
SSL Tips

Useful tasks done with SSL and OpenSSL.

Test SSL clients and servers

Apache

Provide intermediary certificates in the chain

Incomplete trust chains might trigger issues in some clients (e.g., mobiles). This happens, for example, with Gandi's standard SSL certificates, but this is easily solved (see http://wiki.gandi.net/en/hosting/using-linux/tutorials/ubuntu/ssl).

Gandi's intermediate CA certificate is needed:

$ wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem

And Apache needs to be told to provide it:

httpd.conf
  <VirtualHost *:443>
 
        ServerName www.example.net
        [...]
        SSLEngine on
        [...]
        SSLCertificateChainFile /PATH/TO/GandiStandardSSLCA.pem
        SSLVerifyClient None
  </VirtualHost>

Alternatively, the intermediate certificate can be concatenated with the server certificate, which is then served normally:

$ cat $SERVER.crt GandiStandardSSLCA.pem > $SERVER.chained.crt   # output file name is an example
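
An added example (not from the original page) that reproduces the incomplete-chain problem offline: it builds a root CA, an intermediate CA and a server certificate in a scratch directory, then validates the server certificate as a client that trusts only the root would. The CA names, file names and `www.example.net` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page. The CA names and www.example.net are
# constructed; inter.crt plays the role of GandiStandardSSLCA.pem.

# make_chain DIR: create root CA -> intermediate CA -> server certificate in DIR
make_chain() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$d/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Root CA" -days 30 \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -extensions ca_ext -days 30 \
        -out "$d/inter.crt" 2>/dev/null
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=www.example.net" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -out "$d/leaf.crt" 2>/dev/null
}

# verify_served DIR [FILE]: validate leaf.crt as a client that trusts only the root,
# optionally given FILE as the extra (untrusted) certificates sent by the server
verify_served() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/leaf.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
    fi
}

tmp=$(mktemp -d)
make_chain "$tmp"
verify_served "$tmp" || echo "leaf only: verification fails"
verify_served "$tmp" "$tmp/inter.crt" && echo "leaf + intermediate: verification succeeds"
rm -rf "$tmp"
```

The second call also accepts a file holding the server certificate followed by the intermediate, which is the concatenated form described above.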

Disable Insecure Protocols and Ciphers

httpd.conf
# Stop using SSLv2 and SSLv3 (POODLE)
SSLProtocol all -SSLv2 -SSLv3
 
# Disable weak ciphers
# RC4+RSA keeps RC4 suites enabled; append :!RC4 to drop them (RFC 7465 prohibits RC4)
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Disable TLS Renegotiation (DoS vector; Apache>=2.2)

httpd.conf
SSLInsecureRenegotiation off

OpenSSL

Key and certificate manipulation

The key

$ export SERVER=`hostname -f`
$ openssl genrsa -out /etc/ssl/private/$SERVER.key 4096

The certificate request

Several AltNames for a single certificate

From (there).

In /etc/ssl/openssl-$SERVER.cnf (or the system's, but it's not as tidy):

[req]
...
req_extensions = v3_req

...

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate...
subjectAltName          = @alt_names

[alt_names]
# IP addresses go in IP.n entries, host names in DNS.n entries
IP.1 = IPADDRESS
DNS.1 = SECONDNAME
DNS.2 = THIRDNAME
...

The certificate request is then generated as usual, except that the custom configuration file is passed with -config.

$ openssl req -config /etc/ssl/openssl-$SERVER.cnf -new -key /etc/ssl/private/$SERVER.key -out /etc/ssl/$SERVER.csr

The certificate

$ openssl x509 -req -days 1000 -in /etc/ssl/$SERVER.csr -signkey /etc/ssl/private/$SERVER.key -extfile /etc/ssl/openssl-$SERVER.cnf -extensions v3_req -out /etc/ssl/$SERVER.crt
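
An added example (not from the original page) that runs the key, request and certificate steps in a scratch directory and reads the alternative names back from each file. It shows that names requested in the CSR reach the self-signed certificate only when the extension section is named again with `-extfile`/`-extensions`. `host.example.net`, `www.example.net` and `192.0.2.10` are constructed sample names.

```shell
#!/bin/sh
# Added example, not from the original page. host.example.net, www.example.net
# and 192.0.2.10 are constructed sample names.

# san_of FILE KIND: print the SAN line of a CSR (KIND=req) or certificate (KIND=x509)
san_of() {
    openssl "$2" -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# build_demo DIR: write the config, then a key, a CSR and two self-signed certificates
build_demo() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = host.example.net
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = host.example.net
DNS.2 = www.example.net
IP.1 = 192.0.2.10
EOF
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl req -config "$1/openssl.cnf" -new -key "$1/key.pem" -out "$1/req.csr"
    # By default x509 -req does not copy the extensions requested in the CSR: no SAN here
    openssl x509 -req -days 30 -in "$1/req.csr" -signkey "$1/key.pem" \
        -out "$1/bare.crt" 2>/dev/null
    # Naming the extension section again puts the SANs into the certificate
    openssl x509 -req -days 30 -in "$1/req.csr" -signkey "$1/key.pem" \
        -extfile "$1/openssl.cnf" -extensions v3_req -out "$1/san.crt" 2>/dev/null
}

tmp=$(mktemp -d)
build_demo "$tmp"
echo "CSR:              $(san_of "$tmp/req.csr" req)"
echo "cert, no extfile: $(san_of "$tmp/bare.crt" x509)"
echo "cert, extfile:    $(san_of "$tmp/san.crt" x509)"
rm -rf "$tmp"
```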

Convert a binary certificate to PEM

$ openssl x509 -inform der -in /etc/ssl/$SERVER.crt -out /etc/ssl/$SERVER.pem

Reference: How to generate self-signed SSL certificates

Change a key's passphrase

$ openssl rsa -aes256 -in /etc/ssl/private/$SERVER.key -out /etc/ssl/private/$SERVER-newpass.key -passout "pass:PASS"

Read the content of a certificate request/certificate/key

$ openssl x509 -in /etc/ssl/$SERVER.crt -text
# use "openssl req" for a certificate request and "openssl rsa" for a key

Manually connect to an SSL secured port

$ openssl s_client -connect www.narf.ssji.net:443
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=distant-sun.narf.ssji.net
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=distant-sun.narf.ssji.net
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 2983 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C68B84A9F17B7F2FB2B5E043272B41BC37C34AA826D6B6458C321DE103BD95FC
    Session-ID-ctx:
    Master-Key: E9BFE1B8E6E7B26895541B5E87CC76D7E9E5FD620DE9BB5BDA2B2CFC446F17323CE79717466F8EEC828C1FC2C9E8C770
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    [...]

    Start Time: 1291767269
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
HEAD / HTTP/1.1
Host: www.narf.ssji.net

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:15:08 GMT
Server: Apache
Content-Location: index.xhtml
Vary: negotiate
TCN: choice
Content-Type: application/xhtml+xml

It also works for connections upgraded to TLS with STARTTLS.

$ openssl s_client -connect SMTP:587 -starttls smtp
[... certificate details ...]
---
250 XRDST

Get remote certificate

$ echo | openssl s_client -connect HOST:PORT | sed '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/!d' > HOST.crt
verify error:num=19:self signed certificate in certificate chain
verify return:0
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
^D
DONE

The same can be done to get the fingerprint, with some more filtering:

$ echo | openssl s_client -connect HOST:PORT | sed '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/!d' | openssl x509 -fingerprint -noout
^D
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE
SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

Test Server Name Indication (SNI) with HTTPS

$ echo | openssl s_client -servername VIRTUALHOST -connect localhost:443 2>/dev/null | grep CN
 0 s:/CN=VIRTUALHOST
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
subject=/CN=VIRTUALHOST
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
tips/ssl.txt · Last modified: 2015-05-01 04:37 by shtrom