciphers, for security reasons. Anonymous Diffie-Hellman provides no server authentication at all, so an attacker on the path can sit in the middle of the connection unnoticed. Please make sure you are aware of this before you choose to enable these ciphers.

In order to use Anonymous Diffie-Hellman (ADH) ciphers, you have to build OpenSSL with "-DSSL_ALLOW_ADH", and then add "ADH" into your SSLCipherSuite.

Question 15. Why Do I Get A "No Shared Ciphers" Error When Connecting To My Newly Installed Server?

Answer :

Either you have made a mistake with your SSLCipherSuite directive (compare it with the pre-configured example in extra/httpd-ssl.conf) or you chose to use DSA/DH algorithms instead of RSA when you generated your private key and ignored or overlooked the warnings. If you have chosen DSA/DH, then your server cannot communicate using RSA-based SSL ciphers (at least until you configure an additional RSA-based certificate/key pair). The browsers of the time, Netscape and IE, could only speak SSL using RSA ciphers. The result is the "no shared ciphers" error. To fix this, regenerate your server certificate/key pair, using the RSA algorithm.
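Questions 13 to 15 all come down to what a cipher-suite string actually resolves to. The script below, an added example that is not part of the original FAQ, expands a string the way OpenSSL (and therefore mod_ssl's SSLCipherSuite) interprets it, so that a suite selecting nothing (every handshake then fails with "no shared cipher"), or one that quietly re-admits anonymous or legacy ciphers, is caught before Apache is started. The suite strings are constructed for the example.

```shell
#!/bin/sh
# Added example (not the page's own commands): resolve and assess a cipher
# string before putting it into SSLCipherSuite.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; exit 0; }

# The concrete ciphers a suite string selects, one per line in the same
# "NAME VERSION Kx= Au= Enc= Mac=" form as "openssl ciphers -v". Exits
# non-zero (OpenSSL reports "Error in cipher list") when nothing matches.
resolve_suite() {
    openssl ciphers -v "$1" 2>/dev/null
}

# Number of ciphers the suite selects. Zero means every client will be
# refused with "no shared cipher", whatever it offers.
suite_size() {
    resolve_suite "$1" | grep -c .
}

# True when the suite still admits anonymous key exchange (ADH/AECDH, shown
# as Au=None): no server authentication, hence open to man-in-the-middle.
suite_allows_anonymous() {
    resolve_suite "$1" | grep -q 'Au=None'
}

# True when the suite admits RC4 or Triple-DES, both listed in Question 13
# as "typically supported" and both unacceptable today.
suite_allows_legacy() {
    resolve_suite "$1" | grep -Eq 'Enc=(RC4|3DES)'
}

# One-line report for a suite string as it would appear in SSLCipherSuite.
report_suite() {
    n=$(suite_size "$1")
    printf '%-40s %3s ciphers' "$1" "$n"
    suite_allows_anonymous "$1" && printf ' [anonymous allowed]'
    suite_allows_legacy "$1" && printf ' [RC4/3DES allowed]'
    printf '\n'
}

report_suite 'HIGH:!aNULL:!MD5'          # a sane baseline
report_suite 'ALL:!ADH:RC4+RSA:+HIGH'    # FAQ-era style string
report_suite 'NO-SUCH-CIPHER'            # a typo: resolves to nothing
```

On OpenSSL 1.1.1 and later the TLS 1.3 suites are listed in front of whatever the string selects; they show Au=any and never match the legacy patterns, so the checks above stay meaningful.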

Question 16. Why Can't I Use SSL With Name-Based/Non-IP-Based Virtual Hosts?

Answer :

The reason is very technical, and a rather "chicken and egg" problem. The SSL protocol layer sits below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established, Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look up the cipher suite, the server certificate, and so on). But in order to go to the right virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header must be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase.

Note that if you have a wildcard SSL certificate, or a certificate that has multiple hostnames on it using subjectAltName fields, you can use SSL on name-based virtual hosts without further workarounds, because every virtual host can then present the same certificate. The general solution is Server Name Indication (SNI), a TLS extension in which the client sends the intended hostname inside its ClientHello, before the certificate is chosen; Apache 2.2.12 and later support it when built against an OpenSSL with TLS extensions enabled, and all current browsers send it.

Question 17. How Do I Get SSL Compression Working?

Answer :

Although SSL compression negotiation was defined in the specification of SSLv2 and TLS, it took until May 2004 for RFC 3749 to define DEFLATE as a negotiable standard compression method.

OpenSSL 0.9.8 started to support this by default when compiled with the zlib option. If both the client and the server support compression, it will be used. However, most clients still try to initially connect with an SSLv2 Hello.

As SSLv2 did not include an array of preferred compression algorithms in its handshake, compression cannot be negotiated with these clients. If the client disables support for SSLv2, either an SSLv3 or TLS Hello may be sent, depending on which SSL library is used, and compression may be set up. You can verify whether clients make use of SSL compression by logging the %{SSL_COMPRESS_METHOD}x variable.

Caveat: TLS-level compression was later shown to leak secrets such as session cookies through the compressed size of the ciphertext (the CRIME attack, 2012). Current Apache releases therefore ship with SSLCompression off, current browsers no longer offer compression, and it should be left disabled; compress at the HTTP layer instead if you need it.

Question 18. When I Use Basic Authentication Over HTTPS The Lock Icon In Netscape Browsers Stays Unlocked When The Dialog Pops Up. Does This Mean The Username/Password Is Being Sent Unencrypted?

Answer :

No, the username/password is transmitted encrypted. The icon in Netscape browsers is not actually synchronized with the SSL/TLS layer. It only toggles to the locked state when the first part of the actual web page data is transferred, which may confuse people. The Basic Authentication facility is part of the HTTP layer, which is above the SSL/TLS layer in HTTPS. Before any HTTP data communication takes place in HTTPS, the SSL/TLS layer has already completed its handshake phase and switched to encrypted communication. So don't be confused by this icon.

Question 19. How Do I Enable TLS-SRP?

Answer :

TLS-SRP (Secure Remote Password key exchange for TLS, specified in RFC 5054) can supplement or replace certificates in authenticating an SSL connection. To use TLS-SRP, set the SSLSRPVerifierFile directive to point to an OpenSSL SRP verifier file.

To create the verifier file, use the openssl tool:

openssl srp -srpvfile passwd.srpv -add username

After creating this file, specify it in the SSL server configuration:

SSLSRPVerifierFile /path/to/passwd.srpv

To force clients to use non-certificate TLS-SRP cipher suites, use the following directive:

SSLCipherSuite "!DSS:!aRSA:SRP"
