Outils pour utilisateurs

Outils du site

Panneau latéral




Ham Radio






Ceci est une ancienne révision du document !

SSL Tips

Useful tasks done with SSL and OpenSSL.

Test SSL clients and servers

Provide intermediary certificates in the chain

Incomplete trust chains might trigger issues in some clients (e.g., mobiles). This happens for example, with Gandi's standard SSL certificates. But http://wiki.gandi.net/en/hosting/using-linux/tutorials/ubuntu/sslthis is easily solved.

Gandi's intermediate CA certificate is needed:

$ <in>wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem</in>

And Apache needs to be told to provide it

  <VirtualHost *:443>
        ServerName www.example.net
        SSLEngine on
        SSLCertificateChainFile /PATH/TO/GandiStandardSSLCA.pem
        SSLVerifyClient None

Alternatively, the intermediate certificate can be concatenated with the server certificate, which is then served normally:

$ cat GandiStandardSSLCA.pem $SERVER.crt

Apache however doesn't appear to serve it properly (but I didn't check thoroughly as the other approach worked).


Key and certificate manipulation

The key

$ <in>export SERVER=`hostname -f`</in>
$ <in>openssl genrsa -out /etc/ssl/private/$SERVER.key 4096</in>

The certificate request

Several AltNames for a single certificate

From (there).

In /etc/ssl/openssl-$SERVER.cnf (or the system's, but it's not as tidy):

req_extensions = v3_req


[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate...
subjectAltName          = @alt_names


The certificate request is then generated as usual, but the custom configuration file is specified.

$ <in>openssl req -config /etc/ssl/openssl-$SERVER.cnf -new -key /etc/ssl/private/$SERVER.key -out /etc/ssl/$SERVER.csr</in>

The certificate

$ <in>openssl x509 -config /etc/ssl/openssl-$SERVER.cnf -req -days 1000 -in /etc/ssl/$SERVER.csr -signkey /etc/ssl/private/$SERVER.key -out /etc/ssl/$SERVER.crt</in>

Convert a binary certificate to PEM

$ <in>openssl x509 -inform der -in /etc/ssl/$SERVER.crt -out /etc/ssl/$SERVER.pem</in>

Reference: How to generate self-signed SSL certificates

Change a key's passphrase

$ <in>openssl rsa -in /etc/ssl/private/$SERVER.key -out /etc/ssl/private/$SERVER-newpass.key -passout "pass:PASS"</in>

Read the content of a certificate request/certificate/key

$ <in>openssl req|x509|rsa -in /etc/ssl/$SERVER.crt -text</in>

Manually connect to an SSL secured port

$ <in>openssl s_client -connect www.narf.ssji.net:443</in>
Certificate chain
 0 s:/CN=distant-sun.narf.ssji.net
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
Server certificate
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
No client certificate CA names sent
SSL handshake has read 2983 bytes and written 409 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C68B84A9F17B7F2FB2B5E043272B41BC37C34AA826D6B6458C321DE103BD95FC
    Master-Key: E9BFE1B8E6E7B26895541B5E87CC76D7E9E5FD620DE9BB5BDA2B2CFC446F17323CE79717466F8EEC828C1FC2C9E8C770
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 37 a3 3f ae ad 81 6d 0d-97 36 10 44 6f 58 ec 49   7.?...m..6.DoX.I
    0010 - d0 74 e0 c6 d5 e6 76 a5-44 a7 1b b6 55 51 f5 65   .t....v.D...UQ.e
    0020 - 75 b0 f1 57 29 01 80 24-a1 bd 67 bf b6 9c b8 50   u..W)..$..g....P
    0030 - 67 f4 87 31 25 d2 0e ac-53 ab 1f 39 97 65 3d 38   g..1%...S..9.e=8
    0040 - a8 87 85 5b f3 7e ec a9-9d bc 01 1b fd e7 dc 0b   ...[.~..........
    0050 - 4b ac 1e ea f9 8c 2f 6c-83 33 c3 45 ce 95 b2 7e   K...../l.3.E...~
    0060 - 9c 51 04 f0 14 9e 0d 03-fb f5 a8 ed 6d b1 90 f3   .Q..........m...
    0070 - 08 3f 47 3b a9 91 f9 d8-99 dc 73 1b a9 86 f6 b0   .?G;......s.....
    0080 - 13 38 30 ae f1 e3 b8 34-7c c2 64 3c 4c ea 8a 10   .80....4|.d<L...
    0090 - 6b e1 59 52 d8 89 f3 9f-6b 17 c7 6c 55 ed 86 0f   k.YR....k..lU...
    00a0 - 70 c6 50 94 21 44 f2 ac-28 f4 ee 59 c3 60 3f f3   p.P.!D..(..Y.`?.
    00b0 - fb f9 bd 54 89 62 44 c5-96 e9 d5 0e 4f be 17 4a   ...T.bD.....O..J
    Start Time: 1291767269
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
<in>HEAD / HTTP/1.1
Host: www.narf.ssji.net
</in>HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:15:08 GMT
Server: Apache
Content-Location: index.xhtml
Vary: negotiate
TCN: choice
Content-Type: application/xhtml+xml

It also works for TLS connections.

$ <in>openssl s_client -connect SMTP:587 -starttls smtp</in>
[... certificate details ...]

Get remote certificate

$ <in>openssl s_client -connect HOST:PORT | sed '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/!d' > HOST.crt</in>
verify error:num=19:self signed certificate in certificate chain
verify return:0

The same can be done to get the fingerprint, with some more filtering:

$ <in>openssl s_client -connect HOST:PORT | sed '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/!d' | openssl x509 -fingerprint</in>
verify error:num=19:self signed certificate in certificate chain
verify return:0
SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

Test Server Name indication (SNI) with HTTPS

$ echo | openssl s_client -servername VIRTUALHOST -connect localhost:443 2>/dev/null | grep CN
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
tips/ssl.1413949428.txt.gz · Dernière modification: 2014-10-22 03:43 par oliviermehani