W 11: Configuring a Local HTTPS Server (10 pts extra)

What You Need

Purpose

To make a local server with a self-signed HTTPS certificate.

Installing Apache

On your Linux machine, execute these commands:

sudo apt update
sudo apt install apache2 -y
sudo ss -nltp

Apache is listening on port 80, as shown below.

Finding your Server's IP Address

On your Linux machine, execute this command:

ip a

Find the IP address that can reach your host machine (not the localhost address), highlighted in the image below:

Testing your Apache Server

In a Web browser, go to this address, replacing the IP address with the IP address of your server:
http://34.69.247.115

You should see the default Apache page, as shown below.

Local DNS Configuration

Find your host machine's hosts file and edit it. The process is different for different operating systems.

On Windows, open Notepad as Administrator and open this file:

C:\Windows\System32\drivers\etc\hosts

On macOS, in a Terminal window, execute this command:

sudo nano /etc/hosts

Choose a domain name to use for this project, such as:

yourname-https.net

You don't have to actually purchase that domain name. It will only work from your host system.

Add a DNS record to your hosts file connecting your local server's IP address to that name, as shown below.

Save your changes to the hosts file.

In a Web browser, go to this URL, replacing the domain name with the domain name you chose:

http://yourname-https.net

You should see the default Apache page, as shown below.

Generating a Self-Signed Certificate

On your Linux machine, execute these commands:

sudo mkdir -p /etc/ssl/certs
sudo mkdir -p /etc/ssl/private
sudo make-ssl-cert generate-default-snakeoil --force-overwrite

Installing the Certificate into Apache

On your Linux machine, execute these commands:

sudo a2enmod ssl
sudo nano /etc/apache2/sites-available/yourname-https.net.conf

Enter this data, adjusting the domain name to match your chosen domain name:

<VirtualHost *:443>
# Hostname this virtual host answers to
ServerName yourname-https.net
SSLEngine On
# Self-signed certificate and private key generated in the previous step
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>

Save the file with Ctrl+X, Y, Enter.

Execute these commands to enable the new site and restart Apache, adjusting the domain name to match your chosen domain name:


sudo a2ensite yourname-https.net
sudo service apache2 restart

Testing your HTTPS Server

In a Web browser, go to this address, replacing the domain name with the domain name you chose:
https://yourname-https.net

The page shows a warning message, as shown below. It may look somewhat different, depending on your browser.

Click through the warning to view the page.

Sending Pings

On your host system, in a Terminal, execute this command, replacing the domain name with the domain name you chose:

ping yourname-https.net

Using Wireshark to Examine the HTTPS Handshake

On your host system, launch Wireshark. If you don't have Wireshark, get it from https://www.wireshark.org/

Start sniffing on the interface that carries traffic from your host system to your virtual machine.

If you are using VMware in NAT mode, it might be named vmnet8 or vmnet 3.

You'll know it's the right interface when you see the pings, as shown below.

In Wireshark, at the top left, enter this display filter:

tcp.port==443

Press Enter to activate the filter.

In your web browser, refresh this page:

https://yourname-https.net

When the page loads, stop Wireshark capturing.

Flag W 11.1: Revocation status (10 pts)

Find the Client Hello packet.

Expand the TLS section, as shown below, to see the Cipher Suites.

The flag is covered by a green rectangle in the image below.

Hint: If you don't see the flag, use the Chrome browser.
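
To show what Wireshark is decoding when you expand the Cipher Suites list, here is an added example (not part of the original lab) that parses the same fields from the raw bytes of a Client Hello. It assumes the whole Client Hello fits in one TLS record; the sample bytes are constructed, and the name table is a small subset of the IANA registry.

```python
import struct

# Subset of the IANA TLS cipher suite registry, enough for the sample below.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}

def suite_name(value):
    # GREASE placeholders (RFC 8701) look like 0x0A0A, 0x1A1A, ... 0xFAFA.
    if (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A:
        return "GREASE"
    return SUITE_NAMES.get(value, "unknown 0x%04X" % value)

def parse_client_hello(record):
    """Return the version and offered cipher suites from one TLS record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x01:
        raise ValueError("truncated record or not a Client Hello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        version = struct.unpack("!H", hello[0:2])[0]
        pos = 2 + 32                      # skip legacy_version and random
        pos += 1 + hello[pos]             # skip session_id
        n = struct.unpack("!H", hello[pos:pos + 2])[0]
    except (IndexError, struct.error):
        raise ValueError("truncated Client Hello")
    raw = hello[pos + 2:pos + 2 + n]
    if len(raw) != n or n % 2:
        raise ValueError("bad cipher suite list length")
    ids = struct.unpack("!%dH" % (n // 2), raw)
    return {"version": version, "cipher_suites": [suite_name(i) for i in ids]}

def build_sample():
    """Constructed Client Hello record (not captured traffic)."""
    suites = struct.pack("!5H", 0x2A2A, 0x1301, 0x1302, 0xC02F, 0x009C)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, no session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00" + b"\x00\x00")           # null compression, no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(parse_client_hello(build_sample()))
```

The GREASE entry is a placeholder value some browsers put in the list, not a real cipher suite.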


Posted 3-2-25