Useful tasks done with SSL and OpenSSL.
Qualys SSL Labs'
Incomplete trust chains might trigger issues in some clients (e.g., mobiles). This happens, for example, with Gandi's standard SSL certificates. But this is easily solved (http://wiki.gandi.net/en/hosting/using-linux/tutorials/ubuntu/ssl).
Gandi's intermediate CA certificate is needed:
$ <in>wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem</in>
And Apache needs to be told to provide it:
<VirtualHost *:443>
    ServerName www.example.net
    [...]
    SSLEngine on
    [...]
    SSLCertificateChainFile /PATH/TO/GandiStandardSSLCA.pem
    SSLVerifyClient None
</VirtualHost>
Alternatively, the intermediate certificate can be concatenated with the server certificate, which is then served normally:
$ cat $SERVER.crt GandiStandardSSLCA.pem
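The effect of a missing intermediate can be reproduced offline. This is an added example, not part of the original page: it builds a throwaway root, intermediate and leaf (all names constructed) and verifies the leaf against the root alone, first with only the leaf "served", then with the leaf and intermediate concatenated as above.

```shell
#!/bin/sh
# Added example: constructed PKI (root -> intermediate -> leaf); all names are made up.
mk_req() {  # $1 = file prefix, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

# Prints OK if leaf.pem verifies against root.pem, FAIL otherwise.
# $1 = file holding the certificates the server would send.
check_chain() {
    if openssl verify -CAfile root.pem -untrusted "$1" leaf.pem 2>/dev/null \
        | grep -q ': OK$'
    then echo OK; else echo FAIL; fi
}

chain_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # Extensions that mark a certificate as a CA.
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
        mk_req root "Example Root CA"
        mk_req inter "Example Intermediate CA"
        mk_req leaf "www.example.net"
        openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
            -days 30 -out root.pem 2>/dev/null
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -extfile ca.ext -days 30 -out inter.pem 2>/dev/null
        openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
            -CAcreateserial -days 30 -out leaf.pem 2>/dev/null
        # Incomplete chain: the server sends the leaf only.
        cp leaf.pem served-leaf-only.pem
        # Complete chain: leaf followed by the intermediate.
        cat leaf.pem inter.pem > served-full.pem
        echo "leaf-only:$(check_chain served-leaf-only.pem) with-intermediate:$(check_chain served-full.pem)"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}
chain_demo
```

The client here trusts only the root, which is the situation of a client that has never cached the intermediate.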
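# Stop using SSLv2 and SSLv3 (POODLE)
# 'all' is required: with only '-' entries the protocol set starts out empty
SSLProtocol all -SSLv2 -SSLv3
# Disable weak ciphers
# Note: RC4+RSA keeps RC4 suites enabled; RFC 7465 prohibits RC4 in TLS
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLInsecureRenegotiation off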
$ <in>export SERVER=`hostname -f`</in>
$ <in>openssl genrsa -out /etc/ssl/private/$SERVER.key 4096</in>
From (there).
In /etc/ssl/openssl-$SERVER.cnf
(or the system's, but it's not as tidy):
[req]
...
req_extensions = v3_req
...
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate...
subjectAltName = @alt_names

[alt_names]
DNS.1 = IPADDRESS
DNS.2 = SECONDNAME
DNS.3 = THIRDNAME
...
The certificate request is then generated as usual, but the custom configuration file is specified.
$ <in>openssl req -config /etc/ssl/openssl-$SERVER.cnf -new -key /etc/ssl/private/$SERVER.key -out /etc/ssl/$SERVER.csr</in>
$ <in>openssl x509 -req -days 1000 -in /etc/ssl/$SERVER.csr -signkey /etc/ssl/private/$SERVER.key -extfile /etc/ssl/openssl-$SERVER.cnf -extensions v3_req -out /etc/ssl/$SERVER.crt</in>
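When self-signing from a CSR, `openssl x509 -req` does not copy the extensions requested in the CSR by default, so the alternative names have to be supplied again at signing time. The following added example (not from the original page; `www.example.net` and `alt.example.net` are constructed names) signs the same request twice and reports where the subjectAltName survives.

```shell
#!/bin/sh
# Added example; www.example.net and alt.example.net are constructed names.
# Prints "yes" if the request or certificate carries the alternative name.
has_san() {  # $1 = openssl subcommand (req or x509), $2 = file
    if openssl "$1" -in "$2" -noout -text 2>/dev/null | grep -q 'DNS:alt\.example\.net'
    then echo yes; else echo no; fi
}

san_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = www.example.net
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.net
DNS.2 = alt.example.net
EOF
        openssl genrsa -out srv.key 2048 2>/dev/null
        openssl req -config req.cnf -new -key srv.key -out srv.csr 2>/dev/null
        # Self-sign without an extension file: requested extensions are dropped.
        openssl x509 -req -days 30 -in srv.csr -signkey srv.key \
            -out plain.crt 2>/dev/null
        # Self-sign again, naming the section that holds the extensions.
        openssl x509 -req -days 30 -in srv.csr -signkey srv.key \
            -extfile req.cnf -extensions v3_req -out san.crt 2>/dev/null
        echo "csr:$(has_san req srv.csr) plain:$(has_san x509 plain.crt) extfile:$(has_san x509 san.crt)"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}
san_demo
```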
$ <in>openssl x509 -inform der -in /etc/ssl/$SERVER.crt -out /etc/ssl/$SERVER.pem</in>
Reference: How to generate self-signed SSL certificates
$ <in>openssl rsa -aes256 -in /etc/ssl/private/$SERVER.key -out /etc/ssl/private/$SERVER-newpass.key -passout "pass:PASS"</in>
$ <in>openssl req|x509|rsa -in /etc/ssl/$SERVER.crt -text</in>
$ <in>openssl s_client -connect www.narf.ssji.net:443</in>
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=distant-sun.narf.ssji.net
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=distant-sun.narf.ssji.net
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 2983 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: C68B84A9F17B7F2FB2B5E043272B41BC37C34AA826D6B6458C321DE103BD95FC
    Session-ID-ctx:
    Master-Key: E9BFE1B8E6E7B26895541B5E87CC76D7E9E5FD620DE9BB5BDA2B2CFC446F17323CE79717466F8EEC828C1FC2C9E8C770
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    [...]
    Start Time: 1291767269
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
<in>HEAD / HTTP/1.1
Host: www.narf.ssji.net
</in>
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:15:08 GMT
Server: Apache
Content-Location: index.xhtml
Vary: negotiate
TCN: choice
Content-Type: application/xhtml+xml
It also works for connections that are upgraded to TLS with STARTTLS.
$ <in>openssl s_client -connect SMTP:587 -starttls smtp</in>
[... certificate details ...]
---
250 XRDST
$ <in>echo | openssl s_client -connect HOST:PORT | sed '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/!d' > HOST.crt</in>
verify error:num=19:self signed certificate in certificate chain
verify return:0
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
<in>^D</in>
DONE
The same can be done to get the fingerprint, with some more filtering:
$ <in>echo | openssl s_client -connect HOST:PORT | sed '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/!d' | openssl x509 -fingerprint -noout</in>
<in>^D</in>
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE
SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
$ <in>echo | openssl s_client -servername VIRTUALHOST -connect localhost:443 2>/dev/null | grep CN</in>
 0 s:/CN=VIRTUALHOST
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
subject=/CN=VIRTUALHOST
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root